Local security w2k question

[tdezarn]

You can also set security policy by using the secpol.msc snapin.

I didn't know that about the remote desktop. quite cool

[SawPer]

Did you guys try the /console option for mstsc!? Are you connecting to a Win2000/Win2003 TS?
That sure isn't working for me at least, I just get connected like a regular RDP connection, not taking over the actual console session...

Would be really cool if it worked though...!

[SawPer]

Maaaan... I have now tried all combinations I can think of, without success.
From WinXP/Win2003 to Win2000/Win2003...
Was never able to connect to the console session...

Must be doing something wrong I guess... or some kind of policy is preventing me to connect to the console and automatically shots me over to a regular RDP session.. strange... !

Guess I will try the MS Forums... will let you know if I figure it out...

[DerekK]

Good point "mstsc /console"!!

Thx!

[SawPer]

Sorry, I think I confused myself!! :]

The only sadness is it only works on Win2003 not on Win2000...

Anyway, what confused me was when looking in TSADMIN, it still shows the remote console session as a RDP session, and the local console session is still "usused", but when looking closer the RDP session took over ID 0, which always is the console..
I guess TSADMIN is also getting some what confused over the whole thing.. hehe!

Started Windows Update locally, connected remotely with two admin connections, then tried a third to simulate you being locked out, then tried the /console option and voila! Took over the local console with Windows Update running in the background, awesome!

Very cool, thanks a lot zencoder!!

[zencoder]

Originally posted here by SawPer
Sorry, I think I confused myself!! :]

The only sadness is it only works on Win2003 not on Win2000...

Anyway, what confused me was when looking in TSADMIN, it still shows the remote console session as a RDP session, and the local console session is still "usused", but when looking closer the RDP session took over ID 0, which always is the console..
I guess TSADMIN is also getting some what confused over the whole thing.. hehe!

Started Windows Update locally, connected remotely with two admin connections, then tried a third to simulate you being locked out, then tried the /console option and voila! Took over the local console with Windows Update running in the background, awesome!

Very cool, thanks a lot zencoder!!

I don't think it is actually getting confused, and I don't believe the intent was ever to do a 'shared desktop' (like PCAnywhere). Microsoft already has a tool to do this in Remote Assistance (which is pretty much the same code base as Remote Desktop/Terminal Server). The point of /console is more of a policy issue. IIRC, the default setting for Remote Desktop/TS connections is 2 remote connections max. This can be changed, but I've seen it do some flaky things when too many users are connecting remotely with a full desktop. The /console option let's a Remote administrator connect even when the max. connections has been reached, by giving him the reserved session for the local console.

You folks having trouble will have to read up on the mstsc /? info for how to use it, I don't recall the details, but I consult it myself everytime I need to use this. I don't use anything older than XP/2003 nowadays, simply due to the environment I work in, so I haven't tried it in any other combinations. But it sure beats resorting to a tool like Dameware or VNC, if you need to do something on the fly!

[DerekK]

BTW, some of you guys, know how copy local policy from a PC to another one?

Thank you.

[SawPer]

That's what Active Directory is for.. do you have your computers in a Domain environment?
You can set all the policies through Active Directory Users and Computers, and have them apply to whole OU's.

If not, I'm not sure if it can be done. In NT4 with POLEDIT you were able to export and import those settings from one workstation to another, but doesn't seem as easy here.
I think all the files keeping this configruation are using extension *.adm .
Might be able to copy those to another machine? Haven't ever tried it though.. somebody else might know??

[DerekK]

Yes, I already have a domain and GPO at OU level working. I was wondering it could be usefull with thw users who have laptops. Now I've to configure de local policy by hand in each!!

Thank you!

[zencoder]

Originally posted here by DerekK
Yes, I already have a domain and GPO at OU level working. I was wondering it could be usefull with thw users who have laptops. Now I've to configure de local policy by hand in each!!

Thank you!

Why?!? Are they in a different OU? Are they not members of the domain at all? We have all systems (except some select servers) in the Domain(s) here at my clients site. There are many groups (OU, but I like the word group for some reason) for different purposes. We have a 'relaxed GPO' group, where only the most important restrictions are placed on the system/user, but most of the rest are lifted (such as ability to install software, stop services, etc.) "Relaxe GPO" is for the power users in IT, for example. We have a mobile users group, so they can have a few of the extra options that users may need when not connected to the network.