Remotely access control panel

holly_johnson

Hi,

Is there any way that I can open a users control panel without remotely accessing their pc?
I am trying to uninstall unauthorised software, and don't want the hassle of explaining to them what I'm doing if I remotley control the pc.
I have tried mapping to their C:\windows\system32\control.exe, but it opens my control panel. I have all the usual remote control software, but none allow me to open this.
I cannot add an mmc snap in either.
I could do it through sms, but that involves having the uninstall files for all of the applications (hundreds). Also, Windows Remote Desktop logs off the user if I try to use that!

Any ideas?

Capt'n Midnight

Even if you could chances are that the uninstall would fail because their session would have files open.

Different apps uninstall in different ways - some have an uninstall utility that you could run remotely. If it can be run from the DOS prompt then you could use PSEXEC or other tools.

XP PRO ?

If they are members of the local admin group then you are just wasting your time as they will be back again pretty soon..

seamus

At best I guess, you could set up a logon script which ran the known uninstall programs for certain softwares, every time the user logged on. Easy enough to bypass though I'd say.

holly_johnson

Yes they have XP Pro SP1 running on a Win2K3 domain.
Yes they are members of the local admin group in order for Lotus Notes to
run.
Dunno about the login script; there's so much stuff (screensavers, games etc) that I think it would be a huge task, and programming is definitely NOT my forté!
TBH, I'm surprised that there is so much stuff, I have pretty stringent rules on the proxy and Websense boxes, I dunno how it gets through! It has certainly opened my eyes to locking down harder!

I know I am probably wasting my time, but has to be done. Looks like my only alternative is to mail them and get into the argy bargy of why have they got the stuff etc.

Capt'n Midnight

suggest you try to find out what rights they really need for notes - far too many apps need "admin rights" when in reality they just need access to part of the reg or a few folders

ps. if anyone has a list of minimum rights autocad needs for XP I'd like to know.

Zaph0d

So long as you have admin rights on the user's machine, just install VNC on his machine remotely, then take control and have your way with it.

First, install vnc server on your own machine and set a password, then copy the installed files and the registry entry to the remote machine, then start the vnc server service on the remote machine. Wait until the user is at lunch.

de8o

I agree fully with Capt'n Midnight, most people use the option of giving admin to everybody. This is a huge security hole, and will in the end cause far more support issues, as users install unwanted apps and delete system files.

As our rollout to active directory, we have used this as an opportunity to strip back permissions. We have nearly 100 apps, and have managed to get them all working without admin rights (including Lotus Notes). If you put in the time it is worth it. Use filemon and regmon from sysinternals to locate problems.

If you need further assistance you can pm me.

holly_johnson

Zaph0d wrote:

So long as you have admin rights on the user's machine, just install VNC on his machine remotely, then take control and have your way with it.

First, install vnc server on your own machine and set a password, then copy the installed files and the registry entry to the remote machine, then start the vnc server service on the remote machine. Wait until the user is at lunch.

I have Dameware remote control, I just didn't want the user to know I was taking over the machine to avoid the whining and moaning about removing the software.

holly_johnson

de8o wrote:

I agree fully with Capt'n Midnight, most people use the option of giving admin to everybody. This is a huge security hole, and will in the end cause far more support issues, as users install unwanted apps and delete system files.

As our rollout to active directory, we have used this as an opportunity to strip back permissions. We have nearly 100 apps, and have managed to get them all working without admin rights (including Lotus Notes). If you put in the time it is worth it. Use filemon and regmon from sysinternals to locate problems.

If you need further assistance you can pm me.

I fully agree with you and Capt'n Midnight about the Lotus Notes, it is a legacy application only used for databases that really shouldn't need admin rights. I would be interested to know how you sorted it out - I must admit I haven't really spent any time on it.

seamus

holly_johnson wrote:

Dunno about the login script; there's so much stuff (screensavers, games etc) that I think it would be a huge task, and programming is definitely NOT my forté!

There's plenty of stuff that can be locked down with Group Policy. In our place, most of our users are local admin on their own machines, mainly because a huge number of support calls we get deal with "I can't install this app/printer/memory stick because I haven't got rights and I'm not in the office". The default machine image still restricts their access to certain core files, and then the domain Group Policy sets machine policy and locks down things like the screensaver (actually the logon script resets the screen saver at each logon), Internet Settings, etc etc. Ultimately any of the users could get around these things, being admin on the machine, but IMO, if they can, then they know enough not to screw up their machine.

TBH, I'm surprised that there is so much stuff, I have pretty stringent rules on the proxy and Websense boxes, I dunno how it gets through! It has certainly opened my eyes to locking down harder!

Email. The amount of screensavers, novelty pointers (God they irritate me so much) and other crap that comes through email is staggering. Is your email system set up to filter out executables and screensavers?

holly_johnson

I have group policy setting Internet Explorer Settings and access to the C drive and desktop etc.
I do filter executables, screensavers images etc from mails.
Those smileys and mouse pointers do my head in too... just took one user to download them and that was it! The same with Hotbar.. that was a nightmare trying to remove that!

I know I obviously have a hole somewhere that needs closing, I will just have to plough through it until I find it. In the meantime I am still stuck with the awful job of listening to crap from users about removing the stuff because I can't find a way to do it silently. If I was to go the sms route, I'd be here till kingdom come!

seamus

Yeah, Hotbar is a pain in the ass.

Something I've been meaning to talk to our domain admin team here about is getting an anti-spyware package installed via group policy. It's still a huge support call generator, and we've found ourselves installing 3 or 4 tools to get the machines cleaned. I'm not sure how people feel about MS AntiSpyware (being a beta), but anyone I've installed it for here has had little or no spyware problems since. The real-time protection is the key I think, as users aren't going to run their own spyware scans every week or so.

holly_johnson

I agree. I have installed MS Anti Spyware on quite a few machines here (the worst offenders) and it has proved very effective. However, I would be reluctant to roll it out until it goes out of beta.