
    ConfigMgr 2012 Remote Control: How to Get Rid of the Local Security Group ‘ConfigMgr Remote Control Users’

    By Eswar Koneti, May 23, 7:49 am | CM2012

    ConfigMgr 2012 allows admins to configure custom client settings at the collection level to control the behavior and functionality of ConfigMgr 2012 clients.

    You can create as many as 9999 custom client Device/User settings, which you can apply to collections (Device/User).

    What happens if a client is a member of multiple collections that have client settings? Every custom client setting you create has a priority, and the settings with the higher priority (1) override those with a lower priority (10000).

    If you are going to have multiple client agent settings, pay close attention to this, or you will see undesired results.

    By default, ConfigMgr configures the default client settings at the hierarchy level with priority 10000 (low), and they apply to every user and device. To learn more about client settings, refer to TechNet: http://technet.microsoft.com/en-us/library/gg682067.aspx

    Now, let's jump to the subject line. After the ConfigMgr 2012 installation, the default client settings are configured with the necessary changes. In this case, Remote Tools is configured with AD security groups under ‘Permitted viewers of remote control and remote assistance’, so that users who are members of these AD security groups can do remote control from ConfigMgr.

    Note: Remote control always takes control of the console session. It cannot and does not control other remote sessions.

    These settings (Remote Control) are then applied to every client (both workstations and servers) at the next policy interval. What happens when they are applied?

    The client creates a local security group called ‘ConfigMgr Remote Control Users’ and grants the necessary DCOM permissions to this group. You can verify the remote control properties via WMI or the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control).

    Also, if you have set the option ‘Manage Remote Desktop settings’ to Yes in Remote Tools, the ‘ConfigMgr Remote Control Users’ group is automatically added in the following places:

    1)  Start > Administrative Tools > Local Security Policy > User Rights Assignment > Allow log on through Remote Desktop Services

    2) Remote Desktop settings: the “ConfigMgr Remote Control Users” group is added with Full Control (see screenshot below). For how to check the RDP-tcp IP properties, follow the guide here.

    So far, we have seen the behavior of the SCCM client with respect to the Remote Tools settings.

    Issue: The server team raised a concern that the above changes (1 & 2) should not be applied on servers (for workstations, it is fine). This happened because I do not have separate client device settings for workstations and servers: the default client settings, with Remote Tools enabled, are applied at the hierarchy level to both workstations and servers.

    How do I correct issues 1 & 2 on the existing servers, and make sure they do not occur on new servers going forward?

    Create a custom client device setting for Remote Tools (and any other settings you want to manage this way). Go to Remote Tools and set all Yes/Enabled options to No/Disabled, including setting ‘Manage Remote Desktop settings’ to ‘No’.

    Note: It is always recommended not to touch the default client settings and to create custom client device settings for workstations and servers instead.

    Deploy this setting to a server-based collection, then wait for the machine policy to load, or trigger the action on one of the servers in the collection, and see the changes.

    You should no longer see ‘ConfigMgr Remote Control Users’ in the RDP-Tcp properties or in Allow log on through Remote Desktop Services.

    What about the local security group that was created in the past?

    The TechNet article says that after you disable remote tools for a client, this group is not automatically removed and must be manually deleted from each client computer.

    So we have to delete this group on all the existing servers. To do this, I created a simple VBScript that checks for the group and deletes it if it exists.

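    ' Delete the local group left behind by the ConfigMgr client, if it exists.
    Const GROUP_NAME = "ConfigMgr Remote Control Users"
    strComputer = "."
    Set objComputer = GetObject("WinNT://" & strComputer)
    ' Enumerate local groups only, not users or services.
    objComputer.Filter = Array("group")
    For Each objGroup In objComputer
        If LCase(objGroup.Name) = LCase(GROUP_NAME) Then
            objComputer.Delete "group", objGroup.Name
            ' Stop enumerating once the group has been removed.
            Exit For
        End If
    Next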

    Create a package using this script and deploy it to the collection. This will remove the local group on all the existing servers and do nothing if the group doesn't exist.
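
A way to verify the result on a server once the custom client settings and the cleanup script have been deployed. This is an added example, not part of the original post; it assumes an elevated Windows PowerShell 3.0+ session, and the function name `Get-RemoteControlResidue` is hypothetical. It checks the local group, the user right and the registry key mentioned above, not the RDP-Tcp permissions.

```powershell
# Added example (not from the original post). Run elevated: secedit needs admin rights.
$GroupName = 'ConfigMgr Remote Control Users'   # group name from the post
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'

function Get-RemoteControlResidue {   # hypothetical helper name
    # 1. Does the local group still exist, and who is in it?
    $group = Get-WmiObject -Class Win32_Group `
        -Filter "LocalAccount=True AND Name='$GroupName'"
    $members = @()
    if ($group) {
        $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
        $members = @($adsi.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }

    # 2. Is the group still granted "Allow log on through Remote Desktop Services"?
    $hasRdpRight = $false
    if ($group) {
        $cfg = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
        Remove-Item $cfg -ErrorAction SilentlyContinue
        if ($line) {
            # Entries are "*SID" or account names, separated by commas.
            $entries = ($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
            $hit = $entries |
                Where-Object { $_ -eq $group.SID -or $_ -like "*$GroupName" }
            $hasRdpRight = [bool]$hit
        }
    }

    # 3. Remote control values under the registry key named in the post.
    $reg = if (Test-Path $RegPath) {
        Get-ItemProperty -Path $RegPath | Select-Object -Property * -ExcludeProperty PS*
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        GroupExists      = [bool]$group
        GroupMembers     = $members -join '; '
        HasRdpLogonRight = $hasRdpRight
        RegistryValues   = $reg
    }
}

Get-RemoteControlResidue | Format-List
```

On a cleaned-up server, `GroupExists` and `HasRdpLogonRight` should both be `False`.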

    Thanks to windows-noob (Niall Brady) for helping out on this.

    8 Comments

    1. pedroroeseler on June 23, 2017 11:48 PM

      Hello Eswar.

      Thank you for the excellent Post!

      For some reason some devices in our domain are not retrieving the users that belong to the remote access group and as a consequence we cannot start a remote access.
      If we do a repair to the SCCM client the users are automatically added to the group so I would like to get a list of the “non-compliant” devices and then do a remote repair of the SCCM client.
      Is there a way to create a Collection with a WMI query to achieve this? Or some similar examples that I can check. A configuration baseline could also work. I created one with a powershell script but for some reason it is not working.
      Script:

      $LocAdmGroupMembers = (Get-WmiObject -Query "ASSOCIATORS OF `
      {Win32_Group.Domain='$($env:COMPUTERNAME)',Name='ConfigMgr Remote Control Users'} `
      WHERE ResultClass = Win32_UserAccount").Caption
      $LocAdmGroupMembers += (Get-WmiObject -Query "ASSOCIATORS OF `
      {Win32_Group.Domain='$($env:COMPUTERNAME)',Name='ConfigMgr Remote Control Users'} `
      WHERE ResultClass = Win32_Group").Caption

      if ($LocAdmGroupMembers) {$Compliance = 1}
      else {$Compliance = 0 }
      Return $Compliance

      Thanks in advance for your help!

      Cheers,
      Pedro

      • Eswar Koneti on July 11, 2017 3:27 PM

        Hi Pedro,
        To get local admin groups, you can use this method: http://eskonr.com/2017/03/sccm-configmgr-report-for-local-admins-and-local-group-members/

        Regards,
        Eswar

    2. Ram on June 16, 2014 7:26 PM

      Will try during this weekend. Got a new Dell Alienware 32GB memory laptop. Going to destroy current lab and start a new ONE.

      Will package and deploy once the lab is ready.

      Thanks

      • Eswar Koneti on June 17, 2014 7:34 AM

        Wow, 32 GIG, good luck.

    3. Ram on June 7, 2014 4:20 PM

      The question is regarding the above (remove remote control users from workstation - win7). I created an application called removerdp using the above script (vbscript). Deployed to Win 7 collections. The ConfigMgr Remote Control Users are still present. Testing the application in lab.

      Can you post a screenshot of how you created the application to remove ConfigMgr Remote Control Users using the above vbscript?

      • Eswar Koneti on June 10, 2014 10:32 AM

        OK, you need to make sure there are no client agent settings applied to these Win7 machines with remote control enabled, and you should also try to disable the remote desktop option in the remote tools options.
        Coming to the script, I would suggest you create a package instead of an application, as a package will be easy to create. If you are creating an application, you will have many things to provide, like detection methods etc.
        Create a package and deploy it.

    4. Ram on June 5, 2014 6:11 PM

      I tried to deploy for Win 7 collection after creating it as an application. Nothing is happening. Can you if possible post some screen shot of how to complete the application creation.
      Thanks

      • Eswar Koneti on June 6, 2014 2:07 PM

        What are you looking at? I did not get your question completely. Is your question related to the post subject line, or a different one?
