Offer Remote Assistance - "Permission denied" - Windows XP SP2

R

Research Services

We are having problems getting "Offer Remote Assistance" to work in our
Child Domain (part of an Active Directory Forest). In Offer Remote
Assistance, when we Click the Connect Button from a Windows XP SP2 computer
with Windows Firewall Enabled, an error box "Permission denied" is displayed
immediately, as if it never even gets far enough to try to communicate to
the destination XP SP2 computer (no hard drive activity, no event log
activity, no dropped traffic by the firewall). Interestingly, when we put
in a W2K3 box as the destination, we received a different error "Access to
the requested resource has been disabled by your administrator" and it
actually does "talk" to the W2K3 box over the network as you can hear the
disk grind at the moment it attempts to connect. We have not used GPOs to
Enable Remote Assistance on our W2K3 boxes.



So, the list of what we have done with related Microsoft KB Articles:



http://support.microsoft.com/?kbid=301527

- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
'Offer Remote Assistance' at

Computer Configuration / Administrative Templates / System / Remote
Assistance

- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above

- Added/Changed the DCOM Registry Key as such on ALL involved computers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

"EnableDCOM"="Y"

- Opened all of the items below in the Windows Firewall through Group
Policy:

%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote
Assistance

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance -
Windows Messenger and Voice

135:TCP:*:Enabled:Remote Assistance Port

- We have even Enabled to "*" 'Allow remote administration exception',
'Allow file and printer sharing exception' and 'Allow Remote Desktop
exception' in the Firewall as well



http://support.microsoft.com/?kbid=884910

- Even though all of our computers are Windows XP SP2, since we have left
this group Policy as 'Not Configured' we don't believe it applies to us.
(And attempting to modify this as KB stated caused all sorts of other DCOM
related problems)



http://support.microsoft.com/?kbid=310629

Simple File Sharing is disabled since all computers are within our Domain
(Domain Computers), so this article doesn't apply to us. We have verified
that this checkbox is NOT selected on all of the computers involved.



Right-Click, Properties on 'My Computer', Remote Tab on all involved
computers has the 'Allow Remote Assistance invitations to be sent from this
computer' checked.



Resultant Set of Policies (RSoP) verifies that all appropriate Group
Policies are being applied correctly.



All involved computers are on the same subnet and no other firewalls exist
other than the Group Policy-enforced Windows Firewall configured as
mentioned above. In fact removing the Windows Firewall on both the 'Expert'
and 'Novice' computers generates the same error message 'Permission denied'.



The 'Remote Desktop Help Session Manager' service is set to Automatic and in
the Running state on the computer that the 'Offer Remote Assistance' is
being made from and under the security context of a Local AND Domain
Administrator account - this user is part of one of the groups added to the
Group Policy above.



'Offer Remote Assistance' is being initiated from a Shortcut to:

hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm



Remote Desktop works correctly for all involved computers.



Generating a Remote Assistance request and sending via email works
perfectly. Only Unsolicited (Offer) Remote Assistance does not work.



We use Group Policy to "lock down" most of the Security Settings under 'User
Rights Assignments' and 'Security Options'.



Any suggestions would be greatly appreciated - thank for help in advance.
 
M

mikemelling

Have you configured "Offer Remote Assistance" in Group Policy (Computer
Config/Admin Templates/System/Remote Assistance)?
 
R

Research Services

Yes, this is mentioned above but I'll list it here again in case we are
missing something.


"- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
'Offer Remote Assistance' at

Computer Configuration / Administrative Templates / System / Remote
Assistance

- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above"
 
G

Guest

I was having the same issue with several XP SP2 systems and I don't know
where the problem originated, but I did get it fixed. You can test this out
for yourself. Look up the registry entry that was mentioned in the Support
Article on a SP1 box, then look at the SP2 box registry key. You will notice
that there are two new keys with the SP2 system. These keys map to two group
policies that can be changed but I noticed that the windows XP SP2 system did
not have all the keys it needed. I looked at a working SP2 system to find
the correct keys and they are posted below:

I didn't give you the registy file itself, but want you to actually view the
differences between the various systems. I hope that this helps you out...

--------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,58,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,00,00,24,00,1f,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\
00,fd,37,42,40,07,e9,94,2d,8a,a7,32,3f,f0,03,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"
"LegacyImpersonationLevel"=dword:00000003
"LegacyAuthenticationLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
 
R

Research Services

Thank you - I'll take a look!





Chuck said:
I was having the same issue with several XP SP2 systems and I don't know
where the problem originated, but I did get it fixed. You can test this
out
for yourself. Look up the registry entry that was mentioned in the
Support
Article on a SP1 box, then look at the SP2 box registry key. You will
notice
that there are two new keys with the SP2 system. These keys map to two
group
policies that can be changed but I noticed that the windows XP SP2 system
did
not have all the keys it needed. I looked at a working SP2 system to find
the correct keys and they are posted below:

I didn't give you the registy file itself, but want you to actually view
the
differences between the various systems. I hope that this helps you
out...

--------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\

14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\

00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\

00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\

00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,\

14,00,00,00,02,00,58,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\

00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\

00,01,00,00,00,00,00,00,24,00,1f,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\

00,fd,37,42,40,07,e9,94,2d,8a,a7,32,3f,f0,03,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\

14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\

00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\

00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"
"LegacyImpersonationLevel"=dword:00000003
"LegacyAuthenticationLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"



Research Services said:
Yes, this is mentioned above but I'll list it here again in case we are
missing something.


"- Through Group Policy, have Enabled both 'Solicited Remote Assistance'
and
'Offer Remote Assistance' at

Computer Configuration / Administrative Templates / System / Remote
Assistance

- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above"
 
R

Research Services

Do you know where or how these 3 registry entries are set from the GUI?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
DefaultLaunchPermission
MachineLaunchRestriction
MachineAccessRestriction

On computers that are able to Offer Remote Assistance compared to mine that
cannot, these entries are different.
Thank you!





Chuck said:
I was having the same issue with several XP SP2 systems and I don't know
where the problem originated, but I did get it fixed. You can test this
out
for yourself. Look up the registry entry that was mentioned in the
Support
Article on a SP1 box, then look at the SP2 box registry key. You will
notice
that there are two new keys with the SP2 system. These keys map to two
group
policies that can be changed but I noticed that the windows XP SP2 system
did
not have all the keys it needed. I looked at a working SP2 system to find
the correct keys and they are posted below:

I didn't give you the registy file itself, but want you to actually view
the
differences between the various systems. I hope that this helps you
out...

--------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\

14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\

00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\

00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\

00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,\

14,00,00,00,02,00,58,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\

00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\

00,01,00,00,00,00,00,00,24,00,1f,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\

00,fd,37,42,40,07,e9,94,2d,8a,a7,32,3f,f0,03,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\

14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\

00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\

00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"
"LegacyImpersonationLevel"=dword:00000003
"LegacyAuthenticationLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"



Research Services said:
Yes, this is mentioned above but I'll list it here again in case we are
missing something.


"- Through Group Policy, have Enabled both 'Solicited Remote Assistance'
and
'Offer Remote Assistance' at

Computer Configuration / Administrative Templates / System / Remote
Assistance

- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above"
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top