
Global domain group access

Note: This is a topic brought over from DameWare Forums which has been closed. If you wish to engage in this discussion, just comment here.

Global domain group access
by Verrry on Thu May 15, 2008 1:59 am


Good day!
While testing DNTU v.6.7.0.9 I ran into the following problem: when I check the option "Must be member of this global group" on the Access tab, I can log in to the remote machine only if it is at a "logon screen" (locked or not logged in). When the user on the remote machine is logged in locally, this error appears: "The remote system is not currently at the Logon Desktop. Your credentials do not allow for access at the current desktop state. Please contact your Administrator for more information"
At Access tab no other options are checked.
At General tab only the following options are checked: "Allow Windows NT Challenge/Response" and "Allow Encrypted Windows Logon"
At Additional setting tab no option is checked.
The idea was to permit only members of the global domain group to use DNTU.
How can I provide access only to members of the global domain group and not only from the "logon screen"?


Re: Global domain group access
by bryan on Thu May 15, 2008 2:27 pm


Hello Verrry,

This specific message "The remote system is not currently at the Logon Desktop. Your credentials do not allow for access at the current desktop state" is not related to using a Local or Global Group. It has to do with what rights these users have within the O/S security on the remote machine.

Most likely these users do not have Admin rights within the O/S security on this remote machine, and you also disabled the "Permission Required for these Account Types" setting, at the bottom of the Access Tab.

Non-Admins will always require explicit permission from the Desktop User before they can connect, but if you turn off the "Permission Required for these Account Types" setting, then any non-Admin will simply be denied access to this machine, without even prompting the Desktop user to Accept their connection.

I hope this helps.


Bryan Brinkman
Support Engineer
DameWare Development, LLC.
http://www.dameware.com

Re: Global domain group access
by Verrry on Fri May 16, 2008 2:10 am


Well, thanks Bryan for your answer.
I understand that if a user wants to connect to a remote host, he must be a member of the local administrator group or must ask the local user for permission to log in.
But in case the security service wishes to silently view the remote desktop, there is no way to give them this ability without adding them to the local admin group.
And what are global groups used for in that case?


Re: Global domain group access
by bryan on Fri May 16, 2008 11:49 am


Hi Verrry,

When a remote machine is not at the Logon Desktop or Lock screen, in order to connect without requiring explicit permission from the Desktop User then you must have Administrator rights within the O/S security on that machine. Otherwise if you don't have Administrator rights, then you will require permission before you can connect.

The only other possible work-around (to allow non-Admins to connect without requiring explicit permission) I can think of, and I don’t necessarily recommend it, would be to allow these users to connect via the Proprietary Challenge/Response authentication method instead. This method of authentication uses a fictitious hard-coded UserID & Password instead of your O/S credentials.

I hope this helps.


Bryan Brinkman
Support Engineer
DameWare Development, LLC.
http://www.dameware.com
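
The connection rules described in the two support replies above, collected into one decision function. This is an added example, not DameWare code and not part of the original thread. The class, field and function names are hypothetical, and applying the group check to every caller is an assumption based on the option's name.

```python
from dataclasses import dataclass
from itertools import product

ALLOW, PROMPT, DENY = "allow", "prompt desktop user", "deny"


@dataclass(frozen=True)
class Attempt:                   # hypothetical field names, not product settings
    in_required_group: bool      # "Must be member of this global group" satisfied
    is_local_admin: bool         # Admin rights in the remote machine's O/S security
    at_logon_desktop: bool       # remote machine is at the logon or lock screen
    permission_setting_on: bool  # "Permission Required for these Account Types"


def decide(a: Attempt) -> str:
    """Outcome of a connection attempt, as the thread describes it."""
    if not a.in_required_group:  # assumption: the group option gates every caller
        return DENY
    if a.at_logon_desktop or a.is_local_admin:
        return ALLOW             # no desktop user needs to be asked
    # Non-admin while a user is logged in: explicit permission is mandatory.
    # With the setting off there is no prompt at all, only a refusal.
    return PROMPT if a.permission_setting_on else DENY


def silent_non_admin_cases():
    """Every state in which a non-admin gets in without a prompt."""
    found = []
    for grp, desk, perm in product([True, False], repeat=3):
        a = Attempt(grp, False, desk, perm)
        if decide(a) == ALLOW:
            found.append(a)
    return found


if __name__ == "__main__":
    # Print the full matrix of 16 combinations.
    for combo in product([True, False], repeat=4):
        a = Attempt(*combo)
        print(a, "->", decide(a))
```

`silent_non_admin_cases()` returns only states where the remote machine is at the logon or lock screen, which is the behaviour reported in the first post.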

Re: Global domain group access
by TheCat on Fri May 08, 2009 9:07 am


Well, I guess that answers my question!

But why would I be able to configure such a setup only to find out through support (not even with a correct error message) that this configuration is useless?

Seriously, you can make your local group setup and all, but still cannot get it to work because you're not a local admin.

I don't know about you, but if I set up a "must be in this localgroup", it's obvious that's because I don't want them to be in the local admin group... If I do not allow an admin to have remote access with DameWare, they will just log on locally and set up their account to use remote desktop (as they have the right to do so as admin...)

Right now we're working on the PCI-DSS certification, so I ended up removing all level 1 tech admin rights to our POS system, giving them appropriate "power user" rights.

Part of their jobs requires them to log on remotely to remote PCs without having to ask for permission (as they sometimes work off-hours, or on call when there is no one to answer the connection request). For the PCI-DSS requirement, I cannot give them a generic username/password. Even you folks don't recommend that I use such a setting.

Sorry... I guess I'm just a little mad that I just spent the last 2 hours trying to figure out what went wrong, thinking I had the right config setup (and according to the setting description I had), only to find out later that this is normal behavior. You can set it up, but it will not work... wow...

It's like telling you I built you a car, gave you the key to it, and told you to go pick up something for me with that car. But when you hit "start engine" it won't work, and that's normal because you're not the car owner...