Configmgr 2012 allow admins to specify the Client Settings at collection level to control the behavior and functionality of the clients.
You can create as many number of Custom Client Device/User settings (9999) ,which you can apply onto collections(Device/User).
What happens if client is member of multiple collections that have client settings ? All the Custom Client settings that you create are chosen with the priority. Higher the priority(1) will take over the settings with lower priority(10000).
If you are going to have multiple client agent settings,focus attention else you will see undesired results.
By Default,Configmgr will Configure default client settings at Hierarchy Level with priority 10000 (low) which is applied to every User and Device.To know more about Client Settings refer TechNet http://technet.microsoft.com/en-us/library/gg682067.aspx
Now,lets jump into the subject line. After the Configmgr 2012 Installation ,Default Client settings is configured with necessary changes,in this case,Remote tools is configured ‘Permitted viewers of remote control and remote assistance’ with AD security groups allowing users, who are member of this AD security group can do Remote control from Configmgr.
Note: Remote control always takes control of the console session. It cannot and does not control other remote sessions.
These settings(remote Control) will be then applied to every Client (both workstations and servers) in next policy interval.what happens when this is applied ?
It will create Local security group called ‘ConfigMgr Remote Control Users’ by providing necessary DCOM permissions to this group.You can verify the remote control properties via wmi or registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control)
also,if you have the option ‘Manage Remote Desktop settings’ is set to Yes in the Remote tools,then ‘ConfigMgr Remote Control Users’ group will be added automatically to
1) Start > Administrative Tools > Local Security Policy > User Rights Assignment > Allow log on through Remote Desktop Services
2) Remote Desktop settings: “ConfigMgr Remote Control Users” group added with Full Control (See screenshot below),How do i check RDP-tcp IP properties,follow guide here
So far,we have seen how remote tools works and what changes it will do on the client.
Issue: I don’t want the above changes(1 &2 ) to be reflected on the server (for workstation,it should be fine) ,this happened because i do not have separate client device settings for workstations and servers.Default client settings with remote tools enabled and is applied at hierarchy level for both workstations and servers.
How do i correct the issue 1 & 2 on the existing servers and should not occur on new servers going forward as explained above screenshots ?
Create a Custom Client device settings for Remote Tools and other settings if you are interested to manage via settings.Go to Remote tools and set All Yes/Enabled options to No/Disabled including ‘Manage Remote Desktop settings’ to ‘No’
Note: its always recommended to not touch the default client settings and create custom client device settings for workstations and servers.
Deploy this setting to server based collection ,wait for the machine policy to load or trigger the action on one of the server from the collection and see the changes.
You should not see ConfigMgr Remote Control Users’ from rdp-tcp properties also from Allow log on through Remote Desktop Services.
What about the Local Security group which was created in the past ?
TechNet article says ,After you disable remote tools for a client, this group is not automatically removed and must be manually deleted this from each client computer.
So we have to delete this group on all the existing servers.To do this,I created simple vbscript checks the group and deletes if exist.
strComputer = "."
Set objComputer = GetObject("WinNT://" & strComputer & "")
For Each objgroup In objComputer
If (objgroup.Name) = "ConfigMgr Remote Control Users" Then
objComputer.Delete "group", "ConfigMgr Remote Control Users"
End If
next
Create a package using this script and deploy to collection.This will remove the local group on all the existing servers and do nothing if the group do not exist.
Thanks to windows-noob (Niall Brady) for helping out on this .
Configmgr 2012 Remote control –How to get Rid of Local security group ConfigMgr Remote Control Users is a post from: Eswar Koneti's Blog