I have been searching the Internet for the past week for the answer to my question, but couldn't find any conclusive answer, so I ask here.
Based on your experience and/or knowledge, what policies could/should be enforced through Group Policy to ensure that all computers in the domain are manageable remotely using the triumvirate of psexec, remote WMI, and remote registry?
Background of my question: when I audited the computers in the domain, I would encounter computers that are not psexec-able, or remote WMI queryable, or remote regedit-able, or a combination of the three. This forced me to every time devise workarounds, a job that took away too much valuable time. So, rather than wasting time again and again, I'd rather enforce uniformity via a domain-wide GPO.
PS: The targets of operation are Windows XP SP3 and Windows 7 Professional/Enterprise.
Best Answer
Mmmm... thoughts:
PSExec - just requires the remote PC to be contactable via RPC and SMB. Plus, you need the appropriate rights at the other end to remotely interact with the Service Control Manager (this could be forced via Group Policy Preferences). So, assuming the PC is operational...: If the PC is on the domain, then the Windows Firewall should let you in, unless you've tweaked the domain-connected firewall settings. Anti-virus products might see PSExec as a "Potentially unwanted Program". So, possibly some registry settings here to ensure it's allowed to execute.
WMI - Again, needs RPC to be functioning. You might want to force the WMI services to be running via GPOs. One snag with WMI is when a 3rd party product fecks up the WMI repository. Seen this so many times. Only fix is a manual recompile.
Remote Registry - Again, RPC and privs. Plus, you could force the service to be running via GPOs.