Enable Privileges for CNE Domain Groups
When the Enable Privileges for CNE Domain Groups item is enabled, Spector CNE will use pre-configured Domain-Level Groups to determine who has access to specific items in the Control Center (Manage Computers, Configure Computers, and Monitor Computers).
Currently, when logged on to the CNE Control Center machine as a Domain Administrator, a user will have full control over all aspects of the CNE installation. However, there may be situations where it is desired that the Control Center’s user only have access to specific items. For instance, it may not be important or desirable for a Human Resources representative or manager to change management or configuration settings when all that is required is to review the Client recordings. The CNE Domain Groups allow this flexibility.
Creating the CNE Domain Groups
Open the Active Directory Users and Computers item on the Domain Controller
Create five (5) Security Groups with the following names:
Spector CNE Admins
Spector CNE Managers
Spector CNE Configurers
Spector CNE Monitors
PowerUsers
Note: Be careful to use the exact spelling and case specified above. Otherwise, Spector CNE will not properly detect the presence of these groups.
The Spector CNE Admins group will have all privileges (the same as Domain Admins). The other three (3) groups will have the privilege of using the specific view in the console. For example, the Spector CNE Monitors group can only use the Monitor Computers function in the Control Center.
A user can be in more than one of the groups listed. Therefore, she or he will have the appropriate permissions for each group. Please note that all of the views will remain visible in the console, but the menu items will be grayed out if the user does not have the privilege to work in the corresponding view. A user can be in the Spector CNE Admins group in the domain (and not in the other groups—they may not even exist) and as far as the console is concerned, the user will automatically be considered in the other three (3) groups.
Add the Spector CNE Admins, Spector CNE Managers, Spector CNE Configurers, and Spector CNE Monitors groups as members of the PowerUsers group. This group will be discussed shortly.
Add the domain users as members of the Spector CNE groups, as appropriate. Users who only need to have monitor privileges should be added to the Spector CNE Monitors group
Configuring the Client Workstations
In order for the Control Center to communicate with the desired computers monitored by Spector Client (Client), the user logged on to and using the Control Center computer must have Local Administrative Permissions on the monitored computers. This is not a problem when the user logged on is a Domain Administrator. However, if the logged on user is not a Domain Administrator, other options are available. For example, the same Human Resources Specialist referenced above probably would not be a Domain Administrator. However, in order for the Control Center to work properly on the desired computers, this HR employee would have to be a local Administrator on the remote computer. There are two ways of achieving this goal without physically visiting the computers.
Using the Active Directory Organizational Units and Group Policies
Through the Microsoft CUsrMgr Utility
Both methods have pros and cons. Each is discussed in depth below.
Active Directory Organizational Units and Group Policies
Open the Active Directory Users and Computers item on your Domain Controller
Create a new Organizational Unit. The name is not particularly important, but CNE Computers is recommended
Add the Windows 2000/XP computers you wish to have a Client monitor to this Organizational Unit
This method only works with the Windows 2000 and XP Pro operating systems. It will not work with Windows NT4 since NT4 does not support the Active Directory Group Policies.
Once you have added the appropriate computers, you need to create a Group Policy for this Organizational Unit
Right click on the Organizational Unit just created and select Properties
Click on the Group Policy tab and select New. Name the new Group Policy as you wish
Click on the Options button and select No Override. This will prevent other policies from disabling the settings required for the Client to work
Double click on your new policy to create the required settings. When the Group Policy opens, you will need to scroll to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup
Double click on Startup
Click on the Show Files… button. You will need to create a startup script at this point. The script can contain anything you wish, but it must also contain the following line: NET LOCALGROUP "Administrators" /ADD %DOMAINNAME%\PowerUsers
Replace %DOMAINNAME% with the name of your domain
Save the script (you can use a *.bat or *.cmd filename extension)
Add the script in the dialog box by clicking on the Add button
Close the various windows and your policy is complete
The reason that a startup script is used instead of a user logon script is because a logon script runs under the security context of the user who is logging on. If this user were not a local administrator, then the proper credentials would not exist to modify the local Administrators group. A startup script runs, however, using administrative credentials and can modify the local Administrators group as needed.
Microsoft Console User Manager Utility
The Microsoft Console User Manager Utility (CUsrMgr Utility) is packaged with the Windows 2000 Resource Kit. It allows for remote modifications by Domain Administrators to user and group accounts located on Client computers. There are many documents available on the Internet describing its features and use. Below, you will find an outline of the steps necessary to modify only those items necessary for the Client's functionality.
One of the advantages of using this tool is that it works with Windows XP, 2000, and NT4. If you are using a NT4 domain or simply still have NT4 computers on your current domain, this tool may be used.
Log on to a machine using a Domain Administrator account
Open a command prompt
Locate the CUsrMgr.exe file and type the following entry
cusrmgr -m \\%computername% -alg Administrators -u PowerUsers
This will add the PowerUsers group to the local Administrators group. Make sure to replace %computername% with the Client you wish to modify.
This utility will run from a batch file. If needed, it is possible to make mass changes across your network.
Windows 9x/ME Considerations
Unfortunately, there appears to be no way to add users or groups remotely to the Remote Administration list on Windows 9x/ME computers. Therefore, when initially setting up these computers to use a Client, it is advisable to add the PowerUsers group to the Remote Administration list.
Open the Windows 9x/ME Control Panel (Start Menu > Settings > Control Panel)
Double click on Passwords
Click on Remote Administration
Select Add and include the PowerUsers group
Click on the OK button
Reboot your computer
Unfortunately, Windows 9x/ME does not support the “multi-layered” (nested group) approach that NT/2000/XP supports when applying permissions. Therefore, it is necessary to add each individual user to the PowerUsers group at the Domain Controller. You cannot rely on the fact that the individual users are already members of Spector CNE Admins, Spector CNE Monitors, etc. as you can with the NT-based operating systems. If 9x/ME computers are part of your Client plans, you do not need to include the Spector CNE… groups in the PowerUsers group since the individual users must be added.
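The group rules from Creating the CNE Domain Groups and the 9x/ME rule above can be checked against an export of group memberships. This is an added example, not Spector CNE code: it reports, per user, which console views are usable and whether PowerUsers membership gives local Administrators rights on NT-based Clients or Remote Administration on 9x/ME. The sample directory and user names are constructed, and it assumes PowerUsers has been added on each Client as described.

```python
VIEWS = {
    "Spector CNE Managers": "Manage Computers",
    "Spector CNE Configurers": "Configure Computers",
    "Spector CNE Monitors": "Monitor Computers",
}
ADMINS = "Spector CNE Admins"
LOCAL_ADMIN_GROUP = "PowerUsers"  # assumed added to local Administrators

# Added example data (constructed): group name -> direct members.
SAMPLE = {
    "Spector CNE Admins": ["alice"],
    "Spector CNE Managers": [],
    "Spector CNE Configurers": ["bob"],
    "Spector CNE Monitors": ["bob", "hr_carol"],
    "PowerUsers": ["Spector CNE Admins", "Spector CNE Managers",
                   "Spector CNE Configurers", "Spector CNE Monitors", "dave"],
}

def expand(group, members, seen=None):
    """All users reachable from `group`, following nested groups."""
    seen = {group} if seen is None else seen
    users = set()
    for m in members.get(group, ()):
        if m not in members:          # not a group key, so a user account
            users.add(m)
        elif m not in seen:           # nested group; guard against loops
            seen.add(m)
            users |= expand(m, members, seen)
    return users

def audit(members):
    """Per user: usable console views and administrative reach on Clients."""
    nt_admins = expand(LOCAL_ADMIN_GROUP, members)    # nesting is honoured
    # 9x/ME: only users placed directly in PowerUsers count.
    w9x_admins = {m for m in members.get(LOCAL_ADMIN_GROUP, ())
                  if m not in members}
    cne_admins = expand(ADMINS, members)
    by_view = {view: expand(g, members) for g, view in VIEWS.items()}
    users = nt_admins | cne_admins | set().union(*by_view.values())
    report = {}
    for user in sorted(users):
        # Spector CNE Admins are treated as members of the other three groups.
        views = sorted(v for v, who in by_view.items()
                       if user in who or user in cne_admins)
        report[user] = {"views": views, "local_admin_nt": user in nt_admins,
                        "remote_admin_9x": user in w9x_admins}
    return report

if __name__ == "__main__":
    for user, row in audit(SAMPLE).items():
        print(user, row)
```

In the sample, hr_carol can use only the Monitor Computers view in the console, yet still holds local Administrators rights on every NT-based Client that received the PowerUsers change.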