Offer Remote Assistance Not Requesting Permission

[Simon Purdue]

Hi,

I'm looking to implement the Offer Remote Assistance feature of Windows XP
on our company domain and have hit a problem with the novice's computer not
displaying the dialog window asking if they want to allow the expert to
connect. All that happens is that the expert's computer shows a logon
dialog window in the Remote Assistance window. If I logon using my admin
account, it locks the novice's computer and I have control. However, I have
also seen it log the novice user off their machine as well.

How can I get the expert to interactively connect to the novice's computer?

I've done the following steps to enable Offer Remote Assistance: -

1. Enabled the Offer Remote Assistance in Group Policy (Computer
Configuration\Administrative Templates\System\Remote Assistance.
- Enabled the option to "Allow helpers to remotely control the computer"
- Granted permission to a Domain group : DOMAINNAME\Domain Helpdesk
- My Domain Admin account is a member of this group.

2. Enabled Solicited Remote Assistance. "Allow helpers to remotely control
the computer". 30 Day ticket.

3. I've run the Resultant Set of Policies over my machine and the novice's
computer and both reports show that the policy has been set on both
machines.

Looking at all the KB articles, it appears that I've configured it
correctly, but yet I cannot get a connection. I know it does work as I
successfully got it working in a test lab.

Any help would be appreciated.

Regards
Simon

 

[Robert Cohen]

the problem is you are mixing two different programs Remote Assistance and
Remote Desktop. Remote Desktop allows you to remotely log onto another
user. If you log on it logs the user currently on off and when logged in,
the monitor on the computer is locked.

Remote Assistance is achieved through windows messenger. You ask for remote
assistance and the user has to approve it and then you have to take control
(which the user also has to approve). But once approved, you can interact
on a user's desktop and do things. The user will see what you are doing and
all. You can even have the user do things and for you to observe.

But these are two different systems.

 

[Bill Sanderson]

I understand why you think this, but the "offer remote assistance" feature
doesn't require an invitation. It should work, when policy is set correctly
at the novice end, in a domain, and with the expert being an administrator
in that domain.

The novice end machines must probably also be joined to the domain, but I'm
not absolutely certain of that necessity.

 

[Simon Purdue]

Thanks guys for your replies.

The Offer Remote Assistance is only really intended for companies who want
to be able to take remote control of an end user's desktop. It's this that
I want to do.

From the MS documentation, you set the Offer Remote Assistance only from a
Domain Controller's Group Policy or by setting it manually on the novices PC
using GPEDIT.MSC.

Bill, you're right in saying that both machines must be in a domain or
across domains where each domain trusts each other. Both machines are a
member of the same domain. By the way, I'm editing the Default Domain
Policy and changing the setting Computer Configuration\Administrative
Templates\System\Remote Assistance.

Thanks
Simon

 

[Shenan Stanley]

Thanks guys for your replies.

The Offer Remote Assistance is only really intended for companies who
want to be able to take remote control of an end user's desktop.
It's this that I want to do.

From the MS documentation, you set the Offer Remote Assistance only
from a Domain Controller's Group Policy or by setting it manually on
the novices PC using GPEDIT.MSC.

Bill, you're right in saying that both machines must be in a domain or
across domains where each domain trusts each other. Both machines
are a member of the same domain. By the way, I'm editing the Default
Domain Policy and changing the setting Computer
Configuration\Administrative Templates\System\Remote Assistance.

I believe that Robert's confusion came from your first paragraph of your
original post.

I'm looking to implement the Offer Remote Assistance feature of
Windows XP on our company domain and have hit a problem with the
novice's computer not displaying the dialog window asking if they
want to allow the expert to connect. All that happens is that the
expert's computer shows a logon dialog window in the Remote
Assistance window. If I logon using my admin account, it locks the
novice's computer and I have control. However, I have also seen it
log the novice user off their machine as well.

<..snip..>

While it is strange that you sometimes don't get a dialog window on the
client asking them if they want to allow the expert to connect when you
offer remote assistance, the latter part of the paragraph implies you then
choose to log in as an administrator and that can log the novice user off.

Well, as far as my experience with remote assistance, you either have the
client user accept your offer for help or you don't when you offer Remote
Assistance. The only way I know of that you can then continue and log on as
an administrator is to not offer remote assistance but to use remote
desktop. And when you use remote desktop, unless you log in as the user in
question, you DO log off that user. Also, with remote desktop, even if you
log in as the user in question, it will lock the screen and they cannot SEE
what you are doing.

I believe that may be what Robert was referring to earlier.

Now, as for your problem, have you looked at the resultant set of policies
on the machines giving you this trouble? Is it always the same machines or
is it user related?

 

[Simon Purdue]

Shenan,

Thanks for the reply.

I've been doing some more testing on our test lab which has a replica domain
controller to that of one on our production network. I set the policy to
offer remote assistance and solicited remote assistance and made sure that
remote assistance and remote desktop is selected on the two XP clients
(System Properties/Remote)

The RSoP on the test lab shows that offer remote assistance and solictited
remote assistance have been applied to both XP clients. When I initiate a
connection from the expert machine, it autologons to the novice's machine
(do you know what account it uses?) and then prompts the novice user for
permission for the expert to connect. So for some reason, it's working fine
in the test lab but not in production. This is with a PC that's been on the
production network, removed from the domain and joined to the test lab
domain.

I've run RSoP on two XP clients on the production network and they have both
picked up the remote assistance settings from the Default Domain Policy.
I've compared the RSoP polices on both XP machines and they are virtually
identical (the expert has extra security group memberships - including
BUILTIN\Remote Desktop Users). There must be something peculiar to the
production network that is stopping the auto logon to the novice's machine.
The user account's I'm using are always the same - my domain admin account
and a test user account with only Domain User membership (both of these
accounts worked fine in the test lab).

I tried logging on to the novice's machine through the logon prompt in the
remote assistance window and the error message it gave was "The local policy
of this system does not permit you to logon interactively". This would make
sense as a normal user cannot make a Remote Desktop/Terminal Services
connection to another machine unless they have admin rights or the logon
interactively right.

Thanks again,
Simon

 

[Bill Sanderson]

My impression is that this account is used:

IUSR_machinename

There have been messages here from folks who've done corporate image
rollouts where they removed this account in an attempt to tighten security,
only to find it was needed.

I don't believe there's been any resolution giving a way to re-create it.

 

[Matt Hickman]

Thanks guys for your replies.

The Offer Remote Assistance is only really intended for companies who want
to be able to take remote control of an end user's desktop. It's this that
I want to do.

From the MS documentation, you set the Offer Remote Assistance only from a
Domain Controller's Group Policy or by setting it manually on the novices PC
using GPEDIT.MSC.

Bill, you're right in saying that both machines must be in a domain or
across domains where each domain trusts each other. Both machines are a
member of the same domain. By the way, I'm editing the Default Domain
Policy and changing the setting Computer Configuration\Administrative
Templates\System\Remote Assistance.

Is the novice doing it as a solicited request? Is he/she using Messenger
for this? If so, are your helpers on the Novice's contact list?

Are your helpers using the "help and support center" to initiate
remote assistance?

--
Matt Hickman
..there is nothing that makes a man feel so helpless as taking his pants
away from him.
Robert A. Heinlein (1907 - 1988)
"If This Goes On--" ASF c.1940

Contact List?

 

[Guest]

Matt

I'm not sure what you mean "is the novice user doing it as a solicited request". I've configured the novice's and expert's machine to accept Remote Assistance and Remote Desktop from System Properties\Remote. I've enabled the Offer Remote Assistance through the Default Domain Policy

The helpers are in a domain global group call Domain IT Helpdesk and this group is specified in the allow helpers section of offer remote assistance in the Default Domain Policy. Yes, the helpers are using Help and Support\Tools\Offer Remote Assistance

Thanks
Simo

----- Matt Hickman wrote: ----

Thanks guys for your replies
to be able to take remote control of an end user's desktop. It's this tha
I want to do
Domain Controller's Group Policy or by setting it manually on the novices P
using GPEDIT.MSC
across domains where each domain trusts each other. Both machines are
member of the same domain. By the way, I'm editing the Default Domai
Policy and changing the setting Computer Configuration\Administrativ
Templates\System\Remote Assistance

Is the novice doing it as a solicited request? Is he/she using Messenger
for this? If so, are your helpers on the Novice's contact list

Are your helpers using the "help and support center" to initiat
remote assistance

--
Matt Hickman
..there is nothing that makes a man feel so helpless as taking his pant
away from him
Robert A. Heinlein (1907 - 1988)
"If This Goes On--" ASF c.194

Contact List

 

[Guest]

Just to let you know, I reinstalled a clean XP from our Volume media kit and tried again. This time the Offer Remote Assistance worked on the production network! Not sure exactly why, but I can only put it down to a configuration issue with the novice's computer.

 

[Matt Hickman]

Matt,

I'm not sure what you mean "is the novice user doing it as a solicited

request". I've configured the novice's and expert's machine to accept Remote
Assistance and Remote Desktop from System Properties\Remote. I've enabled the
Offer Remote Assistance through the Default Domain Policy.

A "solicited request" is when the user sends an invitation to the
expert/helper from the help and support center either through messenger
or e-mail. The helper then uses that invitation to connect to the
user.

The helpers are in a domain global group call Domain IT Helpdesk and this

group is specified in the allow helpers section of offer remote assistance in
the Default Domain Policy. Yes, the helpers are using Help and
Support\Tools\Offer Remote Assistance.

The user's computer should always display the popup. The stated design
goals of Remote Assistance is that the user has to be there to grant
access. Without that, it sounded like the helpdesk may have been doing
Remote Desktop Connection or something similar.

When you login and it locks the user's desktop, are you both then viewing
the same desktop? Only one of you can have control at a time
and the remote user simply needs to hit the <esc> key to take back control.

--
Matt Hickman
I'm tolerant of groundhogs--some of my best friends are from Earth. As
Daddy says, being born on Luna is luck, not judgement, and most people
Earthside are stuck there. After all Jesus, Guatama Buddha, and Dr. Einstein
were all groundhogs.
Robert A. Heinlein (1907 - 1988)
"The Menace from Earth" c.1957

 

[Ed]

The Expert needs to log on the novice machine using the account:
HelpAssistant.

See the following for more information:

http://support.microsoft.com/kb/300692

Ed Tenholder