
Add user to Remote Desktop list via script or GPO?


markdmac (MIS, US), Dec 20, 2003
I need to add a group to the Remote Desktop list on a bunch of machines. Does anybody know of a registry setting, script or GPO that can help automate this process?

The environment is SBS 2003 with XP Pro workstations.

Users are already members of the Remote Web Workplace group. I'm looking to add that group to the access list found on the Remote tab in My Computer Properties. I've searched the registry but this apparently isn't stored there. Looked at my group policies and I see I can set Offer Remote Assistance and Request Remote Assistance, but nothing for setting the actual rights to use Remote Desktop.

Any help greatly appreciated.

Thanks,

Mark

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
I have used Cusrmgr.exe from the Win2k server Resource kit.

Since by default members of the Group "Administrators" are added to the "Remote Users" Group, this freeware suggestion by MS-MVP Daniel Petri should do it without spending the $$ on the reskit:
I have not tested this, but on its face it seems reasonable.

Best,
Bill Castner
 
Hi All,

Well I got this working. Had to do a few things.

First I created a GPO to ensure that remote desktop was enabled.

Next I used NET LOCALGROUP to add the user at the local machine.

I scripted the running of NET LOCALGROUP and all seems to be well.

Regards,

Mark
 
One thing missing, and I missed it at first read, is that member markdmac is one of the best scripters on the Tek-Tips forum.

And I have a tremendous amount of respect for him.

The question is fundamentally how do you move the members of an OU, or preferably a Group, to a local Group?

Mark notes: "First I created a GPO to ensure that remote desktop was enabled."

Actually, you do not. You have to do this if you are using NET LOCALGROUP for the add. As I stated earlier, the Group Administrators are automatically added in the Group Remote Users under XP. And you may not want to make all of your remote users Administrators. A very fair argument.

So how do you add a Domain custom group to the local group of hundreds if not thousands of workstations?

Well you can write a fairly complicated batch file, and use the third-party tool psexec, or if you have it, the Win2k reskit to host a remote command shell.

Or, you can make your life easier by using my original advice to this thread.

 
Thanks for the kind words bcastner.

I just want to clarify something for others who may stumble upon this thread.

The GPO I created enables remote desktop. Without this, even administrators cannot log on remotely. So this is a step that is necessary no matter what group your users are a member of.

Here is the code for the custom ADM file that can be imported into a GPO.

[script]
CLASS MACHINE
CATEGORY "Remote Desktop Configuration"
KEYNAME "SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

POLICY !!DENY_CONNECT
#if version >= 4
SUPPORTED !!WinXP
#endif
EXPLAIN !!DENY_CONNECT_EXPLAIN
ACTIONLISTON
VALUENAME "fDenyTSConnections" VALUE NUMERIC 1
END ACTIONLISTON
ACTIONLISTOFF
VALUENAME "fDenyTSConnections" VALUE NUMERIC 0
END ACTIONLISTOFF
END POLICY
End Category

[strings]
WinXP="At least Windows XP Professional or .NET Server"
DENY_CONNECT="Do not allow client connections"
DENY_CONNECT_EXPLAIN="Prevents remote desktop connections to the system."
[/script]

Regards,

Mark
 
"The GPO I created enables remote desktop. Without this, even administrators cannot log on remotely. So this is a step that is necessary no matter what group your users are a member of."

Mark is correct. And I was in error on this. The default nature of Remote Desktop is disabled. I had a pre-existing notion that this was not true for Group Administrators, but this is not true.

Darn, Mark we need to see you here more often in this Forum.

 
Yea, sorry I spend most of my time in the Win2K, Win2K3 and VBScript forums.

Will try to visit here a little more often when time permits.

For those interested, that ADM file will work for Win2K server and Windows 2003 Server as well as the XP machines.

Regards,

Mark
 
Could you expand on this, as the whole notion of adding a Domain Group to a local Group is a frequent question here:

"Next I used NET LOCALGROUP to add the user at the local machine.

I scripted the running of NET LOCALGROUP and all seems to be well. "

Thanks Mark for any help.
Bill

 
First place to look is at the MS web site;

Basically, Microsoft has made adding users to local groups fairly simple in that you can easily do it from a command line.

So lets say you have a domain group called desktopadmins and you wanted to add this group to the local machine Administrators group. If your domain name is mydomain

Execute the following from a command prompt.
net localgroup Administrators mydomain\desktopadmins /add

Scripting this is where things get a little hairier and is I think beyond the scope of this forum, but hopefully the above example and link will help others accomplish the desired goal.

Regards,

Mark
 
Also, going back to my original problem here...

One of the things I was looking to do was add a domain group (non-administrator group) to the Remote Desktop Users group. As stated above I did this using the net localgroup.

Not trying to beat a dead horse, I just want all that follow to know what the heck I was trying to do.

By scripting this it took about 15 minutes for the script to run on about 45 computers when launched from a single computer. Had I broken it up into several runs (for a multithread effect) it would have been faster, but I was feeling lazy and watching it run was a nice diversion for my brain.

Regards,

Mark
 
How did you get this local command to run on the 45 workstations?

 
I am fond of (and used) PSEXEC from Sysinternals when under the gun, but this could be done via login script to avoid the 3rd party application. You can also have it run with elevated privileges even if the user does not have admin rights.

Regards,

Mark
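The procedure Mark lays out across the last few posts (the ADM policy that clears fDenyTSConnections, then NET LOCALGROUP to put a non-administrator domain group into the local Remote Desktop Users group, run against a list of workstations) collected into one script, as an added example that is not code from this thread, from Microsoft or from Sysinternals. It runs from a PowerShell console rather than a VBScript login script, reaches each machine through the remote registry and the WinNT ADSI provider instead of PSEXEC, and the domain MYDOMAIN, the group RemoteWebWorkplaceUsers and the computer names are made-up placeholders.

```powershell
# Added example, not code from this thread. It does not enable Remote Desktop
# itself (the ADM policy does that); it reports whether that policy has applied
# (fDenyTSConnections = 0) and adds a domain group to the local
# "Remote Desktop Users" group on each workstation in a list.
# Hypothetical values: MYDOMAIN, RemoteWebWorkplaceUsers and the computer names.
# Needs local admin rights on each target, with the Remote Registry service and
# the WinNT ADSI provider reachable (the same rights PSEXEC would need).

$Domain      = 'MYDOMAIN'                 # placeholder domain NetBIOS name
$DomainGroup = 'RemoteWebWorkplaceUsers'  # placeholder non-administrator group
$Computers   = @('WS01', 'WS02', 'WS03')  # constructed list of workstations
$LocalGroup  = 'Remote Desktop Users'

# Registry location written by the ADM file in the thread: 0 = allow, 1 = deny.
$PolicyKey  = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyName = 'fDenyTSConnections'

function Get-RdpPolicyValue {
    param([string]$Computer)
    # Returns the policy value, or $null when no policy has been applied yet.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hive.OpenSubKey($PolicyKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($PolicyName) } finally { $key.Close() }
    } finally { $hive.Close() }
}

function Get-LocalGroupMemberPaths {
    param([string]$Computer, [string]$Group)
    # Members() is a COM call on the WinNT provider; the ADsPath keeps the
    # DOMAIN/ or COMPUTER/ prefix so domain and local accounts are told apart.
    $entry = [ADSI]"WinNT://$Computer/$Group,group"
    @($entry.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-DomainGroupToLocalGroup {
    param([string]$Computer, [string]$Group, [string]$Domain, [string]$Member)
    $entry   = [ADSI]"WinNT://$Computer/$Group,group"
    $members = Get-LocalGroupMemberPaths -Computer $Computer -Group $Group
    if ($members -contains "WinNT://$Domain/$Member") { return 'already a member' }
    # Same effect as: net localgroup "Remote Desktop Users" DOMAIN\group /add
    $entry.Add("WinNT://$Domain/$Member,group")
    return 'added'
}

foreach ($pc in $Computers) {
    try {
        $deny = Get-RdpPolicyValue -Computer $pc
        if ($null -eq $deny) { $rdp = 'no policy yet (XP default: disabled)' }
        elseif ($deny -eq 0) { $rdp = 'enabled by policy' }
        else                 { $rdp = 'DISABLED by policy' }

        $result = Add-DomainGroupToLocalGroup -Computer $pc -Group $LocalGroup `
                                              -Domain $Domain -Member $DomainGroup
        $who = (Get-LocalGroupMemberPaths -Computer $pc -Group $LocalGroup) -join ', '
        '{0}: RDP {1}; {2}\{3} {4}; members now: {5}' -f $pc, $rdp, $Domain, $DomainGroup, $result, $who
    } catch {
        '{0}: FAILED ({1})' -f $pc, $_.Exception.Message
    }
}
```

The policy value is read before the group is added so that a machine where the GPO has not yet applied is flagged, since membership in Remote Desktop Users is useless while fDenyTSConnections is still 1. The add is skipped when the group is already there, and the member listing printed afterwards is the audit record of who can log on remotely, which is what keeps the non-administrator group approach from this thread (rather than making every remote user an Administrator) verifiable after the run.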
 
Mark,

Thanks so much. I have regular cause to bless the boys at Sysinternals for their freeware PsTools:
Are you going to leave it to the reader's imagination to answer the obvious question "You can also have it run with elevated privileges even if the user does not have admin rights."?

Star for your post, sir.
 
Not much imagination needed. If instead of using PSEXEC you were to make the code execute in a VBScript login script, you could have it run at login. When executed from a GPO the script can run with elevated privileges.

Regards,

Mark
 
An interesting change in XP Service Pack 2 is that the logon runs under the authentication of NT AUTHORITY/Local System.

And Longhorn promises to be even more restrictive. A logon is verified against a set of policies you may set to ensure the workstation is at a certain service pack, AntiVirus definition level, Anti-Spyware definition level and security hotfix level before permitting the logon.

All of which is a prefix for my main point. If you are scripting logons assuming that the OU provides enough information for the permissions required, this will change soon.


 