Unsolicited Remote Assistance

With the release of Microsoft Windows XP Microsoft introduced a feature called ‘Remote Assistance’. Microsoft described this feature as the means to invite a person on another Microsoft Windows XP box to your Microsoft Windows XP box. You could use MSN Messenger, Windows Messenger or e-mail to send the invites. Although this is a nice feature when your mother calls you because the shortcut bars in Internet Explorer suddenly disappeared and you want to help her, in your organization it’s like the computer she gave you on your 6th birthday: ‘Wow! Too bad I don’t know how to put it to use yet…’

This post shows you how you can harness the power of Remote Assistance and Active Directory Group Policy Objects (GPO’s) to create Unsolicited Remote Assistance so you can bug the living daylights out of your users. Mwuahaha! [6] (and help them incidentally when they encounter problems using your servers)

Disclaimer

Before you think you’ve reached Systems Administrators Heaven, let me point out to you that although your users don’t have to send invites anymore, they still have to approve before you can take a peek at their desktops. Although you might find this article interesting and I’ve tested this procedure within a lot of organizations, it still might contain bugs, just like the software you’re using it on. If you think I’m lame for posting this information while it’s been posted to the Internet a million times, then you’re right, but hey! this is how blogging works.

What do I need?

Let’s start with the simple things. You don’t need much to gain control over your users’ desktops: just supply your users with an edition of Microsoft Windows XP on top of their boxes and make the boxes members of your Active Directory. I won’t explain to you how to make a box a member of your Active Directory, because I think it’s safe to assume you already know how to accomplish this task.

Do I really need an Active Directory?

Maybe you forgot, but this is dirteam.com! Of course you need the Active Directory! The Active Directory is your key to success, the stuff dreams are made of, the best thing man invented since sliced bread. If you’re not comfortable with the Active Directory you might also use eDirectory with Zenworks for Desktops, but for obvious reasons I won’t go into much detail on how to accomplish this here. (just read between the lines) You might even use this feature to help your mom once in a while by helping her find her missing taskbars again (she’s the one that gave you the computer to begin with, remember?) and making her little box a member of any Active Directory would be silly, so you could change some vague registry keys to accomplish this. I still believe we agreed the Active Directory and Active Directory Group Policy Objects (GPO’s) are the way to go to change large amounts of registry keys on a large amount of computers easily…

Do my users really need Windows XP?

Of course they don’t! At least not for their daily chores… but you’ll need it as a Systems Administrator to make this neat feature work. Besides: supplying them with Microsoft Windows 9x these days would make you look silly towards your users (and reckless towards your colleagues) and supplying them with Microsoft Windows 2000 Professional is about the most stupid thing to do these days in terms of product lifecycle issues. However: check back when Microsoft Windows Vista gets released, I’ll be updating this article with Microsoft Windows Vista information.

How do I accomplish Unsolicited Remote Assistance?

You enable the use of Unsolicited Remote Assistance by creating and applying some Group Policy Objects (GPO’s) and after that simply starting a shortcut, which I’ll provide after you’ve accomplished these first tasks.

Step 1: Define the Unsolicited Administrators

First off, open the ‘Active Directory Users and Computers’ MMC snap-in. (dsa.msc) You can do this when you’re logged in as an administrator on one of your Domain Controllers or when you’re logged in as an administrator within your Active Directory on a box where you installed the Microsoft Windows Server Administration Tools. (adminpak.msi)

Make a group for the user accounts you want to enable to make every desktop in your organization theirs. For instance call it ‘Remote Assistance Group’, or something else if today feels like that day everything is coming your way. Be sure to remember the group name. The group type doesn’t really matter.

Step 2: Automatically start the ‘Help and support’ service

If you haven’t done so already, place the computer accounts of the boxes (where you want to apply Unsolicited Remote Assistance to) in a separate Organizational Unit. (OU) The default ‘Computers’ container doesn’t allow for applying Group Policy Objects (GPO’s), so you’ll need to do something to make this possible. Creating a new Organizational Unit (OU) with your organization’s name and creating a structure of Organizational Units beneath it, in combination with redirusr.exe and redircomp.exe, is the way most organizations go. I guess adsiedit.msc might also get the job done of ‘unlocking’ the ‘Computers’ container, but I understand when Systems Administrators are reluctant to use this tool. (which I like a lot however!)

When you’re not using the Group Policy Management Console (GPMC):

Right click on the Organizational Unit (OU) and choose Properties from the context menu. Open the tab ‘Group Policy’. Create a new Group Policy Object (GPO) with a name that is understandable and humanly readable (for instance: ‘Unsolicited Remote Assistance Policy’) and after that edit it. This will start gpedit.msc.

When you’re using the Group Policy Management Console (GPMC):

Great tool isn’t it! erhm … Since you’re using this tool I’ll assume you understand the limitations of Group Policy troubleshooting, migrating, testing and modeling without it and I guess you won’t have any problem with creating a new Group Policy Object (GPO), linking it and opening it for editing.

Within the Group Policy settings browse to ‘Computer Configuration’, ‘Windows Settings’, ‘Security Settings’ and ‘System Services’. In the left part of the policy now find the service named ‘Help and Support’, right click it and ask for its properties. Check the ‘Define this policy’ option and change the startup type to ‘Automatic’. Don’t forget to finish with the ‘OK’ button.

Step 3: Define the Unsolicited Administrators

In the policy you just created browse to ‘Computer Configuration’, ‘Administrative Templates’, ‘System’ and ‘Remote Assistance’.

In the left part now right click ‘Solicited Remote Assistance’ and select ‘Properties’.
‘Enable’ the policy by selecting it and further down the screen at ‘Permit Remote Control of this computer’ select ‘Allow helpers to remotely control…’. Also select the active period for invitations and the ways invitations can be sent. Just for fun 😉 Press the ‘OK’ button when you feel like you’re done.

Now enter the properties for ‘Offer Remote Assistance’ which also resides in the left part of your screen. Also ‘Enable’ this policy. Just as you did before select ‘Allow helpers to remotely control…’ for ‘Permit Remote Control of this computer’ and now press the ‘Show’ button. Here you can add the users or groups you want to enable to use Unsolicited Remote Assistance. You can add the group you created before by simply adding it. I suggest you use the Domain\Group way of entering this information. Press the ‘OK’ button to close the properties.

Close the Group Policy editor. (gpedit.msc)

Step 4: Configuring the firewall

Since you supplied your users with Microsoft Windows XP I also assume you applied Service Pack 2. Perhaps you’re even one of those administrators that sees the joy, the challenge and the gratitude of your users in enabling and configuring the new Windows Firewall that came with it, so let’s configure the firewall on the computers on which you’re planning to use Unsolicited Remote Assistance.

If you don’t use the Windows Firewall

It’s a free country and no one can be forced to use the Windows Firewall.
You may skip to Step 5. If you pass start you will not receive $2000.

If you haven’t imported Service Pack 2 Group Policy settings yet

I suspect you already imported the Group Policy settings that came with Microsoft Windows XP Service Pack 2. Risking being called paranoid again by Paul, I’m just going to explain this to you so you don’t get stranded somewhere in the middle of this article.

You’ll need Service Pack 2 installed on a Microsoft Windows XP box in your organization, so if you haven’t done so already: this is as good a time as any…
Log on to this computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group. From the Windows XP desktop, click Start, click Run, type mmc, and then click OK, this will start the Microsoft Management Console. On the File menu, click Add/Remove Snap-in and on the Standalone tab, choose Add.
In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add again. In the Select Group Policy Object dialog box, click Browse. In the Browse for a Group Policy Object, find the policy you’ve created earlier to update it with the new Windows Firewall settings. Then click OK and Finish to complete adding snap-ins.

Right, let’s teach our firewall some new tricks!

Open the Group Policy Object (GPO) you created earlier. If you can’t remember by now how to do this, just scroll back up a bit and stay off the narcotics next time…

In the policy you just created browse to ‘Computer Configuration’, ‘Administrative Templates’, ‘Network’, ‘Windows Firewall’ and ‘Domain Profile’. In the right side of your screen select ‘Windows Firewall: Allow Remote Desktop exception’. Right click it and select ‘Properties’ in the menu. In the properties select ‘Enable’. Now enter ‘localsubnet’ in the field below if you want to be able to access the desktop of your users from everywhere on the network (which might be an excellent choice!) or enter the IP address of your server or your own computer (separated by commas) to prevent your users from using the Remote Desktop functionality on each other. When you’re confident enough about the simplicity of this step press ‘OK’ to close the properties.

Step 5: Creating the Unsolicited Remote Assistance shortcut

All that’s left for Unsolicited Remote Assistance features is a shortcut to start up the Unsolicited Remote Assistance screen. Just make a shortcut somewhere convenient, and give it the following location:

“%ProgramFiles%\Internet Explorer\iexplore” hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/Unsolicitedrcui.htm

Then give this shortcut a convenient name and you’re done!

Step 6: Using the shortcut

If you start the shortcut from any of the computers on which you applied your Group Policy Object (GPO), or any Microsoft Windows Server 2003 box with a started ‘Help and Support’ service, you will find a nice Microsoft Internet Explorer screen that gives you the opportunity to supply a target computer name. After that you can select the logged-in user account to bug.

The user will get a question asking whether they want to allow the ‘helper’ to access their desktop. When you want to take control of the desktop the user has to give permission again, but this will only be true when you selected . You don’t really think the guys at Microsoft were that oblivious? [:O]

Without Active Directory

To help your mom once in a while (or anyone else that you consider to be equivalent to the Freudian mother figure in your life), to implement Unsolicited Remote Assistance in your eDirectory environment, or to implement Unsolicited Remote Assistance using scripting instead of Group Policy Objects (GPO’s), I’ll also show how to implement it with just a couple of registry changes, a service and the firewall, so you can accomplish the same thing without Active Directory.

Disclaimer

Just like Microsoft I want to warn you before manually editing the registry. You should back up the registry and make sure you are able to restore it before editing the registry. Read KnowledgeBase article 256986 for more information. Although the changes you’re about to make are not life threatening to your Operating System and you might be able to manually undo them, I still urge you to follow the procedure. Also you will be using the command line, which you might find to be very scary…

Services

Before you can use Unsolicited Remote Assistance you have to make sure the ‘Help and Support’ service is started, just like you did in Step 2 using Group Policy Objects (GPO’s). I know a lot of administrators that disable the ‘Help and Support’ service to minimize the possible attack surface that this service might otherwise represent. (which actually happened and was fixed in MS04-15) You can change the startup type of services and actually start or stop services with the sc command. In this case you could use the following two commands to set the startup type of the service to ‘Automatic’ and subsequently start it up (note the space after ‘start=’, which sc insists on):

  • sc config helpsvc start= auto
  • sc start helpsvc

I guess it will suffice to only issue the commands once, because when the startup type of the service is set to ‘Automatic’ the service will launch automatically when the box is rebooted.

Registry

Unsolicited Remote Assistance consists of a minimum of three registry components, which allow you to control it just like you would do in Step 3. They are the following two values:

  • HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
  • HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicitedFullControl

And a minimum of one value in the key:

  • HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit

When you can’t find the above key or values you have to manually create them.

fAllowUnsolicited and fAllowUnsolicitedFullControl

The fAllowUnsolicited and fAllowUnsolicitedFullControl REG_DWORD values control whether Unsolicited Remote Assistance is enabled and whether the users or groups that you grant the right to give assistance are allowed to ‘just look’ or ‘interact’. To enable the ‘just look’ functionality change fAllowUnsolicited to 0x00000001 (1) and leave fAllowUnsolicitedFullControl as it is, 0x00000000 (0). To unlock ‘interact’ change fAllowUnsolicitedFullControl to 0x00000001 (1) as well.

RAUnsolicit

In the RAUnsolicit key you can make new REG_SZ values to represent the users and/or groups that you want to allow the right to give assistance. Add users to the computer with strong passwords and then make a value for each account, where the name of the value is the username and the data is the full name.

The Firewall

You should also make sure the Windows Firewall isn’t blocking any RDP traffic, which basically uses TCP port 3389. If you haven’t lost your mind yet, you configured the Windows Firewall to block unwanted traffic. (If you didn’t and you’re perfectly happy with leaving a Microsoft Windows XP computer unprotected, then skip to the Registry part.) This isn’t going to represent a problem today, because there’s another command line tool to help out, and it’s good old netsh:

  • netsh firewall set service remotedesktop enable subnet

Instead of ‘subnet’ you could also use ‘custom LocalSubnet’ (or any other addresses you would like the Remote Desktop service listening on). The outcome of this command should be ‘OK’. This way you should be able to programmatically complete Step 4.
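As an added example (not part of the original post), the whole ‘Without Active Directory’ procedure above (service, registry and firewall) rolled into one batch script that can also audit who is currently allowed to offer unsolicited assistance, or roll the settings back. The helper account ‘HELPDESK\Remote Assistance Group’ and its full name are placeholders; replace them with the account(s) you actually want to authorise.

```batch
@echo off
rem Added example, not from the original post. Applies the 'Without Active
rem Directory' steps on one Windows XP SP2 box, then audits the result.
rem Usage: ura.cmd            (apply and audit)
rem        ura.cmd audit      (only show the current state)
rem        ura.cmd disable    (roll back: refuse unsolicited offers again)
setlocal
set "RAKEY=HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services"
rem Placeholder helper account (value name) and its full name (value data).
set "HELPER=HELPDESK\Remote Assistance Group"
set "HELPER_FULLNAME=Remote Assistance Group"

if /i "%~1"=="audit"   goto :audit
if /i "%~1"=="disable" goto :disable

rem 1. Services: Help and Support must run, and keep running after a reboot.
rem    sc requires the space after 'start='.
sc config helpsvc start= auto
sc start helpsvc

rem 2. Registry: allow unsolicited offers and 'interact' (set the second value
rem    to 0 for 'just look'), then list the helper account under RAUnsolicit.
reg add "%RAKEY%" /v fAllowUnsolicited /t REG_DWORD /d 1 /f
reg add "%RAKEY%" /v fAllowUnsolicitedFullControl /t REG_DWORD /d 1 /f
reg add "%RAKEY%\RAUnsolicit" /v "%HELPER%" /t REG_SZ /d "%HELPER_FULLNAME%" /f

rem 3. Firewall: open the Remote Desktop exception (TCP 3389) for the local
rem    subnet only, so the port is not reachable from beyond the LAN.
netsh firewall set service remotedesktop enable subnet

:audit
rem Review this list the way you review local Administrators: everyone in
rem RAUnsolicit can offer a session, and FullControl=1 lets them drive it.
echo --- Help and Support service ---
sc query helpsvc | find "STATE"
echo --- Remote Assistance policy values ---
reg query "%RAKEY%" /v fAllowUnsolicited
reg query "%RAKEY%" /v fAllowUnsolicitedFullControl
echo --- Accounts allowed to offer unsolicited assistance ---
reg query "%RAKEY%\RAUnsolicit"
echo --- Remote Desktop firewall exception ---
netsh firewall show service | find /i "remote desktop"
goto :eof

:disable
rem Roll back: refuse unsolicited offers, clear the helper list, close the port.
reg add "%RAKEY%" /v fAllowUnsolicited /t REG_DWORD /d 0 /f
reg add "%RAKEY%" /v fAllowUnsolicitedFullControl /t REG_DWORD /d 0 /f
reg delete "%RAKEY%\RAUnsolicit" /f
netsh firewall set service remotedesktop disable
goto :eof
```

Run it from an administrator command prompt; the audit section runs after every apply, so the output doubles as a record of what was changed.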

Conclusion

In my opinion Unsolicited Remote Assistance is one of the key features systems administrators can unlock to make their lives and the lives of many helpdesk people a little more rewarding. Without deploying expensive or memory humping tools, like Hyena, PCAnywhere or VNC it’s possible to share the desktop with your users and show them what you mean.

Further reading

Handy information on the SC command
Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
How to configure a computer to receive Remote Assistance offers in Windows Server 2003 and in Windows XP

4 Responses to Unsolicited Remote Assistance

  1.  

    I just found another nice feature of Microsoft Live writer that makes sense after a cup of coffee, but didn’t a couple of minutes ago: When you delete a published blogpost in Live Writer it actually deletes the blogpost from the weblog. [:$]

    Luckily I could undelete the blogpost from my hard drive and publish it again. My apologies to the people that already commented on the previously published blogpost.

  2.  

    Hi Sander, I did this myself a couple of months ago and it works great. However I came across one little issue. The latest version of Trend Micro PC-Cillin/Office Scan deploys a personal firewall by default which blocks this type of traffic. So I've had to set it to disabled since we run the Windows XP firewall by default. Great article by the way.

  3.  

    Thnx for that piece of feedback, Peter! [Y]

    I can imagine how demotivating it can be when you're trying to get a neat feature like this to work, troubleshooting it for a certain period of time to find out your antivirus application was the problem… Trend Micro isn't the only antivirus application that deploys portblocking measures. A vanilla installation of McAfee VirusScan Enterprise 8.0i contains some portblocking components as well, but fortunately not port 3389.

    Perhaps the 'Without Active Directory' section could help others with their troubleshooting steps?

  4.  

    Here is a random question. I did everything and this works great, however what I would like to do is …

    1.) from Start – Search programs and files enter msra /offerra
    2.) enter the computer name and connect without the EU seeing a Windows Remote Assistance asking if they would like to allow me to connect to the computer.

    Also, Once I have connected to the computer, from my “Helping” screen when I click Request Control I would like to avoid also getting another WRA message asking if I would like to allow the user to share control of the desktop.

    Is this possible??
