Channel: THWACK: Popular Discussions - DameWare DRS

Granting remote control rights to non-admins


Note: This is a topic brought over from DameWare Forums which has been closed. If you wish to engage in this discussion, just comment here.


Granting remote control rights to non-admins
by abentley on Wed Sep 09, 2009 4:38 am


Try as I might, I have been unable to get non-admin users to be able to remote control computers. I am running Windows Vista Enterprise SP2 and MRC 6.8.1.4. I have read a lot of posts on the subject and understand that the default dwrcs.ini settings need to be altered during MSI creation so that non-admins will be able to connect (after permission is granted) and I'm pretty sure I've got the settings correct, but only users with admin rights are currently able to connect successfully.

What I want is for members of a specific domain global group to be able to connect to any MRC client. All of the members of this group are at the very least members of the local 'Users' group on each computer (because they are members of Domain Users, which is in turn a member of the local Users group). Some members of the domain group have local admin rights on computers, and it is only these accounts that are able to authenticate and connect.

I require all connection attempts to prompt for permission when someone is logged on to the target computer, and for any connection to a locked or un-logged-on computer to be automatically accepted.

I have tried both Encrypted Windows Logon and Windows NT Challenge Response authentication methods without success. I'm pulling my hair out now as I really need some users who can't have local admin rights the ability to remote control with MRC.  

Here is my INI file (I am not using registry settings), can anyone spot anything wrong with it?
[Settings]
Port=6129
Adgang NTLM=Yes
Adgang 1=
Adgang 2=
Adgang 3=0
Notify On New Connection=Yes
Notify On Disconnection=No
No Notify Sound=No
Notify On New Connection Timeout Value=30
Notify Dialog Caption=Remote Control
Notify Dialog Text 1=Remote Control Notification
Notify Dialog Text 2 Remote Control=The following user has connected via remote control.
Permission Required=Yes
Center Permission Dialog=No
Permission Dialog Set Focus On Decline Button=No
Show SysTray Icon=Yes
Enable User Option Menu=No
Option Notify On New Connection=Yes
Option Notify On New Connection Dialog Timeout=Yes
Option On Disconnect Logoff Desktop=Yes
Option On Disconnect Logoff Desktop Force Applications Close=Yes
Option On Disconnect Lock Workstation=Yes
Option Logon At Logon Desktop Only=Yes
Option Logon At Logon Desktop Only Timeout=Yes
Option Enable File Transfer=Yes
Option Enable Chat=Yes
Option Enable Chat Allow Anyone To Initiate=Yes
Option Permission Required=Yes
Option Enable Add Client Connection Menu=Yes
Option Enable DisConnection Menu=Yes
Option Enable Email Notification=Yes
Option Enable Email Notification Change Email Address=Yes
Permission Required for non Admin=Yes
Permission Required for non Admin Disconnect If At Logon Desktop=No
Permission Required for non Admin Force View Only=No
On Disconnect Logoff Desktop=No
Force Applications Close=No
On Disconnect Lock Workstation=No
Logon At Logon Desktop Only=No
Logon At Logon Desktop Only Timeout=Yes
Logon At Logon Desktop Only Timeout Value=20
Enable Add Client Connection Menu=Yes
Enable Disconnection Menu=Yes
Enable Settings Menu=No
Absolute Timeout=0
Requires Explicit Remote Admin Rights=No
Allow Only Administrators To Connect=No
Requires Logon Locally Privilege=No
Must Be Member Of This Local Group=No
Local Group Name=
Must Be Member Of This Global Group=Yes
Global Group Name=DameWare Desktop Remote Control Access
Enable Email Notification=No
Email Notification Address=
Email Notification Server=
Disable Host Lookup=Yes
Socket Logon Timeout=90000
Authentication Type=2
Must Have Logon Locally Rights with Windows Logon=No
SFT: Enable Simple File Transfer=Yes
SFT: Append Host Name=No
SFT: Upload Folder=%SYSTEMROOT%\DWRCS Uploads
SFT: User Response Time Out=6000
Disable Version Downgrade=No
Global Group Machine 0=[IP address of Domain Controller 1]
Global Group Machine 1=[IP address of Domain Controller 2]
Global Group Machine 2=[IP address of Domain Controller 3]
Global Group Machine 3=
Global Group Machine 4=
Global Group Machine 5=
Allow All Administrators To Have Control=Yes
Upgrade Information=
Downgrade Information=
Max Access Log Size=10240000
Force Encrypt Data=No
Force Encrypt Images=No
Force Encrypt Files=No
Configuration Version=5.5
[Proxy]
Enable Proxy=No
Require Shared Secret=No
Disable Remote Control=No
[IP Filter]
Enable Filter For Remote Control=No
Enable Filter For Proxy=No
Access Granted=Yes


Questions: Can 'Global Group Name' contain spaces and does it need to be prefixed with 'DOMAIN\' ?

Many thanks in advance


Re: Granting remote control rights to non-admins
by switbro on Wed Sep 09, 2009 6:21 pm


I am having a similar issue - I have 45 domain controllers and have a group assigned to "Account Operators" so they can remotely access these machines with DMRC. They can access 44 of the 45 but they seem to be in view only mode on the 45th. They cannot connect even when the server is at the login window. The dwrcs.ini file looks the same as all the others. Is there a particular setting I should be looking for that would cause this behavior?

Thanks
Scott


Re: Granting remote control rights to non-admins
by abentley on Tue Sep 15, 2009 2:07 am


Hi, is anyone able to advise on this issue? Thanks


Re: Granting remote control rights to non-admins
by bryan on Fri Sep 18, 2009 1:24 pm


Exactly what error message are you receiving when you try to connect? Because it looks like everything is setup correctly. Spaces in the Global Group name should also be fine (i.e. Domain Admins).

Permission Required=Yes
- all users, even Admins, will require permission from the desktop user
- unless remote machine is at Logon Desktop or Lock Screen

Permission Required for non Admin=Yes
Permission Required for non Admin Disconnect If At Logon Desktop=No
Permission Required for non Admin Force View Only=No

- non-Admins will require permission from the desktop user, unless @ Logon Desktop or Lock Scr.

Please also look for DWMRCS entries in the Operating System's Application Event Log on the remote machine. Copy & paste the entire text from each of these entries back to our support team so they can review them. There should be at least two entries for each failed login attempt.

Once we have this information we should be able to assist you further.

I hope this helps.


Bryan Brinkman
Support Engineer
DameWare Development, LLC.
http://www.dameware.com
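
An added example for this thread (not DameWare's code and not posted by anyone above): a PowerShell script that prints the access-control keys from a dwrcs.ini like the one posted at the top, flags hard-coded DC addresses in the Global Group Machine list, and pulls the DWMRCS Application-log entries Bryan asks for, decoding the error codes that appear later in this thread. The INI path and the event source name 'DWMRCS' are assumptions, not something the thread confirms; adjust both to match the installed agent.

```powershell
# Added example (not DameWare's code, not from the posters). Summarises the
# access-control keys in a dwrcs.ini and lists DWMRCS authentication failures.
# Assumptions: the INI path below and the event source name 'DWMRCS' are guesses.
param(
    [string]$IniPath = "$env:SystemRoot\dwrcs\dwrcs.ini",
    [int]$MaxEvents = 50
)

function Read-DwrcsIni {
    param([string]$Path)
    # Keys contain spaces and colons ("SFT: Upload Folder"), so split only on the first '='.
    $settings = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $idx = $line.IndexOf('=')
        if ($idx -lt 0) { continue }
        $settings["$section\" + $line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    return $settings
}

$ini = Read-DwrcsIni -Path $IniPath

# Keys that decide whether a non-admin gets past the agent, plus the encryption
# and downgrade switches, which are all 'No' in the posted file.
$accessKeys = @(
    'Authentication Type',
    'Allow Only Administrators To Connect',
    'Requires Explicit Remote Admin Rights',
    'Requires Logon Locally Privilege',
    'Must Have Logon Locally Rights with Windows Logon',
    'Must Be Member Of This Local Group', 'Local Group Name',
    'Must Be Member Of This Global Group', 'Global Group Name',
    'Allow All Administrators To Have Control',
    'Permission Required', 'Permission Required for non Admin',
    'Permission Required for non Admin Force View Only',
    'Force Encrypt Data', 'Force Encrypt Images', 'Force Encrypt Files',
    'Disable Version Downgrade'
)
"== Access-control settings in $IniPath =="
foreach ($key in $accessKeys) { '{0,-52} {1}' -f $key, $ini["Settings\$key"] }

# Where the agent resolves the global group. A later reply in this thread recommends
# domain names here rather than DC addresses, so a retired DC cannot break logons.
"== Global Group Machine entries =="
for ($i = 0; $i -le 5; $i++) {
    $target = $ini["Settings\Global Group Machine $i"]
    if (-not $target) { continue }
    $note = if ($target -match '^\d{1,3}(\.\d{1,3}){3}$') { '<- hard-coded IP, consider a domain name' } else { '' }
    '  {0}: {1} {2}' -f $i, $target, $note
}

# Error codes seen in this thread (Win32 / SSPI names per Microsoft's documentation).
$knownCodes = @{
    '5'           = 'ERROR_ACCESS_DENIED'
    '1326'        = 'ERROR_LOGON_FAILURE: unknown user name or bad password'
    '-2146893044' = 'SEC_E_LOGON_DENIED: SSPI could not establish a security context'
}
"== DWMRCS authentication failures in the Application log (newest $MaxEvents events scanned) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'DWMRCS' } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Failed Authentication|Failed to establish a security context|Failed to Logon User' } |
    ForEach-Object {
        $msg = $_.Message
        $code = if ($msg -match 'Last Error Code:[ \t]*(-?\d+)') { $Matches[1] }
                elseif ($msg -match 'System Error:[ \t]*(-?\d+)') { $Matches[1] }
                else { '?' }
        $name = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'not in table' }
        $auth = if ($msg -match 'Authentication Type:[ \t]*(.+)') { $Matches[1].Trim() } else { '?' }
        $who  = if ($msg -match 'Logon As ID:[ \t]*(.+)') { $Matches[1].Trim() } else { '?' }
        '{0:u}  code={1}  {2}  auth={3}  logon-as={4}' -f $_.TimeCreated, $code, $name, $auth, $who
    }
```

Run it on the target machine as `.\Check-Dwrcs.ps1 -IniPath C:\path\to\dwrcs.ini`. The INI reader deliberately does not use a generic INI parser because several DameWare keys contain a colon, which most parsers would treat as a key/value separator.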
 

Re: Granting remote control rights to non-admins
by abentley on Mon Sep 21, 2009 3:14 am


Thanks for the response Bryan. When any non-local admin attempts to connect they get this error immediately:

Authentication failed:
System Error: 5
System Message: Access denied

Event log entries:
Error:
DameWare Mini Remote Control
System Error: -2146893044
Failed to establish a security context. OS Error Code: [SEC_E_LOGON_DENIED] The logon attempt failed. : (srv)

Error: Failed Authentication.
Using Windows NT Challenge/Response.

  
Date: 09/21/2009 09:02:59  
Computer Name: [computername]  
User ID: [logged-in username]  
Logon As ID: [login credentials username - not the same as username above]  
Domain:   
Desktop User ID:   
Desktop Name:   
System Settings Using: INI-File  
Desktop State: Unknown  
Permission Required: Yes  
Access Approved By: N/A  
Access Declined By: N/A  
Access Request Timeout: N/A  
Access Request Disconnected: N/A  
OS Product ID: [product id]  
OS Registered Owner: [registered owner]  
OS Registered Organization: [registered org]  
Host Name from Peer: [computername]  
IP Address(es) from Peer: [ip address]  
Peer Host Name:   
Peer IP Address: [ip address]  
Protocol Version - DWRCC.EXE: 6.800000-0.000010  
Protocol Version - DWRCS.EXE: 6.800000-0.000010  
Product Version - DWRCS.EXE: 6.8.1.4  
Product Version - DWRCC.EXE: 6.8.1.4  
Proxy Host Used: No  
Proxy Host:   
Proxy Destination Host:   
Proxy Destination Port: 0   
Proxy Callback Port: N/A   
Authentication Type: NT Challenge/Response  
Last Error Code: -2146893044  
Last Error Code (WSA): 0  
Host Port Number: 6129   
Host IP Address: [ip address]   
Host Name: [computer name]   
Absolute timeout setting: 0 minutes  
Connect/Logon timeout setting: 90000 milliseconds  
AccessCheck:   
Registered: No  
WTS Session: No  
Used RSA Public-Key Key Exchange (1024 bit keys).  
Encryption IDs: 26128 (24576,1536,16) [256].  
Hashing IDs: 26128 (24576,1536,16).  
Used Shared Secret: No  
Registration: [registration code]


Re: Granting remote control rights to non-admins
by mbernards on Tue Sep 29, 2009 4:32 am


We have added all global groups in our forests and domains with one name: UG_DWMRC
Universal groups do not seem to work here.

In those groups reside all support personnel.

A tip: don't get fooled by the PDC/DC list requirement here, better use the domain names. (6 max)
Let DNS find the nearest DC instead of hardwiring nodes here.
We recently retired a bunch of old DCs and this nuked the authentication process at the clients.
You have to force new settings by removing the current remote control agent and installing the newly built MSI file.
The repair option does not restart the service for unknown reasons
(I am local admin, but event log says cannot find file)

I also enabled a central log server ( needs a active DWMRCS service )

Domain and enterprise administrators are also allowed to take over machines.

Works great here.


Re: Granting remote control rights to non-admins
by abentley on Wed Oct 07, 2009 5:04 am


Hi, any update on this issue from DameWare support? Thanks


Re: Granting remote control rights to non-admins
by bryan on Fri Oct 09, 2009 9:54 am


See this post for additional information:
http://forums.dameware.com/viewtopic.php?f=8&t=1189

Do those non-Admin credentials have sufficient rights to log in at the console of this remote machine? In other words, can these non-Admins physically walk up to this machine and sit down at the console and use their credentials to log in? If not, then they won't be able to use those credentials to connect via our software either.

SEC_E_xxxxx errors are produced by Microsoft's SSPI (Security Support Provider) interface within the O/S, which is only used when using NT Challenge/Response authentication. Our software simply passes the necessary information to Microsoft's SSPI interface and the O/S takes over and performs all authentication.

This specific SSPI Error, "Failed to establish a security context" - SEC_E_LOGON_DENIED, implies there may be some setting within your O/S that's preventing "LAN Manager Authentication" on this machine, possibly a Policy setting (i.e. "Send NTLMv2 response only\refuse LM & NTLM", etc.).

Therefore, you might want to try using the Encrypted Windows Logon authentication method instead. Using the Encrypted Windows Logon authentication method may resolve your issue, or it may actually generate another error message which may point us in the right direction with regard to this issue. However, presently this behavior appears to be related to some type of O/S configuration issue.

Here are some other things you can check:

- For machines in a Domain, make sure the Net Logon Service is running.
- Make sure the credentials you're using to connect do not have an expired password.
- Check your LanManager Authentication Level policy.
- Try using the Encrypted Windows Logon authentication method instead.

I hope this helps.


Bryan Brinkman
Support Engineer
DameWare Development, LLC.
http://www.dameware.com
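
The checks in the reply above, as an added example in PowerShell (not DameWare's code and not from anyone in this thread): run it elevated on the target machine for one account, and it reports the Net Logon service state, the LAN Manager authentication level, the account's expiry and lockout state, whether the account is a member of the global group named in the posted INI, and who holds the interactive and network logon rights in the local security policy. The account name and group name are the assumed inputs; the domain is the one the machine itself belongs to. The "Access this computer from the network" check is not something the thread raises; it is included because an NTLM logon accepted through SSPI for a remote client is a network logon.

```powershell
# Added example, not DameWare code and not from the posters. Works through the
# OS-side checklist above for one account before the INI is changed again.
# Assumed inputs: a SAM account name and the global group from the posted INI.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$GroupName = 'DameWare Desktop Remote Control Access'
)

$report = New-Object System.Collections.ArrayList
function Add-Check([string]$Check, [bool]$Ok, [string]$Detail) {
    [void]$report.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}

# 1. Net Logon: without it the workstation cannot ask a DC to validate domain credentials.
$svc = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
$status = if ($svc) { $svc.Status.ToString() } else { 'service not found' }
Add-Check 'Netlogon service running' ($status -eq 'Running') $status

# 2. LAN Manager authentication level. The policy named in the reply above,
#    "Send NTLMv2 response only\refuse LM & NTLM", is LmCompatibilityLevel 5.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$lm = $lsa.LmCompatibilityLevel
$lmText = if ($null -eq $lm) { 'not set, OS default applies' } else { "level $lm" }
Add-Check 'LmCompatibilityLevel below 5' ($null -eq $lm -or $lm -lt 5) $lmText

# 3. Account state and group membership via System.DirectoryServices.AccountManagement
#    (no AD module needed on the workstation).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ctxType
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $SamAccountName)
if ($null -eq $user) {
    Add-Check 'Account found in domain' $false "no user named $SamAccountName"
} else {
    Add-Check 'Account enabled' ([bool]$user.Enabled) "Enabled=$($user.Enabled)"
    Add-Check 'Account not locked out' (-not $user.IsAccountLockedOut()) "lockout time=$($user.AccountLockoutTime)"
    $notExpired = ($null -eq $user.AccountExpirationDate) -or ($user.AccountExpirationDate -gt (Get-Date))
    Add-Check 'Account not expired' $notExpired "expires=$($user.AccountExpirationDate)"
    # LastPasswordSet is null when 'user must change password at next logon' is set.
    Add-Check 'No forced password change pending' ($null -ne $user.LastPasswordSet) "last set=$($user.LastPasswordSet)"
    $grp = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
    if ($null -eq $grp) {
        Add-Check "Group '$GroupName' exists" $false 'not found in this domain'
    } else {
        Add-Check "Member of '$GroupName'" ($user.IsMemberOf($grp)) "group SID=$($grp.Sid)"
        # One poster reports that universal groups did not work; the INI key names a global group.
        Add-Check "'$GroupName' is a global group" ("$($grp.GroupScope)" -eq 'Global') "scope=$($grp.GroupScope)"
    }
}

# 4. Logon rights from the local security policy. "Allow log on locally" is the
#    right asked about above; the network logon rights are an addition here, since an
#    NTLM logon accepted through SSPI for a remote client is a network logon.
function Get-RightHolders([string]$Right, [string[]]$PolicyLines) {
    $line = $PolicyLines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes principals as *SID; translate to names where the SID resolves.
            try {
                $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry.Substring(1) }
        } else { $entry }
    }
}
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg -ErrorAction SilentlyContinue
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
if (-not $policy) {
    Add-Check 'User rights exported' $false 'secedit /export failed; run this elevated'
} else {
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight', 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight') {
        $holders = @(Get-RightHolders $right $policy)
        # A populated Deny right is worth a look; an empty Allow right is certainly a problem.
        $ok = if ($right -like 'SeDeny*') { $holders.Count -eq 0 } else { $holders.Count -gt 0 }
        Add-Check $right $ok ($holders -join ', ')
    }
}

$report | Format-Table -AutoSize
```

Usage: `.\Test-DwrcsLogon.ps1 -SamAccountName jsmith` from an elevated prompt on the machine that refuses the connection. The rights rows list the holders rather than deciding for you, because the account's effective membership (nested groups, Domain Users in local Users) is what decides whether it is covered, and that is easier to read off the names than to recompute.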

Re: Granting remote control rights to non-admins
by abentley on Mon Oct 12, 2009 3:03 am


Thanks Bryan,


I did read the article above and have tried Encrypted Windows Logon before. I have just tried again on several computers and still no joy...

1. The NETLOGON server is running. Confirmed on all computers. All other domain-based authentication would fail without this service, so it's definitely running OK.

2. The credentials I am testing with are definitely OK. The account is not expired, locked out and does not require a password change. I can logon interactively at the console of any computer with this test account.

3. LAN Manager Authentication Level is configured using Group Policy to: Send LM & NTLM - use NTLMv2 session security if negotiated. I have also set this to 'Not Configured' so that the default Vista setting (Undefined on workstations) takes effect, this does not help either.

4. Both Windows NT Challenge Response and Encrypted Windows Logon consistently fail for all users who do not have local admin rights. I changed the 'Authentication Type' in the ini file (restarting DameWare service after each change) to 2,4 and 6 to test the different scenarios.

Here's the event log of a failed Encrypted Windows Logon attempt:

Error: Failed Authentication.
Using Encrypted Windows Logon.
Error:
DameWare Mini Remote Control
System Error: 1326
Failed to Logon User (srv)

Date: 10/12/2009 08:46:45  
Computer Name: [computername]  
User ID: [username]  
Logon As ID: [username]  
Domain:   
Desktop User ID:   
Desktop Name:   
System Settings Using: INI-File  
Desktop State: Unknown  
Permission Required: Yes  
Access Approved By: N/A  
Access Declined By: N/A  
Access Request Timeout: N/A  
Access Request Disconnected: N/A  
OS Product ID: 89579-236-0200203-71402  
OS Registered Owner: [owner]  
OS Registered Organization: [org]  
Host Name from Peer: [client computer name]  
IP Address(es) from Peer: [client ip address]  
Peer Host Name:   
Peer IP Address: [client ip address]  
Protocol Version - DWRCC.EXE: 6.800000-0.000010  
Protocol Version - DWRCS.EXE: 6.800000-0.000010  
Product Version - DWRCS.EXE: 6.8.1.4  
Product Version - DWRCC.EXE: 6.8.1.4  
Proxy Host Used: No  
Proxy Host:   
Proxy Destination Host:   
Proxy Destination Port: 0   
Proxy Callback Port: N/A   
Authentication Type: Encrypted Windows Logon  
Last Error Code: 1326  
Last Error Code (WSA): 0  
Host Port Number: 6129   
Host IP Address: [host ip address]   
Host Name: [host computer name]   
Absolute timeout setting: 0 minutes  
Connect/Logon timeout setting: 90000 milliseconds  
AccessCheck:   
Registered: No  
WTS Session: No  
Used RSA Public-Key Key Exchange (1024 bit keys).  
Encryption IDs: 26128 (24576,1536,16) [256].  
Hashing IDs: 26128 (24576,1536,16).  
Used Shared Secret: No  
Registration: [reg code]

