R
Research Services
We are having problems getting "Offer Remote Assistance" to work in our
Child Domain (part of an Active Directory Forest). In Offer Remote
Assistance, when we Click the Connect Button from a Windows XP SP2 computer
with Windows Firewall Enabled, an error box "Permission denied" is displayed
immediately, as if it never even gets far enough to try to communicate to
the destination XP SP2 computer (no hard drive activity, no event log
activity, no dropped traffic by the firewall). Interestingly, when we put
in a W2K3 box as the destination, we received a different error "Access to
the requested resource has been disabled by your administrator" and it
actually does "talk" to the W2K3 box over the network as you can hear the
disk grind at the moment it attempts to connect. We have not used GPOs to
Enable Remote Assistance on our W2K3 boxes.
So, the list of what we have done with related Microsoft KB Articles:
http://support.microsoft.com/?kbid=301527
- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
'Offer Remote Assistance' at
Computer Configuration / Administrative Templates / System / Remote
Assistance
- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above
- Added/Changed the DCOM Registry Key as such on ALL involved computers:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
- Opened all of the items below in the Windows Firewall through Group
Policy:
%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote
Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance -
Windows Messenger and Voice
135:TCP:*:Enabled:Remote Assistance Port
- We have even Enabled to "*" 'Allow remote administration exception',
'Allow file and printer sharing exception' and 'Allow Remote Desktop
exception' in the Firewall as well
http://support.microsoft.com/?kbid=884910
- Even though all of our computers are Windows XP SP2, since we have left
this group Policy as 'Not Configured' we don't believe it applies to us.
(And attempting to modify this as KB stated caused all sorts of other DCOM
related problems)
http://support.microsoft.com/?kbid=310629
Simple File Sharing is disabled since all computers are within our Domain
(Domain Computers), so this article doesn't apply to us. We have verified
that this checkbox is NOT selected on all of the computers involved.
Right-Click, Properties on 'My Computer', Remote Tab on all involved
computers has the 'Allow Remote Assistance invitations to be sent from this
computer' checked.
Resultant Set of Policies (RSoP) verifies that all appropriate Group
Policies are being applied correctly.
All involved computers are on the same subnet and no other firewalls exist
other than the Group Policy-enforced Windows Firewall configured as
mentioned above. In fact removing the Windows Firewall on both the 'Expert'
and 'Novice' computers generates the same error message 'Permission denied'.
The 'Remote Desktop Help Session Manager' service is set to Automatic and in
the Running state on the computer that the 'Offer Remote Assistance' is
being made from and under the security context of a Local AND Domain
Administrator account - this user is part of one of the groups added to the
Group Policy above.
'Offer Remote Assistance' is being initiated from a Shortcut to:
hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm
Remote Desktop works correctly for all involved computers.
Generating a Remote Assistance request and sending via email works
perfectly. Only Unsolicited (Offer) Remote Assistance does not work.
We use Group Policy to "lock down" most of the Security Settings under 'User
Rights Assignments' and 'Security Options'.
Any suggestions would be greatly appreciated - thank for help in advance.
Child Domain (part of an Active Directory Forest). In Offer Remote
Assistance, when we Click the Connect Button from a Windows XP SP2 computer
with Windows Firewall Enabled, an error box "Permission denied" is displayed
immediately, as if it never even gets far enough to try to communicate to
the destination XP SP2 computer (no hard drive activity, no event log
activity, no dropped traffic by the firewall). Interestingly, when we put
in a W2K3 box as the destination, we received a different error "Access to
the requested resource has been disabled by your administrator" and it
actually does "talk" to the W2K3 box over the network as you can hear the
disk grind at the moment it attempts to connect. We have not used GPOs to
Enable Remote Assistance on our W2K3 boxes.
So, the list of what we have done with related Microsoft KB Articles:
http://support.microsoft.com/?kbid=301527
- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
'Offer Remote Assistance' at
Computer Configuration / Administrative Templates / System / Remote
Assistance
- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above
- Added/Changed the DCOM Registry Key as such on ALL involved computers:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
- Opened all of the items below in the Windows Firewall through Group
Policy:
%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote
Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance -
Windows Messenger and Voice
135:TCP:*:Enabled:Remote Assistance Port
- We have even Enabled to "*" 'Allow remote administration exception',
'Allow file and printer sharing exception' and 'Allow Remote Desktop
exception' in the Firewall as well
http://support.microsoft.com/?kbid=884910
- Even though all of our computers are Windows XP SP2, since we have left
this group Policy as 'Not Configured' we don't believe it applies to us.
(And attempting to modify this as KB stated caused all sorts of other DCOM
related problems)
http://support.microsoft.com/?kbid=310629
Simple File Sharing is disabled since all computers are within our Domain
(Domain Computers), so this article doesn't apply to us. We have verified
that this checkbox is NOT selected on all of the computers involved.
Right-Click, Properties on 'My Computer', Remote Tab on all involved
computers has the 'Allow Remote Assistance invitations to be sent from this
computer' checked.
Resultant Set of Policies (RSoP) verifies that all appropriate Group
Policies are being applied correctly.
All involved computers are on the same subnet and no other firewalls exist
other than the Group Policy-enforced Windows Firewall configured as
mentioned above. In fact removing the Windows Firewall on both the 'Expert'
and 'Novice' computers generates the same error message 'Permission denied'.
The 'Remote Desktop Help Session Manager' service is set to Automatic and in
the Running state on the computer that the 'Offer Remote Assistance' is
being made from and under the security context of a Local AND Domain
Administrator account - this user is part of one of the groups added to the
Group Policy above.
'Offer Remote Assistance' is being initiated from a Shortcut to:
hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm
Remote Desktop works correctly for all involved computers.
Generating a Remote Assistance request and sending via email works
perfectly. Only Unsolicited (Offer) Remote Assistance does not work.
We use Group Policy to "lock down" most of the Security Settings under 'User
Rights Assignments' and 'Security Options'.
Any suggestions would be greatly appreciated - thank for help in advance.