Managing DMRC access settings using a GPO

Version 2

    Introduction


    Access settings for DameWare Mini Remote Control are configured directly in the MRC Client Agent. They are stored locally on the client machine, which can make them difficult to manage across multiple computers. However, since these settings are stored in the Windows Registry, it is possible to configure a GPO to apply changes to these settings across a domain.

     

    This document is a guide to using the Group Policy Management Editor to manage these settings. It lists the Registry Keys that hold the MRC Client Agent access settings and explains how to configure them without using the agent's GUI.

     

     

    1 – Access configuration Registry Subkeys

     

    The following is a list of the registry subkeys that Mini Remote Control stores for the Access configuration. All these subkeys are located under the key:

     

    HKLM\Software\DameWare Development\Mini Remote Control Service\Settings


    Table 1 - DMRC Access Control Subkeys

     

    Subkey Name | MRC Agent GUI location | Type | Description
    --- | --- | --- | ---
    Allow All Administrators to Have Control | Additional Settings | REG_DWORD | Sets Full Control by default for any user that belongs to the local or domain “Administrators” group when the MRC session starts. Values: 0x00000001 – Enable, 0x00000000 – Disable.
    Allow Only Administrators To Connect | Access | REG_DWORD | Allows MRC connections to the machine only for members of the Local Administrators group. Values: 0x00000001 – Enable, 0x00000000 – Disable.
    Group [#] | Access | REG_SZ | Each Group subkey is designated a consecutive number starting with 0. Each one is a string value containing the name of a group, Local or Global, that will be granted permission to start an MRC connection.
    Must Be Member Of Group | Access | REG_DWORD | Allows MRC connections to this machine only to members of one of the registered groups, Local or Global. Values: 0x00000001 – Enable, 0x00000000 – Disable.
    Permission Required | Additional Settings | REG_DWORD | Enabling this setting will prompt the currently logged on user to Allow or Deny every MRC connection attempt regardless of the rights used to connect. Values: 0x00000001 – Enable, 0x00000000 – Disable.
    Permission Required for non Admin | Access | REG_DWORD | Requires a Non-Administrator to be granted permission from the currently logged on user of the remote machine to connect. When this setting is disabled, a Non-Administrator can connect without receiving permission in “Non-Administrator Mode.” Values: 0x00000001 – Enable, 0x00000000 – Disable.
    Disconnect If At Logon Desktop | Access | REG_DWORD | Applies to Non-Administrators who attempt to connect to a remote machine that is currently at the Logon Desktop. If this setting is enabled, the Non-Administrator will not be allowed to establish the MRC connection. Values: 0x00000001 – Enable, 0x00000000 – Disable.
    Permission Required for no Admin Force View Only | Access | REG_DWORD | Applies to Non-Administrators. This setting will restrict the MRC session to View Only Mode for the Non-Administrator. Values: 0x00000001 – Enable, 0x00000000 – Disable.
    Requires Logon Locally Privilege | Access | REG_DWORD | Allows MRC connections to the machine only for users who have sufficient rights to perform a local Logon to this machine. Values: 0x00000001 – Enable, 0x00000000 – Disable.

     

     

    2 – Configuring a GPO to manage MRC Access settings


     


     

    It is not necessary to create a new GPO to manage these settings since they can be set in an existing GPO. The following instructions will describe the procedure in a new GPO, but the same steps would apply on an existing one.


    To create the new GPO you can use the Group Policy Management tool. Once you create it and link it to the OUs of the computers you plan to manage, open it using the Group Policy Management Editor. You can launch this tool from Group Policy Management by right-clicking on the GPO and selecting “Edit…”.

     

    In the editor, navigate to:

     

    Computer Configuration | Preferences | Windows Settings | Registry


    Create a collection for the settings by right-clicking “Registry” and selecting New > Collection Item.




    You can give the collection the name you want. We suggest you use a name that will help you identify it, such as “DameWare Access”. Inside this collection, create the Registry Items for the settings you wish to manage. With the exception of Groups, you will only have to add the Registry items the first time you manage the configuration.

     

     

    2.1 – Creating Registry Items for Access Settings



    For each Access setting you would like to manage in the GPO, a Registry Item must be created. When you create it, the “New Registry Properties” window will be displayed. All settings apart from user groups use the same settings. The only thing that changes will be the value name. Here is how each field should be set:

     

    Table 2 - Registry Item fields for MRC Access Control

     

    Field | Value
    --- | ---
    Action | Update
    Hive | HKEY_LOCAL_MACHINE
    Key Path | SOFTWARE\DameWare Development\Mini Remote Control Service\Settings
    Value Name | Use the Subkey Name of the setting exactly as listed in Table 1.
    Value Type | REG_DWORD
    Value data | 00000001 to enable or 00000000 to disable
    Base | Hexadecimal

     


     

     

    If you decide to manage all Access Settings, your collection will look something like this:

     

     

    [Screenshot: dwacc.JPG]

     

     

     

     

    2.2 – Creating Registry Items to set permissions for non-admin Groups

     

    Unlike other Registry Items, groups are defined as String Values. This string, “Group [#]”, will contain the name of the Local or Global Group that you wish to grant access to. It’s important to keep in mind that the “Must Be Member Of Group” subkey must be set to 00000001 in order for any non-admin Group members to be allowed to start an MRC connection.  The following table describes what to input on each field when creating the item:

     

    Field | Value
    --- | ---
    Action | Create
    Hive | HKEY_LOCAL_MACHINE
    Key Path | SOFTWARE\DameWare Development\Mini Remote Control Service\Settings
    Value Name | Group [#] where [#] is a consecutive number starting with 0 (e.g. Group 0)
    Value Type | REG_SZ
    Value data | GroupName or DomainName\GroupName

     


     

     

    A Group [#] subkey must be created for each group that will be granted MRC connection permissions. Make sure each group you add follows a consecutive number: Group 0, Group 1, Group 2, etc. Once you set a Registry Key item for each group you would like to give permission, your collection will look something like this:

     

     

    [Screenshot: groups.JPG]

     

     

    Make sure that each Group [#] item has a green triangle icon, indicating that the Registry Key will be created.
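The steps in sections 2.1 and 2.2 can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original DameWare document: the GPO name, target OU, group names and the values chosen are placeholders, and the cmdlets create the items directly under Registry rather than inside a collection.

```powershell
# Added example: create a new GPO holding the Registry Items from sections 2.1 and 2.2.
# Assumption: run on a machine with the Group Policy Management tools (GroupPolicy module).
Import-Module GroupPolicy

$GpoName  = 'DameWare Access'                       # placeholder GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'     # placeholder OU to link to
$Key      = 'HKLM\SOFTWARE\DameWare Development\Mini Remote Control Service\Settings'

# DWORD settings, named exactly as in Table 1: 1 = Enable, 0 = Disable.
# Example values only; choose the ones your own access policy requires.
$Dwords = [ordered]@{
    'Allow Only Administrators To Connect'             = 0
    'Must Be Member Of Group'                          = 1
    'Permission Required for non Admin'                = 1
    'Permission Required for no Admin Force View Only' = 1
    'Disconnect If At Logon Desktop'                   = 1
    'Requires Logon Locally Privilege'                 = 1
}

# Groups allowed to connect; list order becomes Group 0, Group 1, ... (placeholders)
$Groups = @('EXAMPLE\Helpdesk-MRC', 'EXAMPLE\ServerOps-MRC')

# Only populate a GPO this script created, so a re-run cannot add duplicate items.
if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
    throw "GPO '$GpoName' already exists; change its items as described in section 3."
}
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $TargetOu | Out-Null

$common = @{ Name = $GpoName; Context = 'Computer'; Key = $Key }

# Section 2.1: one REG_DWORD item per setting, Action = Update.
foreach ($name in $Dwords.Keys) {
    Set-GPPrefRegistryValue @common -Action Update -ValueName $name `
        -Type DWord -Value $Dwords[$name] | Out-Null
}

# Section 2.2: one REG_SZ item per group, Action = Create, numbered from 0.
for ($i = 0; $i -lt $Groups.Count; $i++) {
    Set-GPPrefRegistryValue @common -Action Create -ValueName "Group $i" `
        -Type String -Value $Groups[$i] | Out-Null
}

# List what was written so it can be checked against Table 1.
Get-GPPrefRegistryValue @common
```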


     

    3 – Managing DMRC Access settings on an existing GPO



    Managing an existing Access configuration consists of modifying the Registry Item values in the GPO. To do this, right-click the item in the Group Policy Management Editor and select “Properties”. The item's properties window will come up. To enable or disable the setting defined by each item, the only field that needs to be modified is “Value Data”.

     

    Click OK. Once the GPO propagates over the domain, the settings will be applied to the MRC Client Agent on all the machines affected by the policy. DWRCS.EXE dynamically checks the Windows Registry for changes, so it is not necessary to restart the services for the changes to take effect.

     


     

     

    IMPORTANT: Settings configured using a GPO will override any settings set manually on the local machine.
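To confirm on a managed machine that the policy has been applied, the values under the Settings key can be read back and compared with what the GPO is meant to set. This is an added example, not part of the original DameWare document; the function name and the expected values are assumptions to be replaced with your own baseline.

```powershell
# Added example: audit the MRC access settings a machine actually holds.
$Path = 'HKLM:\SOFTWARE\DameWare Development\Mini Remote Control Service\Settings'

# Expected DWORD values (example baseline only; use the values set in your GPO).
$Expected = @{
    'Must Be Member Of Group'           = 1
    'Permission Required for non Admin' = 1
    'Disconnect If At Logon Desktop'    = 1
}

function Test-MrcAccessSettings {   # hypothetical helper name
    param([string]$Path, [hashtable]$Expected)

    $props    = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Compare each managed DWORD with the value the GPO should have written.
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            $findings.Add("MISSING: '$name' is not set")
        } elseif ($actual -ne $Expected[$name]) {
            $findings.Add("DRIFT: '$name' is $actual, expected $($Expected[$name])")
        }
    }

    # 2. Collect the Group [#] values and check the numbering starts at 0 with no gaps.
    $indexes = @($props.PSObject.Properties.Name |
        ForEach-Object { if ($_ -match '^Group (\d+)$') { [int]$Matches[1] } } |
        Sort-Object)
    for ($i = 0; $i -lt $indexes.Count; $i++) {
        if ($indexes[$i] -ne $i) {
            $findings.Add("NUMBERING: expected 'Group $i', found 'Group $($indexes[$i])'")
            break
        }
    }

    # 3. Section 2.2: groups are only honoured when "Must Be Member Of Group" is 1.
    $enforced = ($props.'Must Be Member Of Group' -eq 1)
    if ($enforced -and $indexes.Count -eq 0) {
        $findings.Add("GROUPS: membership is required but no Group [#] value exists")
    } elseif (-not $enforced -and $indexes.Count -gt 0) {
        $findings.Add("GROUPS: Group [#] values exist but 'Must Be Member Of Group' is not enabled")
    }

    # Emit the group list for review against the approved groups, then the findings.
    foreach ($n in $indexes) { $value = $props."Group $n"; "INFO: Group $n = $value" }
    $findings
}

Test-MrcAccessSettings -Path $Path -Expected $Expected
```

An empty findings list with only INFO lines means the machine matches the baseline; the INFO lines show which groups are currently able to start an MRC connection.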