making a user for remote desktop on w2000 server

[mark]

I need to grant remote access to our sims support guy and also need to deny him access to staff files also on that server. He recons only admins can remote desktop omto a w2000 server - anyone know different?

[ChrisH]

Try giving him log on locally permission then try it.

[Ric_]

Only admins can login unless you have a terminal services license server (or are using your 90-day trial that comes with Windows).

I would say, give him limited access and make him use VNC.

[Geoff]

If you use UltraVNC you can control VNC access with Windows ACLs rather than just a password. Makes it easier to give out access to indiviual computers/groups of people.

[mark]

Thanks for that guys. Sheeshk - hectic morning!

Yeah - he doesn't like vnc. Though i've got to do something because we're contravening data protection as it stands.

Don't you get 5 terminal services licences free with a server??

[tarquel]

Couldnt a additional admin group be made with restrictions on it which then of course would be easy to prevent access to certain areas on the server?

Any ideas on how that could be achived?

After all mark - you might get john appear and i would be happier with both of them on the restricted admin group

Regards
N.

[mac_shinobi]

dameware have great utils

www.dameware.com

Hopefully that helps

I think it is the mini remote you are after

[mac_shinobi]

http://www.dameware.co.uk/ is the uk website obviously , not sure if there is much difference ??

[GrumbleDook]

Our SIMS support team (county) use GoToAssist, but only when I am there watching what they are doing. I have also previously hooked up the VGA output to a video recorder to watch what they were doing ... partly because I wanted to follow what insane thing they were having to do to get some bizarre problem fixed.

I told them first and they were happy ....

[Ric_]

You don't get any TS CALs with server - except for administrative access. You can however use the 'trial-licenses' which last for 90 days.

What sort of person doesn't like VNC anyway? You are effectively looking at the computer's screen! Is this guy meant to be technical? Even our phone engineers can use VNC to tap into our voicemail server by dialing in through the Avaya comms system!

I would have to say that you should tell the man to use VNC - don't give an alternative.

[tarquel]

Not sure mark's view here, but me personally, I wouldnt want him to use VNC (as I am and I dont want him to use the password i have - got enough passwords to remember without having seperate vnc passwords as well lo).

Remote Desktop is fine and works well for him.

Either way, he has to log on as a administrator and this is our problem in that he can see any file on the system - including the home directories of the admin staff - which in theory is a no no (security wise - not that i dont trust him, its just he shouldnt be able to).

Should we make the home directories permissions differennt then in this case that we remove the administrators group from the root of the homedir share (or however ppl have it setup) and only have "Administrator" & "System" with Full Control, and set the indiviual username (with Full Control) on each users folder i.e.

-+ HomeDirs ("Administrator", "SYSTEM", "Creator Owner" - Full Control)
|
+- Administrator (no additional changes)
+- Nigel ("Nigel" - Full Control)
+- AOther ("AOther" - Full Control)

etc.

Would this be a good work around? (excuse the crudeness of things - I'm a little tired lol)

Regards
N.

[mark]

But if he was an admin he could take control back of those directories.

It's not just security - it's legal - you could get your ass sued for not complying with data protection laws. I think it's very serious anyhow.

[tarquel]

But if he was an admin he could take control back of those directories.

Damn right - forgot bout that lol

I think it's very serious anyhow.

Agreed

N.

[mac_shinobi]

So dameware isnt an option then , cos no one said anything about that yet ?? hhhmmmm

[kingswood]

Gecko: No.

Question: We actually allow a remote connection from SIMS too when they are repairing yet another glitch in the system. Which is about every week. So far, it's been twice this week.

Basically the school (I think) has always given the remote engineer admin rights. Now I hadn't thought of the connotations of that legally, but I will look into it.

Perhaps VNC would be a better...

Paul