This group is used by Microsoft System Center Configuration Manager 2007 remote tools to store the permitted viewers configured in the permitted viewers list. This group is created only for computers running Windows XP, Windows Server 2003, and Windows Vista, not for Windows 2000 clients.
Required Rights and Permissions
This group must have the following DCOM permissions on the Remote Tools Agent component:
- Local Launch
- Local Activation
- Local Access
This group must have the following DCOM permissions on the Remote Tools Launcher component:
- Local Launch
- Local Activation
- Local Access
This group must have the following DCOM permissions on the Remote Tools Server component:
- Remote Launch
- Remote Activation
- Local Access
- Remote Access on Remote Tools Server
This group also requires Remote Launch and Remote Activation on the Configuration Manager 2007 client computer.
Important |
---|
By default, Remote Activation is granted only to the members of built-in Administrators group. Allowing the ConfigMgr Remote Control Users group Remote Activation permission would allow any member of that group to attempt DCOM attacks against the client computer, and increases attack surface of the computer. You can mitigate this threat by carefully monitoring who is a member of the ConfigMgr Remote Control Users group. For more information regarding risk associated with allowing remote activation, see http://go.microsoft.com/fwlink/?LinkId=86101. |
It will also be given rights to control the computer via Remote Desktop if Configuration Manager 2007 is configured to manage the Remote Desktop settings on the Remote Tools Client Agent settings on the Remote Desktop tab.
Group Location
This group is created on the supported Configuration Manager 2007 client computers when the client receives a policy enabling remote tools.
Important |
---|
If remote tools is disabled at a later time, this group is not removed. If you disable remote tools, you should always manually delete the ConfigMgr Remote Control Users group. |
Type of Group
This group is a local group. If the client is a domain controller, this group is a domain local group that is shared among all domain controllers in the domain.
Membership
By default, there are no members in this group. As you add users to the Permitted Viewers list, they are automatically added to this group. You should always add users to the Permitted Viewers list instead of adding them directly to this group.