Thursday, August 27, 2009

Enabling Windows 7 Remote Management via Group Policy

I’ve been searching for a comprehensive article/blog-post/kb, etc on this for a while but have only been able to find pieces of the overall solution I was looking for.  The challenge?

Enable remote management capabilities on Windows 7 clients within an Active Directory domain environment using Group Policy.

Which capabilities?

  1. Be able to PING clients
  2. Be able to connect to clients via Remote Desktop
  3. Be able to connect to clients via Computer Management
  4. Be able to connect to clients through Event Viewer, RegEdit, etc.

You may notice that my “solution” doesnt’ involve a great deal of security options.  That’s because I’m pretty comfortable with the boundary security on my network environment, which will not be described herein.  Suffice it to say that I am only interested in being able to enable and use these capabilities.  If you need increased security, you can configure additional options via Group Policy settings to suit your needs.

Computer Configuration \ Policies \ Administrative Templates

Network \ Network Connections \ Windows Firewall \ Domain Profile

  • Allow ICMP Exceptions:
    • ENABLED - Allow inbound echo request
  • Allow Inbound remote administration:
    • ENABLED: Enter asterisk (*) in IPv4 address box
  • Allow inbound Remote Desktop:
    • ENABLED: Enter asterisk (*) in IPv4 address box

Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Connections:

  • Allow users to connect remotely using Remote Desktop services

Windows Components \ Windows Remote Management (WinRM) \ WinRM Service:

  • Allow automatic configuration of listeners
    • ENABLED: Enter asterisk (*) in IPv4 address box

If you need a nudge in the right direction for how to add these settings:

  1. Open Group Policy Management (aka “GPMC”)
  2. Expand Forest: <name> / Domains / <your-domain> / Group Policy Objects
  3. Right-click and select “New”
  4. Enter a name for the GPO (e.g. “Remote Management”) and click OK
  5. Right-click on the new GPO and select “Edit”
  6. Follow the guideline above to locate and enable the settings
  7. Right-click on the very top of the tree-view panel on the name of the GPO and select “Properties”
  8. Check the box “Disable User Configuration settings”
  9. Click “Yes” to accept the warning.
  10. Close the Group Policy Management Editor
  11. Right-click on the desired computer OU in the GPMC and select “Link an existing GPO” and select your new GPO.
  12. That’s it.

You can then either wait for the regular GPO refresh cycle to run (about 90 minutes on average, sometimes less) or go to a client and open a CMD console (remember to right-click and choose “Run as Administrator”) and at the command prompt, enter “GPUPDATE /FORCE” and press Enter.  You should be able to connect to that client from another client on your domain immediately after that.  If you still cannot, double-check your GPO settings and double-check where you linked the GPO (which OU) related to the computer account within AD.  You can (and should) use GPRESULT on the remote client to diagnose GPO issues.

Feedback is always welcome.  Enjoy!


Gordon MZ said...

Great article, but My SBS 2003 server only has the XP GPO templates. How do you install the Win 7 ones so that all the GPO policies you mention correlate?

skatterbrainz said...

Wow - I apologize for not seeing this comment until now. I really dropped the ball it seems. If you are still in search of an answer, try this link and let me know if it helps?