Allowing RWW on SBS 2003 & Windows 7 to play nicely - group policy / adm template howto

If you're trying to RWW to a Windows 7 PC that is joined to an SBS 2003 domain, you may be seeing a VBScript popup error along the lines of "an internal error has occurred". In this scenario, the RWW portal doesn't allow you to connect, but you can RDP successfully from your PC directly to the target PC in question.

Assuming that you've covered off firewall issues (you are allowing TCP 4125 to both the SBS box and the Win7 client, right?), then the next place to look is the authentication level required by the target PC. To do this (on the target PC):

  1. Click Start, type remote. Choose "Allow remote access to your computer".
  2. The bottom half of the screen has some remote desktop settings. Assuming that it is enabled... you're looking for the setting "Allow connections from computers running any version of Remote Desktop (less secure)". By default Windows 7 will have "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)".
  3. Change it to the middle setting - "Allow connections from computers running any version of Remote Desktop (less secure)".
  4. Test. If this fixes it... then you've solved the problem for that particular computer. Next step is to make it a group policy, so that you don't have to replicate it for every new Win7 PC.
  5. If you're running SBS 2008 then you don't need to go through the adm route - the settings are there in Group Policy Management Console, and they're well documented elsewhere so I'm not going to cover them here. If you're running SBS 2003, however, these settings don't exist, so we need to create and add an Administrative Template that is aware of the settings in question.

So... onto the next part. How to create and load this administrative template (adm). First you'll need some tools:

- Reg2Adm
- gpedit.msc on a machine that has the correct setting
- regedit on a machine that has the correct setting
- Group Policy Management Console on SBS box

You can change the setting either via gpedit.msc on the local box OR via regedit. Either way, you need to export a reg file via regedit, which will form the basis for the new ADM template.

  1. gpedit.msc: Local computer policy / Administrative Templates / Windows Components / Remote Desktop Services / Security / Set client connection encryption level.
  2. Enable the setting, and set to "client compatible"
  3. regedit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel = 2
  4. Export the key from regedit (right click, export, save as reg file). This will also export numerous other settings that you won't need here.
  5. Remove extraneous settings using notepad
  6. Open up the regfile in Reg2Adm, and create template:
  7. File, new. Import (select reg file).
  8. Click "Create Template". This will populate the "Adm text page" tab.
  9. Optionally File, save as to save an adm file OR copy the "Adm text page" text into the clipboard.
  10. Get the adm file onto the target server (either copy / paste the file, or paste the clipboard into a blank notepad and save the file with an appropriate name e.g. ".adm").
  11. Open up Group Policy Management Console (gpmc). Find the most appropriate branch of the tree - e.g. Windows Vista / 7 policy. Right click / Edit.
  12. Once the policy opens up, right click on "Administrative Templates". Add / Remove Templates. Click Add - browse to your adm file you created and choose "Open". Your new template will be listed in the list of current policy templates. Close the window. Close the policy and save if required.
  13. Open the settings tab (RHS) of gpmc and confirm that the setting that you have added appears here. If so... then great!
  14. Test - make sure it actually applies as expected (you did test that the registry change in question is the one you're after beforehand, right? At this point you should just be testing the distribution of the setting, not that you've picked the right setting!!!).
  15. If all OK then sit back & relax. If not then start troubleshooting!
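
The trim-and-convert part of the procedure (export, strip the extra values, build the template) can also be scripted. The following is an added example, not code from the original post and not Reg2Adm's own output: the sample export is constructed, the category name and function names are hypothetical, and the template is hand-written standard ADM syntax.

```python
import re

# Constructed sample of a regedit export of the RDP-Tcp key. Real exports are
# UTF-16 and hold many more values; only MinEncryptionLevel is wanted here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"MinEncryptionLevel"=dword:00000002
"fEnableWinStation"=dword:00000001
'''

KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def extract_dwords(reg_text, wanted):
    """Return [(subkey, value_name, int_value)] for the wanted HKLM DWORD values."""
    found, subkey = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # New key section; anything outside HKLM is ignored (CLASS MACHINE only).
            m = KEY_RE.match(line)
            subkey = m.group(1) if m else None
            continue
        m = DWORD_RE.match(line)
        if m and subkey and m.group(1) in wanted:
            found.append((subkey, m.group(1), int(m.group(2), 16)))
    return found


def to_adm(settings, category="Custom RDP settings"):  # hypothetical category name
    """Render a machine-class ADM template with one numeric policy per value."""
    out = ["CLASS MACHINE", f'CATEGORY "{category}"']
    for subkey, name, value in settings:
        out += [
            f'  POLICY "{name}"',
            f'    KEYNAME "{subkey}"',  # CLASS MACHINE implies HKLM, so no hive prefix
            f'    PART "{name}" NUMERIC',
            f'      VALUENAME "{name}"',
            f"      DEFAULT {value}",
            "    END PART",
            "  END POLICY",
        ]
    out.append("END CATEGORY")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_adm(extract_dwords(SAMPLE_REG, {"MinEncryptionLevel"})))
```

Because this key sits outside the Policies branches of the registry, the Group Policy editor treats the setting as a preference: it may stay hidden until you untick "Only show policy settings that can be fully managed" under View > Filtering, and the value remains in the registry after the GPO stops applying.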