
Managing DMRC access settings using a GPO

Introduction


Access settings for DameWare Mini Remote Control are configured directly in the MRC Client Agent. They are stored locally on the client machine, which makes them difficult to manage across multiple computers. However, since these settings are stored in the Windows Registry, it is possible to configure a GPO to apply changes to these settings across a domain.

This document is a guide to using the Group Policy Management Editor to manage these settings. It lists the Registry Keys that hold the MRC Client Agent access settings and explains how to configure them without having to use the agent's GUI.

1- Access configuration Registry Subkeys

The following is a list of the registry subkeys stored by the Mini Remote Control associated to the Access configuration. All these subkeys are located under the key:

HKLM\Software\DameWare Development\Mini Remote Control Service\Settings


Table 1 - DMRC Access Control Subkeys

| Subkey Name | MRC Agent GUI location | Type | Description |
|---|---|---|---|
| Allow All Administrators to Have Control | Additional Settings | REG_DWORD | Sets Full Control by default for any user that belongs to the local or domain “Administrators” group when the MRC session starts. Values: 0x00000001 – Enable; 0x00000000 – Disable |
| Allow Only Administrators To Connect | Access | REG_DWORD | Allows MRC connections to the machine only for members of the Local Administrators group. Values: 0x00000001 – Enable; 0x00000000 – Disable |
| Group [#] | Access | REG_SZ | Each Group subkey is designated a consecutive number starting with 0. Each one is a string value containing the name of a group, Local or Global, that will be granted permission to start an MRC connection. |
| Must Be Member Of Group | Access | REG_DWORD | Allows MRC connections to this machine only to members of one of the registered groups, Local or Global. Values: 0x00000001 – Enable; 0x00000000 – Disable |
| Permission Required | Additional Settings | REG_DWORD | Enabling this setting will prompt the currently logged on user to Allow or Deny every MRC connection attempt regardless of the rights used to connect. Values: 0x00000001 – Enable; 0x00000000 – Disable |
| Permission Required for non Admin | Access | REG_DWORD | Requires a Non-Administrator to be granted permission from the currently logged on user of the remote machine to connect. When this setting is disabled, a Non-Administrator can connect without receiving permission in “Non-Administrator Mode.” Values: 0x00000001 – Enable; 0x00000000 – Disable |
| Disconnect If At Logon Desktop | Access | REG_DWORD | Applies to Non-Administrators who attempt to connect to a remote machine that is currently at the Logon Desktop. If this setting is enabled, the Non-Administrator will not be allowed to establish the MRC connection. Values: 0x00000001 – Enable; 0x00000000 – Disable |
| Permission Required for no Admin Force View Only | Access | REG_DWORD | Applies to Non-Administrators. This setting will restrict the MRC session to View Only Mode for the Non-Administrator. Values: 0x00000001 – Enable; 0x00000000 – Disable |
| Requires Logon Locally Privilege | Access | REG_DWORD | Allows MRC connections to the machine only for users who have sufficient rights to perform a local Logon to this machine. Values: 0x00000001 – Enable; 0x00000000 – Disable |

2 – Configuring a GPO to manage MRC Access settings



It is not necessary to create a new GPO to manage these settings since they can be set in an existing GPO. The following instructions will describe the procedure in a new GPO, but the same steps would apply on an existing one.


To create the new GPO you can use the Group Policy Management tool. Once you have created it and linked it to the OUs of the computers you plan to manage, open it using the Group Policy Management Editor. You can launch this tool from Group Policy Management by right-clicking on the GPO and selecting “Edit…”

In the editor, navigate to:

Computer Configuration | Preferences | Windows Settings | Registry


Create a collection for the settings by right-clicking “Registry” and selecting New > Collection Item.

You can give the collection the name you want. We suggest you use a name that will help you identify it, such as “DameWare Access”. Inside this collection, create the Registry Items for the settings you wish to manage. With the exception of Groups, you will only have to add the Registry Items the first time you manage the configuration.

2.1 – Creating Registry Items for Access Settings



For each Access setting you would like to manage in the GPO, a Registry Item must be created. When you create it, the “New Registry Properties” window will be displayed. All settings apart from user groups use the same field values; the only thing that changes is the value name. Here is how each field should be set:

Table 2 - Registry Item fields for MRC Access Control

| Field | Value |
|---|---|
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Key Path | SOFTWARE\DameWare Development\Mini Remote Control Service\Settings |
| Value Name | Use the Subkey Name of the setting exactly as listed in Table 1. |
| Value Type | REG_DWORD |
| Value data | 00000001 to enable or 00000000 to disable |
| Base | Hexadecimal |

If you decide to manage all Access Settings, your collection will look something like this:

[Screenshot: dwacc.JPG]

2.2 – Creating Registry Items to set permissions for non-admin Groups

Unlike other Registry Items, groups are defined as String Values. This string, “Group [#]”, will contain the name of the Local or Global Group that you wish to grant access to. It’s important to keep in mind that the “Must Be Member Of Group” subkey must be set to 00000001 in order for any non-admin Group members to be allowed to start an MRC connection.  The following table describes what to input on each field when creating the item:

| Field | Value |
|---|---|
| Action | Create |
| Hive | HKEY_LOCAL_MACHINE |
| Key Path | SOFTWARE\DameWare Development\Mini Remote Control Service\Settings |
| Value Name | Group [#] where [#] is a consecutive number starting with 0 (e.g. Group 0) |
| Value Type | REG_SZ |
| Value data | GroupName or DomainName\GroupName |

A Group [#] subkey must be created for each group that will be granted MRC connection permissions. Make sure each group you add follows a consecutive number: Group 0, Group 1, Group 2, etc. Once you set a Registry Key item for each group you would like to give permission, your collection will look something like this:

[Screenshot: groups.JPG]

Make sure that each Group [#] item has a green triangle icon, indicating the Registry Key will be created.
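The Registry Items from sections 2.1 and 2.2 can also be created by script with the GroupPolicy PowerShell module. This is an added example, not part of the original document: the GPO name, the chosen enable/disable values and the group names are constructed for illustration, and the items are added directly under Registry rather than inside a collection.

```powershell
# Requires the GroupPolicy module (RSAT / GPMC) and edit rights on the GPO.
Import-Module GroupPolicy

$GpoName = 'DameWare Access'   # hypothetical GPO name; must already exist and be linked
$Key     = 'HKLM\SOFTWARE\DameWare Development\Mini Remote Control Service\Settings'

# Constructed example values. Names are taken from Table 1; 1 = enable, 0 = disable.
$Dwords = [ordered]@{
    'Allow Only Administrators To Connect' = 0
    'Must Be Member Of Group'              = 1
    'Permission Required for non Admin'    = 1
    'Disconnect If At Logon Desktop'       = 1
}

# Constructed group names; the array index becomes the consecutive Group [#] number.
$Groups = @('CONTOSO\Helpdesk-MRC', 'CONTOSO\Desktop-Support')

# Section 2.1: one REG_DWORD item per access setting, Action = Update.
foreach ($name in $Dwords.Keys) {
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
        -Key $Key -ValueName $name -Type DWord -Value $Dwords[$name] | Out-Null
}

# Section 2.2: one REG_SZ item per group, Action = Create, numbered from 0.
for ($i = 0; $i -lt $Groups.Count; $i++) {
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Create `
        -Key $Key -ValueName "Group $i" -Type String -Value $Groups[$i] | Out-Null
}

# List the preference items now defined under the key for review.
Get-GPPrefRegistryValue -Name $GpoName -Context Computer -Key $Key
```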


3- Managing DMRC Access settings on an existing GPO



Managing an existing Access configuration consists of modifying the Registry Item values in the GPO. To do this, right-click the item in the Group Policy Management Editor and select “Properties”. The item's properties window will come up. To enable or disable the setting defined by each item, the only field that needs to be modified is “Value Data”.

Click OK and once the GPO propagates over the domain, the settings will be applied to the MRC Client Agent in all the machines affected by the policy. DWRCS.EXE dynamically checks the Windows Registry for changes so it is not necessary to restart the services for the changes to take effect.


IMPORTANT: Settings configured using GPO will override any settings set manually in the local machine.
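To confirm that the policy has reached a client, the values under the Settings key can be read back and compared with what the GPO is meant to enforce. The script below is an added example, not part of the original document; the baseline values are constructed, and `Test-DmrcAccessSettings` is a hypothetical helper name.

```powershell
# Audit the local MRC agent's access settings against an expected baseline.
$SettingsPath = 'HKLM:\SOFTWARE\DameWare Development\Mini Remote Control Service\Settings'

# Constructed baseline (illustrative values; names are taken from Table 1).
$Expected = [ordered]@{
    'Allow Only Administrators To Connect' = 0
    'Must Be Member Of Group'              = 1
    'Permission Required for non Admin'    = 1
    'Disconnect If At Logon Desktop'       = 1
}

function Test-DmrcAccessSettings {
    param([string] $Path, [System.Collections.IDictionary] $Baseline)
    $props    = (Get-ItemProperty -Path $Path -ErrorAction Stop).PSObject.Properties
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($name in $Baseline.Keys) {
        $p = $props[$name]
        if ($null -eq $p) { $findings.Add("MISSING '$name'") }
        elseif ([int]$p.Value -ne $Baseline[$name]) {
            $findings.Add("DRIFT '$name' = $($p.Value), expected $($Baseline[$name])")
        }
    }

    # Group [#] values must be numbered consecutively starting with 0.
    $groups = @($props | Where-Object { $_.Name -match '^Group \d+$' } |
        Sort-Object { [int]($_.Name -replace '^Group ', '') })
    for ($i = 0; $i -lt $groups.Count; $i++) {
        if ($groups[$i].Name -ne "Group $i") {
            $findings.Add("GAP expected 'Group $i', found '$($groups[$i].Name)'")
            break
        }
    }

    # Group entries only grant access when 'Must Be Member Of Group' is 1.
    $gate   = $props['Must Be Member Of Group']
    $gateOn = ($null -ne $gate) -and ([int]$gate.Value -eq 1)
    if ($gateOn -and $groups.Count -eq 0) { $findings.Add('EMPTY group check enabled, no Group [#] values') }
    if (-not $gateOn -and $groups.Count -gt 0) { $findings.Add('UNUSED Group [#] values set, group check disabled') }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Groups   = $groups | ForEach-Object { "$($_.Name)=$($_.Value)" }
        Findings = $findings
    }
}

Test-DmrcAccessSettings -Path $SettingsPath -Baseline $Expected | Format-List
```

An empty `Findings` list means the machine matches the baseline; the `Groups` output shows which accounts the agent will accept for non-administrator connections.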