Offering Remote Assistance in Windows XP

Step by step directions on how to configure XP through group policies in order to allow Remote Assistance to function without the cumbersome invitation system.

Joshua Cantara jcantara@grappone.com
Last Revised: May 24th, 2007

Summary

The goal of this document is to help you use invitation-free Remote Assistance on XP workstations in your Active Directory domain. The key components are a few Group Policy settings and and optional .msi package to streamline the connection process. Offered Remote Assistance (ORAS) is a much faster and better option in many ways to other remote control programs such as VNC or the slew of web-based options. One key benefit is that it's already paid for as part of your XP license so there is ZERO additional cost. The other major benefit is that it uses the RDP protocol which is exponentially faster than VNC over slow connections.

Index

Required Materials
Setting the GPO
Connecting via Offered Remote Assistance (ORAS)
Optional auto-allow .msi Package

Required Materials

Here are the things you will need to get started. I have included links to files where appropriate.

An Active Directory domain running Windows 2000 and/or 2003 servers.
Workstations running Windows XP.
Microsoft's Group Policy Management Console (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx)
My auto-allow package (oras_update.zip)

Install the GPMC on your workstation or a server you have RDP access to. If you have not used it before it represents a major leap in management of your GPOs. Take a moment to familiarize yourself with it as the basics of creating, editing and assigning GPOs will not be covered here. Also not covered is importing XP's administrative templates into a Windows 2000 server. If you are running Windows 2000 servers, you'll want to do a quick search on how to accomplish this.

Setting the GPO

The first step is to create, assign and then enable a GPO that tells your workstations to turn on their persistant Remote Assistance listener so that you can connect to PCs without your users having to go through the atrocious process of sending you an invitation.

Create a new GPO and assign it to the OU(s) where your user accounts are stored. Disable it until your editing is complete.
Under Computer Configuration navigate to Administrative Templates/System/Remote Assistance


Open Offer Remote Assistance
Set the policy to Enabled change the drop-down box to Allow helpers to remotely control the computer
Open the Helpers list by clicking Show
This is where you will add AD users/groups who are permitted to connect via Remote Assistance. Dommain Admins are a good start,
as well as secondary group of users who may not be admins but need to support users, such as a help desk.
PLEASE NOTE: This
box is NOT a typical AD user search box. Your entries will NOT be verified for accuracy like when assigning file permissions.
If you type YOURDOMAIN\Domain Admnis it will gladly accept this entry and your configuration will NOT function.
Add group and user names in the format of DOMAIN\GroupOrUserName
Enable the GPO.



Connecting via Offered Remote Assistance
Once the GPO has been assigned, it'll take a GP refresh for the workstations to configure the policy. Depending
on how your AD environment is set up, this could take 30 minutes or a reboot. Make sure that the workstation
you wish to test ORAS on has had enough time to apply the new policy. If you're in doubt, double check using 
rsop.msc.

Create a new shortcut on your desktop or another handy location. Enter
hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/UnSolicitedRCUI.htm
as the location. Name it "Offer Remote Assistance"
Enter the hostname or IP of a computer you wish to support.
If there are no users logged in, you will get an error. Otherwise the user logged in should show in the second box.
Click Start Remote Assistance
Upon connecting, the remote user will be shown a dialog box announcing your username and that you wish to share their session.
Instruct them to click "Allow" and you will be shown their desktop in view-only mode.
Click "Take Control" and after another "Allow or Deny" dialog at the end-user's side, you will be now BOTH be control
of the keyboard and mouse. Please note that control is shared, and that if both you and the end-user use the mouse at
the same time, you can expect poor results.
When finished, you can close the support window, your view/control session is terminated the user can carry on
with their business.

The optional package listed below disables the two "Allow/Deny" prompts on the end-user side by changing the
ORAS scripts to auto-click "Allow". This lets you connect, take control, and reconnect at will. It is not
required for ORAS to function on your domain, but is included as a convienence.

Optional auto-click .msi Package
This package, when installed, will modify two .htm files burried deep in the C:\Windows folder to enable
automatic Allowing of ORAS connections and take-control requests. This may not be desirable in all
situations, where you may be worried that some help-desk personnel could sneak into an unlocked workstation
where an administrator was logged in, or in an environment where you truly wanted all users to control
whether or not even administrators could view their sessions. If those sound like problems for you, then
you can either selectively apply the package to certain workstations, or not apply it at all. This step
is ENTIRELY optional.

Create, assign, and disable a GPO on the OU(s) where your XP workstations are stored.
Unzip the contents of oras_update.zip and place on a network share with appropriate permissions.
Under Computer Configuration/Software Settings add the .msi using a UNC as an assigned package.
Allow time for your workstations to reboot and apply the update.

Take a moment to examine the contents of the zip file before applying it to any workstations in your domain.
I have not compiled all the files into the .msi so that you can make sure that I am in no way sneaking a root
kit or virus on to your network. You could also load and examine the .msi itself using any number of .msi
editors.

Conclusion
      
If everything has gone as planned, you should now be able to connect into and support all of your
XP workstations using nothing other than the RDP server that all XP installs come with. If you have
any questions beyond the basics of creating and configuring GPOs, feel free to send me an email. 
Emails requesting help with basic GPO/AD tasks will be politely directed to purchase this book:
Mastering Windows Server 2003