Samba – How to allow all members of a domain to login remotely to a Windows XP Machine

Why are you singling out Remote Desktop? Why not include VNC, GoToMyPC and so on?

There is no fool-proof way to do this really. If you make the effort to block as much as possible you are going to have to do a lot of work.

You can setup your firewall to block everything except what you explicatively permit and then allow only the things you control. Give your administrators some way to temporarily open holes or vpn around the firewall. You cannot simply block the common port for your users since users could simply setup a VPN/Tunnel of some sort.

Or you can use a tool to build a whitelist of all the allowed application on your machines and block everything else.

If you are getting errors trying to resolve the DNS name and the WINS server is not returning proper responses (which what the SMB_NETLOGON packets are), this means that your Win7 machine will not be able to discover a domain controller to talk to. This is inline with the error message you are getting.

To help you troubleshoot those types of errors, enable Netlogon logging by running "nltest /dbflag:2000ffff" and after reproducing the problem look at %windir%\debug\netlogon.log. You will see the machine trying to locate a domain controller and what the errors it is getting are. Once you fix those, it should work fine.

Since you mentioned that the WINS server is supplied by the university, is it actually reachable from the VM? Likely you can't do NetBIOS name resolution because your WINS server is unreachable and your DNS configuration is busted (the error in step 2).