Remote tools requires an active local user session

myITforum.com Community Forum

Home Forums Blogs Live Support chat Search Articles Wiki FAQ Email Lists Register Login My Profile Inbox Address Book My Subscription My Forums

Photo Gallery Member List Search Calendars FAQ Ticket List Log Out

All Forums RSS Feed Subscription:

Remote tools requires an active local user session

View related threads: (in this forum | in all forums)

Logged in as: Guest

Printable Version

All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Remote tools requires an active local user session

Page: [1]

Message

<< Older Topic Newer Topic >>

Remote tools requires an active local user session - 11/13/2007 6:50:04 PM

tmiller

Posts: 675
Score: 20
Joined: 7/29/2003
From: Iowa
Status: offline

New in SCCM 2007 is the inability to use SMS remote tools to connect to a machine where no one is logged on.

Let's look at this scenario...

A user calls the help desk to report a problem and a ticket is assigned to a desktop person. When the desktop person gets to the work order, the user has gone home for the day. The desktop staff sends a wake on lan packet to the user's computer to turn it on, and then connects to the system uisng the Remote tools in SMS, logs in an works on the problem. We perform lots of system troubleshooting in the overnight hours when the users are gone for the night.

That common scenario is no longer available in SCCM 2007. Remote tools in SCCM 2007 will not connect to a machine that is sitting at the Ctrl-Alt-Delete screen or one that is sitting at the locked system screem. In order to connect to machines in this state you will be required to enable RDP on your systems. Of course once RDP is enabled, anyone with admin rights on that box can connect to the system, and the access is not centrally audited or controlled by SCCM.

With the Remote tools, SMS 2003 kept track of who was remote controlling which computers. Administrators of a machine did not necessarily have rights to remote control a system, and you didn't have to leave RDP enabled on all your systems. This is a huge leap backwards for remote management in SCCM 2007 compared with previous itterations of SMS. The feature set of SCCM shouldn't have me looking for third party remote control tools.

< Message edited by tmiller -- 11/14/2007 1:56:49 PM >

Post #: 1

RE: Remote tools requires an active local user session - 11/14/2007 4:01:42 PM

mcarriere893

Posts: 3626
Score: 300
Joined: 4/12/2002
From: Manitoba, Canada
Status: offline

Wally responded to a similar thread on the Technet forums:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2323896&SiteID=17

_____________________________

Mark Carriere
Microsoft MVP-SMS
www.SMSUG.ca

(in reply to tmiller)

Post #: 2

RE: Remote tools requires an active local user session - 11/15/2007 11:52:22 AM

tmiller

Posts: 675
Score: 20
Joined: 7/29/2003
From: Iowa
Status: offline

I knew the reson behind the change, the switch to the Vista RDP collab stack, and I knew that a RFC was placed to the Vista group, but I had no idea that the fix was both as uncertain as it is and as far away as Wally suggests in the post (one year + away and certainly after SP1) This is a total deal breaker for us. I hope that SMS 2003 is supported long enough for the change to get added into the Vista RDP stack.

RDP is not audited (centrally) and is not authorized using SMS. Any Administrator can use RDP, SMS remote tools is authorised by SMS security.

(in reply to mcarriere893)

Post #: 3

RE: Remote tools requires an active local user session - 11/15/2007 11:57:45 AM

mcarriere893

Posts: 3626
Score: 300
Joined: 4/12/2002
From: Manitoba, Canada
Status: offline

There is a MOF (search the forums) to audit RDP and RA that was for SMS 2003 (and perhaps also for ConfigMgr, or at least easily setup to be used).

http://myitforum.com/cs2/blogs/jgilbert/archive/2007/08/08/inventorying-remote-assistance-requests-and-connections.aspx

_____________________________

Mark Carriere
Microsoft MVP-SMS
www.SMSUG.ca

(in reply to tmiller)

Post #: 4

RE: Remote tools requires an active local user session - 11/15/2007 3:02:45 PM

tmiller

Posts: 675
Score: 20
Joined: 7/29/2003
From: Iowa
Status: offline

Thaks, Mark.

I am looking at the possibility of using a GPO to disable RDP and then write a little wrapper around the remote.exe command that will enable the RDP service on the remote computer, launch rc.exe, and then disable it on the exit. RC.exe fails over to RDP automatically, so the wrapper application would be the interface I'd present to the desktop staff.

It really bugs me that I have to go to all this work just to maintain the same functionality as in the 4 year old version. But enough, I've got the complaining out of my system now. There is pleanty to be happy and excited about in SCCM, just not remote control or patching.

(in reply to mcarriere893)

Post #: 5

RE: Remote tools requires an active local user session - 11/15/2007 3:25:35 PM

mcarriere893

Posts: 3626
Score: 300
Joined: 4/12/2002
From: Manitoba, Canada
Status: offline

Gotta say that I went away from remote.exe several years ago. There were plenty of security holes in it, like... if your staff are local admins on the remote box, then they can simply add themself to the permitted viewers list in the registry, and they can also run remote.exe using the nosql switch to bypass collection security.

And we got over the issue of staff saying that remote.exe was faster to start than RA/RDP (just took time for them to forget :) )

And on top of that, it no longer becomes "our problem" when a system cannot be remote controlled. RA and RDP are built into the OS, so technical staff should look at the problem.

Interesting wrapper your thinking of making though.

_____________________________

Mark Carriere
Microsoft MVP-SMS
www.SMSUG.ca

(in reply to tmiller)

Post #: 6

RE: Remote tools requires an active local user session - 11/15/2007 6:06:47 PM

tmiller

Posts: 675
Score: 20
Joined: 7/29/2003
From: Iowa
Status: offline

Interesting.

How do your users decide between RA and RDP. RA also doesn't work if no one is logged in. Do they just try RA first and if they get a noone logged in error then they start up RDP? Or do you have some intellegence in the system to look and see if a user is logged in and if so do RA and if not do RDP.

There is a secret way to start up RA without asking permission right?

I too dislike SMS Remote Tools quite a bit. No support for multiple monitors, the crazy SMS Mirror driver BS, etc. I made my decision based on us having still having about 20% windows 2000 systems at the time. I wanted to have a single path to remote control without needing to know if the target was XP or 2000. I'm under 1% Windows 2000 now, and so wouldn't mind droping Remote Tools - except I must be able to control a machine with no user logged on, and my security officer really has something against RDP - not the protocol, but regular users using it from home or elsewhere - he also doesn;t want it left on all the time. I think he'd be cool with the toggeling idea.

The actual Remote tool is so much better in SCCM 2007 , but that inability to connect to the console 0 session is a killer.

(in reply to mcarriere893)

Post #: 7

RE: Remote tools requires an active local user session - 11/16/2007 8:40:10 AM

mcarriere893

Posts: 3626
Score: 300
Joined: 4/12/2002
From: Manitoba, Canada
Status: offline

We use security groups to allow access via RDP or RA. Baisically IT technical staff have rights to RDP, and application support staff have rights to RA (allow them to shadow end user sessions for application support issues). Every use who wants access must request it, and they are given appropriate rights (via their justification). They are also notified (and some training if required) of their access rights (and warned about abusing those rights).

We also provide these two tools via a custom web application (all users of SMS/ConfigMgr use the custom web app for reports, remote tools, etc, etc).

Security is also setup so that if a user has RA access only, they can't even run the RDP button (they get a "no permission" message if they attempt to run). (simple button clicks/messages in the web app).

We also have simple button clicks that show if the machine is on, a user is logged on, and WOL (among others). This is useful for the IT staff to help detemine how they will need to connect. Of course everyone is informed to always contact the end user before attempting any connection.

Now of course they can run the tools without going through the web app (the web app does make use of unsolictedRCUI.htm for RA so they like using it), but without appropriate rights, they don't gain access.

By default, local admins have RDP access (if it is not enabled, they can enable it right

), but I guess having it in a wrapper saves them a couple of steps to enable, and then disable. Might be a popular download on the site if you make a nice one.

Edit:

quote:

There is a secret way to start up RA without asking permission right?

Don't knwo if it's a secret, but yes.

< Message edited by mcarriere893 -- 11/16/2007 8:49:16 AM >

_____________________________

Mark Carriere
Microsoft MVP-SMS
www.SMSUG.ca

(in reply to tmiller)

Post #: 8

RE: Remote tools requires an active local user session - 12/5/2007 6:40:05 PM

ltran

Posts: 203
Score: 0
Joined: 7/5/2001
Status: offline

Hi All,

I finally got a SCCM test environment up and am really disappointed at the remote control features. I just read wally's comments from the other site as well.

I would be okay with RA asking user's permission or RDP when users are not available, but the two major draw back for me is that there is no more central audits for RDP or RA. On top of that, It seems that enabling the RDP will enable it for everyone under the permitted users's list. This kind of sucks, what if you wanted to restrict remote access of 1 dept and only give 1 user that access. So far from my test, any users in permitted users can remote in even though they have no access to any collection.

(in reply to mcarriere893)

Post #: 9

Page: [1]

All Forums >> [Management Products] >> System Center Products >> System Center Configuration Manager >> Remote tools requires an active local user session

Page: [1]

Jump to:

New Messages	No New Messages
Hot Topic w/ New Messages	Hot Topic w/o New Messages
Locked w/ New Messages	Locked w/o New Messages

Post New Thread

Reply to Message

Post New Poll

Submit Vote

Delete My Own Post

Delete My Own Thread

Rate Posts

0.359