Remote OCSP console for non-administrators

Gareth Williams 0 Reputation points
2023-08-31T05:58:36.5433333+00:00

We have a requirement for a non-administrator account to be able to view (read-only) ADCS's OCSP console remotely. The OCSP responder is running on Server Core, so can't be managed locally. We need a help-desk operator to be able to log in to an admin box, open the OCSP console, re-target the console to the Server Core instance running OCSP, and check the status of the responder (but not change anything).

Looking at the console (when connected with an administrator account) I see that under Responder Properties > Security tab I can add permissions for users and/or groups to have Read and/or Manage Online Responder permissions. I've therefore added a group to this list and given it both Read and Manage Online Responder (just for now, until I get it to work), and made sure the operator is a member of that group.

However, when the operator logs in, I get an RPC error:

Computer: va1.example.org An Online Responder is not installed on this computer or the Online Responder Service may not be running. The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

This works with an account that is an administrator, so it's not firewall/network related. The only thing that changes is the user. My suspicion is that it's something along the lines of DCOM permissions or similar, but I haven't a clue how to investigate that on Server Core as dcomcnfg.exe won't connect to a remote computer for me.

Has anyone had any similar experiences?


2 answers

  1. Limitless Technology 44,766 Reputation points
    2023-09-01T08:13:05.91+00:00

    Hello there,

    Go to the GPO section Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment; find the policy Allow log on through Remote Desktop Services; after the server is promoted to the DC, only the Administrators group (these are Domain Admins) remains in this local policy.

    You can also use RDS Collections to provide remote desktop access in an RDS farm. Open Server Manager -> Remote Desktop Services -> Tasks -> Edit Deployment Properties.

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Gareth Williams 0 Reputation points
    2023-11-10T07:55:07.88+00:00

    It turns out that for remote management/viewing of OCSP to work, the remote user needs to be a member of the Distributed COM Users local group on the OCSP server.

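The fix described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes WinRM is reachable from the admin workstation to the Server Core responder, that the responder host is va1.example.org (the name used in the question) and that the help-desk group is `EXAMPLE\OCSP-Readers`; the group name is a placeholder. The script checks that the Online Responder service (service name `OcspSvc`) is running, then adds the operator group to the local Distributed COM Users group only if it is not already a member, and lists the resulting membership so the change can be recorded.

```powershell
# Added example, not from the original post. Placeholders: the responder
# host name and the operator group below must be changed for your environment.
$Responder     = 'va1.example.org'          # Server Core host running the Online Responder
$OperatorGroup = 'EXAMPLE\OCSP-Readers'     # help-desk group that needs read-only console access

Invoke-Command -ComputerName $Responder -ScriptBlock {
    param([string]$Group)

    # 1. The console error text covers both "not installed" and "not running",
    #    so first confirm the Online Responder service really is up.
    $svc = Get-Service -Name 'OcspSvc' -ErrorAction SilentlyContinue
    if (-not $svc) {
        throw "Online Responder service (OcspSvc) is not installed on $env:COMPUTERNAME"
    }
    Write-Output "OcspSvc on $env:COMPUTERNAME is $($svc.Status)"

    # 2. Remote console access goes over DCOM, so the operator group must be a
    #    member of the local Distributed COM Users group on the responder.
    $dcomGroup = 'Distributed COM Users'
    $members   = Get-LocalGroupMember -Group $dcomGroup |
                 Select-Object -ExpandProperty Name

    if ($members -contains $Group) {
        Write-Output "$Group is already a member of '$dcomGroup'"
    }
    else {
        Add-LocalGroupMember -Group $dcomGroup -Member $Group
        Write-Output "Added $Group to '$dcomGroup'"
    }

    # 3. Emit the final membership so the change can be audited.
    Get-LocalGroupMember -Group $dcomGroup |
        Select-Object Name, ObjectClass, PrincipalSource
} -ArgumentList $OperatorGroup
```

Membership of Distributed COM Users only lets the operator reach the responder's DCOM interface; what they may do once connected is still governed by the Read / Manage Online Responder permissions on the responder's Security tab. For the read-only use case in the question, pair the DCOM group membership with the Read permission alone rather than leaving Manage Online Responder granted to the help-desk group.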
