Switch users under Remote Desktop

Thread starter: Don

I have to remotely administer a couple of computers (Vista Business) that run
standalone; we are not part of any kind of network/domain. I've got the
hidden Administrator account active and passworded on all machines, but the
individual users of these machines run in Standard User mode. When I try to
do a remote desktop with them, and then have to adjust something that requires
administrative privileges, I cannot enter the password. Any suggestions
(with a little detail if possible, thanks) would be greatly appreciated.
Thanks.
 
Hi, Don.

Is there a really compelling reason to use the built-in admin account on
these Vista systems? I believe that MS strongly recommends activating and
using that account ONLY for purposes of repairing the OS.

I know this isn't a direct answer to your query, but I'd suggest creating a
regular password-protected admin account on each of those systems, logging on
to the system under the new account, and using gpedit.msc (drill down to
security policies) to disable that built-in account.

I'm pretty sure you'll find that negotiating the privilege escalation
process will be possible using that account. There are a lot of default
features concerning that built-in admin account that don't match up with the
way other accounts are used.

BTW, I'm curious: since that account is by default normally left without a
password on it, are you able to log on to those systems remotely using that
account?
 
Thanks for the reply, but my main problem is that my users are logged in
under a Standard account. When I access their desktop remotely using a
TightVNC-based product, I cannot enter the administrative password, whether
it be for the Administrator account or any other account with administrative
privileges. So I can't go any further to help them without telling them the
administrative password... and that's the problem.

I guess I can hide the Administrator account as you suggest and use the
other account with administrative privileges, but this is a side issue. I'm
really just having trouble remote controlling another user's PC when it
involves elevating my privileges to do certain tasks, like changing network
settings.

Any thoughts?
 
Oh, okay. I didn't understand that you were using VNC. That does present a
problem. Is there any way you could use RDC? I'm wondering if it is the use
of VNC as your means of remote access that could be causing the issue. Of
course, if you're using RDC, the users won't be seeing anything at all of the
desktop, which can be good or bad -- depending on whether or not you need
them to see what's going on.
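A way to settle the VNC question from the post above without a second remote-control tool: on Vista a UAC elevation prompt is drawn on the secure desktop, which a VNC server started as an ordinary program inside the user's session cannot capture, while a server installed as a Windows service can. The following read-only PowerShell script is an added example, not code from any poster; it reads the UAC policy values on the administered PC and reports how (or whether) a VNC server is running. The service and process names (tvnserver, uvnc_service, winvnc) are assumptions for TightVNC and UltraVNC; adjust them to the product actually installed.

```powershell
# Added example (not from the thread): check whether a UAC elevation prompt
# on this Vista machine can be seen through the installed VNC server.
# Read-only; run as the logged-on user. Service/process names are assumptions.

function Test-ElevationVisibleOverVnc {
    param(
        # Assumed service names: tvnserver (TightVNC 2.x), uvnc_service (UltraVNC).
        [string[]]$VncServiceNames = @('tvnserver', 'uvnc_service'),
        # Assumed per-user server executables for the same products.
        [string[]]$VncProcessNames = @('tvnserver', 'winvnc')
    )

    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $pol

    # Vista draws elevation prompts on the secure desktop unless this is 0;
    # a VNC server running inside the user's session cannot capture that desktop.
    $secureDesktop = ($uac.PromptOnSecureDesktop -ne 0)

    # With UAC off, or ConsentPromptBehaviorUser = 0, a standard user is refused
    # elevation without any prompt, so no remote tool will ever show a password box.
    $userCanBePrompted = ($uac.EnableLUA -eq 1) -and ($uac.ConsentPromptBehaviorUser -ne 0)

    # A running service-mode server sits outside the user session and can
    # switch to the secure desktop; a per-user process cannot.
    $svc  = Get-Service | Where-Object { $VncServiceNames -contains $_.Name -and $_.Status -eq 'Running' }
    $proc = Get-Process | Where-Object { $VncProcessNames -contains $_.ProcessName }

    $visible = $userCanBePrompted -and ([bool]$svc -or ((-not $secureDesktop) -and [bool]$proc))

    $reason = if (-not $userCanBePrompted) { 'UAC off or ConsentPromptBehaviorUser=0: no in-session elevation for standard users' }
              elseif (-not $svc -and -not $proc) { 'no VNC server found' }
              elseif ($secureDesktop -and -not $svc) { 'prompts go to the secure desktop and VNC runs only in the user session' }
              else { 'a service-mode VNC server is running, or the secure desktop is off' }

    New-Object PSObject -Property @{
        UacEnabled            = ($uac.EnableLUA -eq 1)
        PromptOnSecureDesktop = $secureDesktop
        VncService            = if ($svc) { $svc.Name } else { $null }
        VncUserProcess        = if ($proc) { $proc.ProcessName } else { $null }
        ElevationVisible      = $visible
        Reason                = $reason
    }
}

Test-ElevationVisibleOverVnc | Format-List
```

If the script reports ElevationVisible = False with the secure-desktop reason, reinstalling the VNC server as a service (or switching to RDP, where the prompt appears inside the session) is the fix; turning PromptOnSecureDesktop off would also make the prompt visible, but it weakens UAC for every user of the machine and is not the recommended route.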
 
Thanks for the explanation, I think I may prefer to use RDC in certain
instances. I think my problem now is that I have tried RDC, but cannot get
it to work since all of us are in separate locations behind NAT routers.
I've also got Hamachi running on everyone's machine. I'll look up some
additional info on RDC and how to get it to work properly. If you have any
info websites you could point me to, I'd appreciate it. Thanks for all of
your input.
 
I don't know if my post serves as an explanation so much as musing.

You know what I'd suggest? If it's possible for you, before going through
all the trouble of setting up port-forwarding on your NAT routers for RDC,
try RDC (or have someone else try it) AND VNC locally within each of the
remote locations. If you see a difference in their ability to allow the
privilege escalation process to go through, you have at least proved whether
or not it makes sense to proceed with RDC.

You might also try UltraVNC as an alternative to TightVNC, if that's
feasible. I have had better luck with UltraVNC, though I've had precious
little experience with any VNC. UltraVNC has an encryption plugin available,
which should reduce any concerns about some aspects of security.
 
I agree strongly with everything Luc has said.

I wasn't thinking about Remote Assistance because I was reacting to Don's
expressed concern about users seeing what he was doing and (potentially)
having to be prompted and given an admin password. But that was just my admin
paranoia creeping in there. I realize that having the end user's
participation can be useful in a remote session -- just never in the
particular case of the system I admin currently.

Luc is especially correct in saying that a VPN solution is going to be safer
than simply forwarding ports. But I think you should test RDP from a local
point first to find out for certain whether or not there is something besides
an issue with VNC causing the privilege elevation issue. If there is such a
problem, it must be dealt with promptly.

Luc said:
Thanks for the explanation, I think I may prefer to use RDC in certain
instances. I think my problem now is that I have tried RDC, but cannot get
it to work since all of us are in separate locations behind NAT routers.
I've also got Hamachi running on everyone's machine. I'll look up some
additional info on RDC and how to get it to work properly. If you have any
info websites you could point me to, I'd appreciate it. Thanks for all of
your input.

I've been a VNC addict too, way back in NT4. I started building it down
when W2K server came with a remote administration mode, because RDP is way
more efficient with bandwidth. Today I only keep it around for some old
Win2000 Pro machines I still have to administer.


You can use RDC through NAT routers if you open port 3389 on the router and
forward it to the proper machine [but: see first remark below].

I've RDPed to multiple machines after the same router as well (an internal
NAT router in the company LAN, not on the internet - there's that remark
again ;)
You can route a port to only one machine, but you can route different ports
to different machines - and 3389 is the default for RDP, but you can make
machines connect on other ports.

Sorry if this sounds a bit vague, but the exact details depend on the
brand/model of router you use.


Some remarks:

1) I would strongly recommend against opening the RDP port (and VNC just as
well) "naked" on the internet, go for a VPN solution and connect through a
tunnel.

2) It isn't necessarily so with RDC that the other user can't see what
happens on the screen. There's remote assistance mode (which also uses the
RDP protocol, just like RDC), where you both see the screen and can use
keyboard and mouse at the same time.
The main difference between remote desktop and remote assistance mode is
that the session is started from the other side, you can't start
"assisting" uninvitedly.

3) Remote assistance mode contains a built-in mechanism to get through NAT
routers, see http://en.wikipedia.org/wiki/Teredo_tunneling .

Disclaimer: I haven't tried it yet (Teredo never, and remote assistance
just once in XP).
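Luc's remarks above come down to three settings on the administered PC: enable Remote Desktop, move the listener off the default port if several machines sit behind one router, and never expose that port to the Internet, only to the VPN tunnel. As an added example, not code from any poster, here is that configuration in PowerShell, run from an elevated prompt on the target machine. The new port 3390 and the Hamachi subnet 5.0.0.0/8 are placeholders; substitute a free port and the address range your Hamachi network actually uses. Requiring Network Level Authentication is an extra step not in the thread: it stops an unauthenticated client from ever reaching the logon screen.

```powershell
# Added example: relocate and harden the Remote Desktop listener on the
# administered PC so it answers only over the VPN tunnel.
# Run from an elevated PowerShell prompt on the target machine.
# Assumptions (not from the thread): new port 3390, VPN subnet 5.0.0.0/8.

$NewPort   = 3390          # placeholder: any free TCP port
$VpnSubnet = '5.0.0.0/8'   # placeholder: the Hamachi range in use

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Allow inbound Remote Desktop connections (0 = allowed).
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Require Network Level Authentication and the TLS security layer, so the
#    client must authenticate before a session (and logon screen) is created.
Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $tcp -Name SecurityLayer      -Value 2 -Type DWord

# 3. Move the listener off the well-known port 3389. Each machine behind the
#    same router gets its own port so the router can forward them separately.
Set-ItemProperty -Path $tcp -Name PortNumber -Value $NewPort -Type DWord

# 4. Firewall: disable the built-in "Remote Desktop" rules (port 3389, any
#    source) and add one inbound rule scoped to the VPN subnet only, so the
#    listener is never reachable "naked" from the Internet.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No
netsh advfirewall firewall add rule name="RDP over VPN ($NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort `
    remoteip=$VpnSubnet profile=any

# 5. Restart the Terminal Services service so the new port takes effect,
#    then confirm what is actually listening.
Restart-Service TermService -Force
netstat -ano | Select-String ":$NewPort\s"

# On the helper's side, connect through the tunnel to the new port:
#   mstsc /v:<hamachi-address-of-target>:$NewPort
```

Because the firewall rule is bound to the VPN address range rather than to an interface, it keeps working if the Hamachi adapter is later classified under a different network profile; if you do forward ports on the NAT router instead of tunnelling, the same rule is what stops the forwarded port from being reachable by anyone who scans the router's public address.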
 
Thanks LeftFoot and Luc, both of you have given me lots to think about.
There are indeed times when I don't care to have the other person know or see
what I'm doing, but in other cases, I need to show them something for
training purposes. So I'm looking into trying to use Hamachi as a VPN and
run RDC through it.

Thanks again for the lively discussion.

 
Good luck, Don. I know that you'll be busy for awhile.

;)

 