About the ConfigMgr Remote Control Users Group

This group is used by Microsoft System Center Configuration Manager 2007 remote tools to store the permitted viewers configured in the permitted viewers list. This group is created only for computers running Windows XP, Windows Server 2003, and Windows Vista, not for Windows 2000 clients.

Required Rights and Permissions

This group must have the following DCOM permissions on the Remote Tools Agent component:

Local Launch
Local Activation
Local Access

This group must have the following DCOM permissions on the Remote Tools Launcher component:

Local Launch
Local Activation
Local Access

This group must have the following DCOM permissions on the Remote Tools Server component:

Remote Launch
Remote Activation
Local Access
Remote Access on Remote Tools Server

This group also requires Remote Launch and Remote Activation on the Configuration Manager 2007 client computer.

Important
By default, Remote Activation is granted only to the members of built-in Administrators group. Allowing the ConfigMgr Remote Control Users group Remote Activation permission would allow any member of that group to attempt DCOM attacks against the client computer, and increases attack surface of the computer. You can mitigate this threat by carefully monitoring who is a member of the ConfigMgr Remote Control Users group. For more information regarding risk associated with allowing remote activation, see http://go.microsoft.com/fwlink/?LinkId=86101.

Important

By default, Remote Activation is granted only to the members of built-in Administrators group. Allowing the ConfigMgr Remote Control Users group Remote Activation permission would allow any member of that group to attempt DCOM attacks against the client computer, and increases attack surface of the computer. You can mitigate this threat by carefully monitoring who is a member of the ConfigMgr Remote Control Users group. For more information regarding risk associated with allowing remote activation, see http://go.microsoft.com/fwlink/?LinkId=86101.

It will also be given rights to control the computer via Remote Desktop if Configuration Manager 2007 is configured to manage the Remote Desktop settings on the Remote Tools Client Agent settings on the Remote Desktop tab.

Group Location

This group is created on the supported Configuration Manager 2007 client computers when the client receives a policy enabling remote tools.

Important
If remote tools is disabled at a later time, this group is not removed. If you disable remote tools, you should always manually delete the ConfigMgr Remote Control Users group.

Type of Group

This group is a local group. If the client is a domain controller, this group is a domain local group that is shared among all domain controllers in the domain.

Membership

By default, there are no members in this group. As you add users to the Permitted Viewers list, they are automatically added to this group. You should always add users to the Permitted Viewers list instead of adding them directly to this group.