Local Administrator rights are required to install, remove, start, stop, or even upgrade/downgrade the Mini Remote Client Agent Service on the remote machine. Therefore, provided this person has Local Administrator rights on the remote machine, then they will have sufficient rights to install the Client Agent Service on the remote machine and make a connection. If they do not have Local Administrator rights on the remote machine, then the only way they could connect would be if an Administrator has already pre-installed the Mini Remote Client Agent Service on the remote machine.
However, once the Client Agent has been installed on a remote machine, anyone that does not have local Administrator rights (only has Local User rights) on a remote machine will require permission from the User in order to connect. The only exception to this rule would be if the remote machine was currently at the Logon Desktop or Lock Screen (i.e. WINLOGON), hence there is no user present to give permission. A non-Admin would then be able to connect to the remote machine without permission, if an only if it is currently at the Logon Desktop or Lock Screen, and the "Disconnect if at Logon Desktop" setting was disabled within the Mini Remote Client Agent Service on the remote machine (it's enabled by default).
Now, let’s go into a little more detail about non-Administrators because there are several settings within the Client Agent that pertain to non-Administrator accounts. If you look at the bottom of the Access Tab within the Client Agent Service, you will see three settings. "Permission Required for these Account Types", "Disconnect if at Logon Desktop", and "View only for these account types", and each of these settings only pertain to non-Administrators (not to Administrators).
Another thing to keep in mind is that when you connect to a remote machine, it will be in one of two states:
1. Machine is sitting at the "Logon Desktop" or "Lock" Screen. Hence a user is not present on the remote machine. 2. Machine is not at the Logon Desktop or Lock screen, hence a user is currently logged into the desktop.
Scenario 1:
A non-Administrator tries to connect and the remote machine is currently at the Logon Desktop or Lock Screen. The non-Administrator will only be allowed to connect if the "Disconnect if at Logon Desktop" feature has been disabled (it is enabled by default). If it's enabled, their connection request will be denied with a dialog box stating: "The remote machine is currently at the Logon Desktop. Your credentials do not allow you to access the remote machine at the current desktop state".
Scenario 2:
A non-Administrator tries to connect and the remote machine is NOT currently at the Logon Desktop or Lock Screen (hence user is logged in). Then you must look at the "Permission Required for these account types" field.
A. If "Permission Required for these Account Types" is enabled, then whoever is currently logged into the desktop of the remote machine will be presented with a Permission Required dialog box asking to Accept or Decline this non-Administrator's connection request. If they press the Accept button, then the non-Administrator will be allowed to connect. If they press the Decline button, or if the dialog times out with no response, then the non-Administrator will not be allowed to connect.
B. If "Permission Required for these Account Types" is NOT enabled, then the non-Administrator's connection will be immediately denied with a dialog box stating: "The Remote machine is not currently at the Logon Desktop. Your credentials do not allow you to access the remote machine at the current desktop state".
