LogMeIn.com if it adheres to your security model. Or, to continue remote desktop, you could just remove the techs from the local admin group, and add them to the remote desktop group. They can use remote desktop, but with a restricted account. Remote desktop has its limitations for interaction with logged on users, so I don't like it for this role. It's good for administering servers, that's about it.
________________________________
From: Malcolm Reitz [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 11:44 AM
To: NT System Admin Issues
Subject: Support techs remote access rights to user PCs

We are having an internal discussion on how to handle computer access rights for our application support and desktop support techs. Right now, certain techs are in an AD group which is in the local Administrators group on some PCs. This lets them resolve end-user issues by accessing the user PCs with Remote Desktop, Remote Registry, or simple connections to a share. However, it also means they can get to anything on the users' PCs and there is no auditable access tracking.

So, we'd like to remove this access privilege and have the techs use other support methodologies, such as Remote Assistance, which requires the users to be aware of what's going on. There are cases, though, where the app support guys say they have to make batch updates to groups of PCs (such as to point them to a new license server) and they're balking at giving up their local admin rights.

I've already thought of some ways to handle these issues, but I'd like to hear what some of you have done. We're running XP SP2/SP3 desktops on 2008 AD domains. The PCs are managed with SCCM 2007 SP1.

Thanks,
-Malcolm
