Windows RDS MMC Snap-in Launcher (MSC)

PAM can be used to remotely launch MMC Snap-ins (MSC) in a secure RDP session. Using this feature, not only can it reduce the amount of effort one has to go through with traditional RemoteApp launching but it does so using the Privileged Session Management features of System to enable video and event recording, auditing, permissions, workflow approval and notifications.

 

If you are looking to provide users access to secured MSC console applications but do so in a more controlled and audited nature, then the PAM is the solution for you.

For our Linux users, the System also supports a similar feature where remote commands like connecting to a MySQL database can be automatically sent upon login. Read more about it here.

To launch published application that are not MMC snap-ins, please see our RDS Launcher guide here.

Cases and scenarios

The following use cases and scenarios are covered when configuring the System to use your Windows RemoteApp infrastructure.

  • Provides end-users the ability to securely launch MMC Snap-in consoles without providing direct access to the host server.
  • Easily capture video and keystroke recordings of all activity during their remote MSC sessions.
  • Quickly share access using permissions and workflows to ensure users have access to the remote applications during the times when they need it the most.

MMC Launcher

System MMC Snap-in Launcher works with your existing Windows Desktop Services RemoteApp environment by:

  • Creating a secure connection to your Windows Desktop Services RemoteApp host.
  • Launching the defined MSC snap-in without requiring additional user input or authentication.

  • Once launched, enabling controls (mouse and keyboard) for the user so they can utilize the MMC console.

  • Recording keystrokes and (optionally) video of the user’s session with the MMC console.

  • Retaining support of native RDS Administrative Connections options.

Pre-requisites

To use the RDS MMC Snap-in Launcher, the following pre-requisites are required:

  • Fully implemented, configured and working Windows Remote Desktop Services deployment. If you have not deployed a Windows Remote Desktop Services host yet, there are many online tutorials available with this one being an example: http://www.concurrency.com/blog/w/rds8-quick-and-easy,-remoteapp-on-windows-server-2
  • The credentials entered into the System record must be included in the Collections properties as a member of User Group.
  • The credentials entered into the System record must be able to connect to the RDS host server using RDP.
  • The MMC application (for example, c:\Windows\System32\mmc.exe) must be a Published Application on the RDS host.

1. System Configuration to Launch MMC Snap-ins

Step 1: To configure the System to launch your MMC Snap-ins:

  1. Login to the PAM with a System Administrator account.
  2. Navigate to Administration > Record Types and click the New Record Type button.
  3. Enter the following values to create your new record type:

    • Name: Windows MMC Snap-in Launcher or another name of your choosing.

    • Description: (optional) Enter a description of this record type

    • Session Manager: RDP

    • Parent Type: Windows Host

  4. Click the Save button to save your new record type

  5. Now click the Add Field button to create a custom field for this new record type. Use the following values for this new field:

    • Field Type: String

    • Name: RemoteApp

    • Display Name: MMC Snap-in Location or another name of your choosing

    • Order: 500

    • Helper: (optional) Enter the full path to the MSC snap-in file on the RDS server

    • Default Value: leave empty

  6. Click the Save button to save your new field.

  7. Click the Save button to save your new record type.

RDS-MMC-Snap-in-Launcher1.png

Your record type is now ready to be used to create your MMC Snap-in Launcher record.

2. Create a record

Step 2: To create a record used to launch your MMC Snap-in:

  1. Login to the PAM and navigate to the container where you will create your Windows MMC Snap-in Launcher record.
  2. Click the Add Record button and select your new Record Type from the dropdown menu.
  3. Create your record using the following values as guidance:

    • Name: Enter a name for your record

    • Description: (optional) Enter a description of your record

    • Host: Enter the host name or IP address of your Windows RDS host

    • Port: Enter the RDP port of your Windows RDS host (default is 3389)

    • User: Enter a domain user account. This may be the same username you would use to login to the RD Web Access portal or a shared, privileged account with appropriate access to your RDS Collection and the snap-in to be launched.

    • Password: Enter the User account’s password.

    • MMC Snap-in Location: Enter the path of the MSC snap-in that will be launched on the RDS server from this record. For example, C:\Windows\System32\lusrmgr.msc to launch the Local Users and Groups snap-in or C:\Windows\System32\gpedit.msc to launch the Local Group Policy Editor on the RDS host server.

      Please consult with your Windows RDS Administrator if you need assistance with any of the values specific to your Remote App environment.

  4. Click the Save and Return button to save your new record.

RDS-MMC-Snap-in-Launcher2.png

3. Testing Record

Step 3: Testing your Record

With the new record saved, you are ready to test your configuration. Return to this record’s View and click the Connect button to test this record’s function.

The expected result is that System will launch a remote RDP session to your RDS host, authenticating using the User and Password stored in the record.

Once the remote session is established, it will immediately launch the MMC Snap-in that was defined in the MMC Snap-in Location field of the record.

You can now use the MMC Snap-in and when finished, simply close the browser tab or window to complete your System session.

RDS-MMC-Snap-in-Launcher3.png

Launching MMC snap-ins

Use the following String fields to customize the behavior of the launch of the Remote Application technology on the RDS server remote applications:

  • RemoteApp – the name of the remote application to start
  • RemoteAppArgs – optional parameters of the remote application
  • RemoteAppDir – initial folder to launch remote application in

Troubleshooting

Possible errors and decisions.

  • The remote session to your RDS server fails with connection error 519
    • This failure is usually caused by an incorrect host, port or domain credentials stored in the record. Please verify that your User and Password are accurate and confirm with your RDS Administrator that the Host and Port are accurate. You should also make sure that RDP access to this host is available and your domain account is permitted to connect with this RDP session.
  • The remote session to your RDS server connects but the MMC Snap-in fails to launch.
    • This behavior may occur when the MMC console is not a published application on your remote host or this user does not have RDS permissions to launch the MMC console. Please check that both the MMC application is a published application and the User in the System record has permissions to use the published application.