Configure TS Automatically for Logged On User

[Guest Thomas M.]

XP SP2

 

We are in the process of converting our users to standard user accounts. We

have a number of employees who use terminal services to remotely control

their machines. By default, administrators on the local machine have the

right to use terminal services, whereas non-administrators must be added to

the Remote Desktop Users list. This sets up a situation where people have

the ability to use terminal services by virtue of the fact that they are

members of the local administrators group. Once they are removed from local

administrators group, and if they have not been added to the Remote Desktop

Users list, they lose the ability to use terminal services. Of course, an

administrator must then login and add the user's account to the Remote

Desktop Users list so that he or she can continue to use terminal services

after being converted to a standard user account.

 

The obvious solution would be to add the user account to the Remote Desktop

Users list BEFORE taking away the user's admin rights. I would like to know

if there is some way to automate this work. Is there a script, or a

registry hack, that will add the currently logged in user to the Remote

Desktop Users list?

 

FYI: We run Active Directory and Novell eDirectory, so we have a number of

options for limiting the distribution of any such script or registry hack to

only those employees who are authorized to use terminal services. In other

words, we can control it so that it goes to only the employees we specify,

and not to everyone.

 

--Tom

[Guest Marcin]

Re: Configure TS Automatically for Logged On User

 

Thomas,

include the following

net localgroup /add "Remote Desktop Users" %username%

in the logon script (this will succeed if the current user is a member of

local Administrators - which, from what I understand, is what you are

looking for)

 

hth

Marcin

[Guest Thomas M.]

Re: Configure TS Automatically for Logged On User

 

Yep, that sounds like what I am looking for. I could create a security

group called something like TSUsers and then add an IF statement to run your

command if the user is a member of the TSUsers group. That should work.

 

Now I've come up with two other questions. First, is there a registry hack

or something that will cause the "Allow users to connect remotely to this

computer" box to be checked? That box is on the Remote tab of the system

properties.

 

Ideally, when we get a request to configure someone to use TS we would just

drop them into a domain group and then the login script, based on membership

in that group, would check the box and add the user to the Remote Desktop

Users group. That would allow us to do this with essentially no overhead.

 

Second, say that Betty logs on to Mike's computer and that the login script

configures Mike's computer so that Betty can use TS to control the machine.

After Betty logs off, does her user name remain a member of the Remote

Desktop Users group, meaning that she would retain the ability to remotely

control Mike's machine?

 

--Tom

 

"Marcin" <marcin@community.nospam> wrote in message

news:7028CF0A-13C6-4753-8EEC-C1E69B7327B6@microsoft.com...

> Thomas,

> include the following

> net localgroup /add "Remote Desktop Users" %username%

> in the logon script (this will succeed if the current user is a member of

> local Administrators - which, from what I understand, is what you are

> looking for)

>

> hth

> Marcin

>

[Guest Patrick Rouse]

Re: Configure TS Automatically for Logged On User

 

We have a solution called Virtual Access Suite, Desktop Services Edition

which allows publishing of desktops or individual applications from Managed

Virtual Desktops (on VMware or Virtual Iron), Standard XP Pro or Vista

Desktops or Blade PCs. With our solution the administrator assigns users to

desktops, or users get a desktop from a pool (and return it to a pool at

logoff) or users get a desktop from a pool and retain it permanently. Our

solution removes the users name from the Remote Desktop Users Group at

logoff, so users can not connect via remote desktop w/o connecting via our

Connection Broker.

 

Users can connect via Web Browser w/ SSL Gateway, CE Client, Linux Client or

Win32 non-web client.

 

With this an administrator can offer a managed desktop/application solution

for internal and external users (VDI) and stop paying a recurring fee for

services such as GoToMyPC.

 

 

 

--

Patrick C. Rouse

Microsoft MVP - Terminal Server

SE, West Coast USA & Canada

Quest Software, Provision Networks Division

Virtual Client Solutions

http://www.provisionnetworks.com

 

 

"Thomas M." wrote:

> Yep, that sounds like what I am looking for. I could create a security

> group called something like TSUsers and then add an IF statement to run your

> command if the user is a member of the TSUsers group. That should work.

>

> Now I've come up with two other questions. First, is there a registry hack

> or something that will cause the "Allow users to connect remotely to this

> computer" box to be checked? That box is on the Remote tab of the system

> properties.

>

> Ideally, when we get a request to configure someone to use TS we would just

> drop them into a domain group and then the login script, based on membership

> in that group, would check the box and add the user to the Remote Desktop

> Users group. That would allow us to do this with essentially no overhead.

>

> Second, say that Betty logs on to Mike's computer and that the login script

> configures Mike's computer so that Betty can use TS to control the machine.

> After Betty logs off, does her user name remain a member of the Remote

> Desktop Users group, meaning that she would retain the ability to remotely

> control Mike's machine?

>

> --Tom

>

> "Marcin" <marcin@community.nospam> wrote in message

> news:7028CF0A-13C6-4753-8EEC-C1E69B7327B6@microsoft.com...

> > Thomas,

> > include the following

> > net localgroup /add "Remote Desktop Users" %username%

> > in the logon script (this will succeed if the current user is a member of

> > local Administrators - which, from what I understand, is what you are

> > looking for)

> >

> > hth

> > Marcin

> >

>

>

>

[Guest Thomas M.]

Re: Configure TS Automatically for Logged On User

 

I'll have to look into that.

 

I think that we are doing something similar via Citrix, but I don't deal

with that end of things so I'm not completely sure how it works. I plan to

meet with our Citrix people to get more info. One problem that we've run

into is that some people want to be setup without going through Citrix so

that they can still reach their desktops in the event that the Citrix

servers are having problems. Those are the people who are giving us

headaches because right now we just set them up manually (there aren't very

many). I'd like to get to the point where we don't need to visit the

machine, but we're struggling with how to do that in a way that doesn't

leave the employee with the ability to remotely access any machine that

they've logged in to previously.

 

--Tom

 

"Patrick Rouse" <PatrickRouse@discussions.microsoft.com> wrote in message

news:A7CD129F-6DA3-4A7D-81A4-6A846AA58781@microsoft.com...

> We have a solution called Virtual Access Suite, Desktop Services Edition

> which allows publishing of desktops or individual applications from

> Managed

> Virtual Desktops (on VMware or Virtual Iron), Standard XP Pro or Vista

> Desktops or Blade PCs. With our solution the administrator assigns users

> to

> desktops, or users get a desktop from a pool (and return it to a pool at

> logoff) or users get a desktop from a pool and retain it permanently. Our

> solution removes the users name from the Remote Desktop Users Group at

> logoff, so users can not connect via remote desktop w/o connecting via our

> Connection Broker.

>

> Users can connect via Web Browser w/ SSL Gateway, CE Client, Linux Client

> or

> Win32 non-web client.

>

> With this an administrator can offer a managed desktop/application

> solution

> for internal and external users (VDI) and stop paying a recurring fee for

> services such as GoToMyPC.

>

>

>

> --

> Patrick C. Rouse

> Microsoft MVP - Terminal Server

> SE, West Coast USA & Canada

> Quest Software, Provision Networks Division

> Virtual Client Solutions

> http://www.provisionnetworks.com

>

>

> "Thomas M." wrote:

>

>> Yep, that sounds like what I am looking for. I could create a security

>> group called something like TSUsers and then add an IF statement to run

>> your

>> command if the user is a member of the TSUsers group. That should work.

>>

>> Now I've come up with two other questions. First, is there a registry

>> hack

>> or something that will cause the "Allow users to connect remotely to this

>> computer" box to be checked? That box is on the Remote tab of the system

>> properties.

>>

>> Ideally, when we get a request to configure someone to use TS we would

>> just

>> drop them into a domain group and then the login script, based on

>> membership

>> in that group, would check the box and add the user to the Remote Desktop

>> Users group. That would allow us to do this with essentially no

>> overhead.

>>

>> Second, say that Betty logs on to Mike's computer and that the login

>> script

>> configures Mike's computer so that Betty can use TS to control the

>> machine.

>> After Betty logs off, does her user name remain a member of the Remote

>> Desktop Users group, meaning that she would retain the ability to

>> remotely

>> control Mike's machine?

>>

>> --Tom

>>

>> "Marcin" <marcin@community.nospam> wrote in message

>> news:7028CF0A-13C6-4753-8EEC-C1E69B7327B6@microsoft.com...

>> > Thomas,

>> > include the following

>> > net localgroup /add "Remote Desktop Users" %username%

>> > in the logon script (this will succeed if the current user is a member

>> > of

>> > local Administrators - which, from what I understand, is what you are

>> > looking for)

>> >

>> > hth

>> > Marcin

>> >

>>

>>

>>