The Onsite Manager sees everything on your customer networks, but in order to do so, certain configurations may need to be performed. These changes must be made to the Domain Profile.
The Domain Profile is used when the machine is connected or logged into the Domain, and the Standard Profile when it is not. Computers with Device Managers installed that may physically leave the network should not have the Standard Profile configured with the policies described below, because the ports being opened are not required for monitoring and management. You can manage this by creating a separate organizational unit (OU) for these devices.
Once the changes have been made, the Group Policy must be updated on each device for the changes to take effect. The policy will be updated the next time a user logs into the Domain from the device, or may be updated manually on each device.
Caution: The GPO settings contained within this document are based on common network deployment models. Some networks may have tighter security requirements which some settings within this document do not meet. It is highly recommended that you consult your customer’s corporate network security policies before making GPO setting changes. Items within this document that you may want to reference with your customer’s corporate network security policy include the following:
- limiting which computers have access to remotely connect to other computers on the network. For example some networks may want to lock down so that only the Onsite Manager can access other workstations whereas others may allow all the computers within a complete subnet.
- Remote Desktop Connection. This document provides settings that allow a user to remotely connect to other PCs using Microsoft’s RDP client. This may not apply for networks that prefer to use other clients such as VNC.
Important: Because there is no way to predict what OUs exist on any given system, this guide works with defaults. Depending on your environment, you may have to apply the policies against objects other than those listed here.
Small Business Server and other Windows versions may have different paths in the management console to get to the policies, or different utilities to get there outside of the management console. However, the policy names and required settings will be consistent with those presented here. Technical Support is limited to best-effort advice when configuring GPOs in live environments.