Recently we were looking for a way to save one of our departments some funds by discontinuing their use of TeamViewer to remotely access machines and do work that they need to complete. We use Microsoft’s System Center for imaging and deployment but it was not configured to allow anyone outside of the technology department to use the remote access tools in the System Center Configuration Manager (SCCM) Console.
We had an administrative group setup in SCCM that allowed our network engineer, technicians, and technology systems specialists to have full access to the console, but we had not setup other users to be able to use it for remote access for two reasons:
1. We needed to examine what roles were available to as to limit their ability in the console
2. We just were not sure how.
We began to dig in and study the roles made available in SCCM and found the Remote Tools Operator role. Upon research, we discovered that this was the exact role that we needed to assign for these users. We assigned these users the role and set off to install the console software on their desktops and show them how to use the tools available. This went off without a hitch while I was at their respective desks and walked them through the process, but that is where the simple things ended.
We discovered later that when they would attempt to remote control a machine that they had not previously logged into, they would be prompted with an error that they did not have the rights to use the remote control and have a login prompt asking for a user with the rights to login. I was stumped. This led me to dig in more.
I discovered that simply giving the user the role in SCCM DID NOT give them the ability to remote control machines in our domain that they had not logged into previously. To fix this, the client settings had to be altered under the remote tools properties. There is a setting for users who could remote control systems using the console. We created a group in our Active Directory (AD) called Remote-Tools-Operators, adding these two users into this group, then setup that group to be imported into SCCM. Once this group was imported and made into a collection via a query state (so as to update it self if we needed to add more users to it) we added it that remote operators client settings and waited while it replicated out across the domain, they were able to quickly and easily remote control most machines they needed to do their work.
This system has not proven to be perfect for us. We find from time to time there are machines that our Remote Tools Operators are unable to login to and they are still presented with a login prompt for credentials that have permission. Trying to force a machine to update its client settings does not always appear to fix the issue and we find it easier to tell SCCM to do a re-install of the client software. In most cases this fixes the issue, but occasionally it does not, and we must physically login to the machine and do a manual installation ourselves.