Configmgr 2012 Remote control How to get Rid of Local security group ConfigMgr Remote Control Users

Configmgr 2012 allow admins to Configure Custom Client Settings at collection level to control the behavior and functionality of the Configmgr 2012 clients.

You can create as many number of Custom Client Device/User settings (9999) ,which you can apply onto collections(Device/User).

What happens if client is member of multiple collections that have client settings ? All the Custom Client settings that you create are chosen with the priority. Higher the priority(1) will take over the settings with lower priority(10000).

If you are going to have multiple client agent settings,focus attention else you will see undesired results.

By Default,Configmgr will Configure default client settings at Hierarchy Level with priority 10000 (low) which is applied to every User and Device.To know more about Client Settings refer TechNet

Now,lets jump into the subject line. After the Configmgr 2012 Installation ,Default Client settings is configured with necessary changes,in this case,Remote tools is configured ‘Permitted viewers of remote control and remote assistance’ with AD security groups allowing users, who are member of this AD security group can do Remote control from Configmgr.

Note: Remote control always takes control of the console session. It cannot and does not control other remote sessions.


These settings(remote Control) will be then applied to every Client (both workstations and servers) in next policy interval. what happens when this is applied ?

It will create Local security group called ‘ConfigMgr Remote Control Users’ by providing necessary DCOM permissions to this group.You can verify the remote control properties via wmi or registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control)


also,if you have selected the option ‘Manage Remote Desktop settings’ to Yes in the Remote tools,then ‘ConfigMgr Remote Control Users’ group will be added automatically to below accounts.

1)  Start > Administrative Tools > Local Security Policy > User Rights Assignment > Allow log on through Remote Desktop Services


2) Remote Desktop settings: “ConfigMgr Remote Control Users” group added with Full Control (See screenshot below),How do i check RDP-tcp IP properties,follow guide here


till now,we have seen the behavior of sccm client with respect to remote tools settings .

Issue: Server team raised concern that ,above changes(1 &2 ) should not be reflected on the server (for workstation,it should be fine) ,this happened because i do not have separate client device settings for workstations and servers.Default client settings with remote tools enabled and is applied at hierarchy level for both workstations and servers.

How do i correct the issue of 1 & 2 on the existing servers and should not occur on new servers going forward as explained above screenshots ?

Create a Custom Client device settings for Remote Tools  and other settings if you are interested to manage via settings.Go to Remote tools and set All Yes/Enabled options to No/Disabled including ‘Manage Remote Desktop settings’ to ‘No

Note: its always recommended to not touch the default client settings and create custom client device settings for workstations and servers.

Deploy this setting to server based collection ,wait for the machine policy to load or trigger the action on one of the server from the collection and see the changes.

You should not see ConfigMgr Remote Control Users’ from rdp-tcp properties also from Allow log on through Remote Desktop Services.

What about the Local Security group which was created in the past ?

TechNet article says ,After you disable remote tools for a client, this group is not automatically removed and must be manually deleted this from each client computer.

So we have to delete this group on all the existing servers.To do this,I created simple vbscript checks the group and deletes if exist.

strComputer = "."
Set objComputer = GetObject("WinNT://" & strComputer & "")
For Each objgroup In objComputer
If (objgroup.Name) = "ConfigMgr Remote Control Users" Then
objComputer.Delete "group", "ConfigMgr Remote Control Users"
End If

Create a package using this script and deploy to collection.This will remove the local group  on all the existing servers and do nothing if the group doesn't exit.

Thanks to windows-noob (Niall Brady) for helping out on this .

8 Responses to "Configmgr 2012 Remote control How to get Rid of Local security group ConfigMgr Remote Control Users"

  1. Hello Eswar.

    Thank you for the excellent Post!

    For some reason some devices in our domain are not retrieving the users that belong to the remote access group and as a consequence we cannot start a remote access.
    If we do a repair to the SCCM client the users are automatically added to the group so I would like to get a list of the “non-compliant” devices and then do a remote repair of the SCCM client.
    Is there a way to create a Collection with a WMI query to achieve this? Or some similar examples that I can check. A configuration baseline could also work. I created one with a powershell script but for some reason it is not working.

    $LocAdmGroupMembers = (Get-WmiObject -Query "ASSOCIATORS OF `
    {Win32_Group.Domain='$($env:COMPUTERNAME)',Name='ConfigMgr Remote Control Users'} `
    WHERE ResultClass = Win32_UserAccount").Caption
    $LocAdmGroupMembers += (Get-WmiObject -Query "ASSOCIATORS OF `
    {Win32_Group.Domain='$($env:COMPUTERNAME)',Name='ConfigMgr Remote Control Users'} `
    WHERE ResultClass = Win32_Group").Caption

    if ($LocAdmGroupMembers) {$Compliance = 1}
    else {$Compliance = 0 }
    Return $Compliance

    Thanks in advance for your help!


  2. Will try during this weekend. Got a new Dell Alienware 32GB memory laptop. Going to destroy current lab and start a new ONE.

    Will package and deploy once the lab is ready.


  3. The question is regarding the above (remove remote control users from workstation - win7). I created a application called removerdp using above script (vbscript). Deployed to Win 7 collections. The ConfigMgr Remote Control Users are still present. Testing the application in lab.

    Can you post a screen shot of how you created the application to remove ConfigMgr Remote Control Users using above vbscript.

    1. ok,you need to make sure,there are no client agent settings applied to these win7 machines with remote control enabled and also you should try to disable the remote desktop option on remote tool options.
      coming to script,i would suggest you to create package instead of application as package will be easy to create.if you are creating for application,you will have many things to provide like detection methods etc.
      Create a package and deploy it.

  4. I tried to deploy for Win 7 collection after creating it as an application. Nothing is happening. Can you if possible post some screen shot of how to complete the application creation.

    1. what are you looking at ? i did not get your question completely .is your question related to the post subject line ? or different one ?


Leave a Reply