Using group policy and Active Directory services in LogMeIn Central

Before implementing the Administrative Template, you should have a working knowledge of the Windows Group Policy and Active Directory feature set.

Sample Background Material

Understanding the Structure of a Group Policy Object https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
Managing Group Policy ADMX Files Step-by-Step Guide http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx
Local Group Policy Editor https://technet.microsoft.com/library/cc725970.aspx?itpid=article.

Download the Administrative Template

To implement Group Policy control over the application, you must first download and install the Administrative Template.

Download and save the appropriate files for your operating system from the Support page:
- For Windows 10, 8, 7, Server 2008R2 or 2012, download both logmein.admx ( https://secure.logmein.com/support/logmein.admx) and logmein.adml ( https://secure.logmein.com/support/logmein.adml)

Add a group policy

Once you have downloaded the required Administrative Template files, you can add a Group Policy.

Open a Run prompt by pressing the Windows key + R.
Navigate to the Policy definitions of the domain by typing \\{Fully Qualified Domain Name of domain}\SYSVOL\{Fully Qualified Domain Name of domain}\policies\PolicyDefinitions where {Fully Qualified Domain Name of domain} is the name of your domain.
Example: \\mydomain.net/SYSVOL/mydomain.net\policies\PolicyDefinitions
Copy the logmein.admx file into the folder.
Create a new folder named en-US and copy the logmein.adml file into that folder.
The logmein.adml file contains information related to the language of the Group Policy and is in English by default.

Results: The policy should now appear in your Group Policy Management Editor console for that domain. You can now edit your Group Policy.

Important: The policy can be edited under User Configuration > Policies > Administrative Templates and Computer Configuration > Policies > Administrative Templates depending on whether you want to apply the settings to users or computers in your domain.

What to do next:

Tip: Create a backup of the Group Policy templates before making changes.

Edit group policy settings

Once you have added a Group Policy, you must define the settings that you want to deploy to your hosts.

Open Active Directory Users & Computers.
Right-click a domain or organizational unit and select Properties.
Go to the Group Policy tab.
Select the Policy and select Edit.

Settings that can be applied to both computers and users are found under Computer Configuration and User Configuration.

Option	Description
Allow use of File Sharing	To prevent users from sharing files on the host via the File Sharing feature, set this policy to Disabled.
Allow access to the Detailed Mode (Dashboard) interface	To prevent users from accessing the Detailed Mode (Dashboard) interface (or "classic view"), set this policy to Disabled.
Allow remote reboot	To prevent users from using the remote reboot function in the host software, set this policy to Disabled.
Specify Remote Control Permissions	Enable or disable Remote Control specific settings. Allow Remote Printing: Enable this option to allow client-side users to print host-side documents to a device connected to the client during remote control. Allow Clipboard Transfer: Enable this option to allow the host computer's clipboard contents to be synchronized with the client clipboard.
Specify File Transfer permissions	Enable or disable File Transfer specific settings. Copy Files from the Host: Enable this option to allow the client-side user to copy files from the host. Copy Files to the Host: Enable this option to allow the client-side user to copy files to the host.
Allow Desktop Sharing	Enable this option to allow the host-side user to invite others to access the host via the Desktop Sharing feature.

Important: When a policy is set at both the computer and user level, computer-level settings will take precedence unless Computer policy settings override user policy settings is set to Disabled.

Settings that can be applied only at the computer level are found under Computer Configuration.

Option	Description
Specify File Transfer permissions	Enable or disable File Transfer specific settings. Copy Files from the Host: Enable this option to allow the client-side user to copy files from the host. Copy Files to the Host: Enable this option to allow the client-side user to copy files to the host.
Allow Desktop Sharing	Enable this option to allow the host-side user to invite others to access the host via the Desktop Sharing feature.
Computer policy settings override user policy settings	By default, computer policy settings take precedence over user policy settings. Set this policy to Disabled to allow user policies to take precedence over computer policies. Note: Use caution when allowing user policies to take precedence over computer policies. This could permit a user (if explicit user policies allow) to perform tasks that existing host computer policies might forbid.
Allow LogMeIn Installation	To prevent users from installing the host on the computer to which the policy object applies, set this policy to Disabled.

The one setting that can be applied only at the user level is found under User Configuration only.

Option	Description
Allow users to access LogMeIn	This is a User level setting. To prevent a user or user group from starting remote sessions with hosts, set this policy to Disabled.

Results:

The template is applied at the network level. When the host software detects the presence of group policies, it will use these settings first, then apply preferences configured elsewhere (for example, via Host Preference Packages).

Sample implementation 1: Remote control only

Allow the host to be controlled remotely, but disallow everything else.

Enable all remote control permissions.
1. Under Administrative Templates select Computer Configuration.
2. Select LogMeIn Policies and double-click Specify Remote Control permissions.
3. On the Policy tab, select Enabled.
4. Under Policy Details, select Allow Remote Control, Allow remote printing, and Allow clipboard transfer.
Disable all other functions.
1. Under LogMeIn Policies, double-click Allow use of File Sharing.
2. On the Policy tab, select Disabled.
  Result: Repeat substep a. and b. for Allow access to the Detailed Mode (Dashboard) interface, Allow remote reboot, and Specify File Transfer permissions.

Results: Remote Control will be the only host feature available on computers to which you apply this policy. All other host functionality will be disabled.

Sample implementation 2: Allow access to the host for only one unit in your organization

Allow the "Sales" unit to use the host, but disallow the host for every other user in your organization.

Create a Policy for your root organization, and one for the "Sales" unit.
1. Perform the steps described in Add a group policy both for the root organization (LogMeIn Policy) and the “Sales” unit (LogMeIn Policy-Sales).
Disable access to the host at the root level of your organization.
1. Right-click the root organization and select Properties > Group Policy tab.
2. Select the Policy and select Edit.
3. In the Group Policy window, expand User Configuration > Administrative Templates and select LogMeIn Policies.
4. Double-click Allow users to access LogMeIn.
5. Set the policy to Disabled.
6. Save your changes.
Allow use of the host for "Sales".
1. Right-click the “Sales” organizational unit, and select Properties > Group Policy tab.
2. Select the Policy you created for the Sales unit and select Edit.
3. In the Group Policy window, expand User Configuration > Administrative Templates and select LogMeIn Policies.
4. Double-click Allow users to access LogMeIn.
5. Set the policy to Enabled.
6. Save your changes.
Result: LogMeIn will only be enabled on computers that are members of the Sales unit of your organization.

Sample implementation 3: Disable the host for a specific domain

Block the installation of the host software for a specific domain.

Create a Policy for the domain you want to restrict.
1. Perform the steps described in Add a group policy.
Disable the right to install the host for your new domain.
1. Right-click the domain and select Properties > Group Policy tab.
2. Select the Policy and select Edit.
3. In the Group Policy window, expand Computer Configuration > Administrative Templates and select LogMeIn Policies.
4. Double-click Allow LogMeIn Installation.
5. Set the policy to Disabled.
6. Save your changes.

Results: LogMeIn will refuse to install in the domain to which this policy has been applied. Furthermore, any existing installations will stop running once the policy has been propagated.