5 Replies Latest reply: Dec 9, 2011 7:21 AM by zman RSS

    LANDesk Remote permissions

    tlman12 Rookie

      Is there a way in LANDesk (I didn't see it if there was) to say that certain users require approval from the user to dial into an endsystem and certain users don't?

       

      the closest thing i can find is chaning the remote permissions to Windows NT Secuirty/ Localtemplate and then specifying the users that would have view only. this dosn't exactly stop them from dialing into a computer without user consient and it seems like it would be come an admin nitemare

       

      Thank you

        • 1. Re: LANDesk Remote permissions
          Specialist

          Unfortunately that permission is configured in the LANDesk agent and on per machine.  So to get what you want, you will need to create two separate agent one with the "end user must grant permission for remote control session" box checked and one don't.  And deploy the two agents to the target machine.  Then assign  the scope with the prompt for permission to the user that need the approval and vice versa.

          • 2. Re: LANDesk Remote permissions
            MarXtar SSMMVPGroup

            Agree that there isn't really a way to do this. The permission required is often a legal requirement and not linked to an individual as such which is why it is on, off, or permission required if user logged in.

             

            Only those that can modify agent settings are able to change this and that would require new agent settings to be deployed.

             

            I'd suggest you check into this properly. Is this something you want to do or is a manager requesting it? There may be an HR policy that forbids this or even a legal requirement depending on which country you are in. What you are looking to do basically allows some people to spy on employees while others are not allowed. Technically it can't easily be done, but always worth knowing if you should even allow it if you can create a workaround.

             

            Mark McGinn

            MarXtar Ltd

            http://landesk.marxtar.co.uk

            LANDesk Silver ESP

             

            The One-Stop Shop for LANDesk Enhancements

            - Wake-On-WAN - Distributed Wake-On-LAN, Scheduled Power Down, and SWDist Sequencing

            • 3. Re: LANDesk Remote permissions
              zman Master

              As Billy and Mark have indicated this is not the design. The issue is that the setting for this is in the registry and in the HKLM (machine part).  If there was a sister setting in HKU then it would be easy to manipulate through a custom AD GPO, etc... So I would go with the highest level of security for everyone (permission required).  To be honest this is not such a bad thing since it helps the acceptance level of RC from the user. Gives them a sense of big brother not snooping on them. There is also a setting to only require permission when somebody is logged on.

              • 4. Re: LANDesk Remote permissions
                tlman12 Rookie

                Hey, thank you for the replys.

                 

                this is something being requested by my manager. the situation is we have 4 technicions that are constantly in and out of computers and to have it be approved by the user everytime is going to really put damper on it. a lot of the time an user requests work to be done thorugh an e-mail and supplies us with the IP address and when we get to it we will dial in. most of us are in 2-4 comupters at once and are on the phone as well. (under staffed) but to have to call every user and make sure their their to accept our dial in request would be a pain. (they all know and expect "big brother" is watching them)

                 

                on the other side we have a programming staff of about 6 that occasionally remote into a computer, with the user ont the phone) to attempt to troubleshoot an issue with their application, but my manager dosn't want them to have the ability to just jump inot any computer on a whim.

                 

                so both departments need access to all computers but only one would be feasable to have the restriction.

                 

                I personally don't think that this is going to make any difference but its one of those things like the saying "Locks are only for honest people". I know and i ahve brought up the point that there are free programs out there that allow you to remote into any computer and they don't even needd the agent installed to begin with (dameware being one)

                 

                if it's not a planned feature then i'm just going to take that to my manager and say that it can't be done.

                 

                thanks again for the your help.

                • 5. Re: LANDesk Remote permissions
                  zman Master

                  There is a way to turn off ask for permissions and restat the landesk remote control via a script. Run another script or custom vulnerability to turn it back on.