Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to configure a computer to receive Remote Assistance offers in Windows Server 2003 and in Windows XP


View products that this article applies to.

Introduction

This article describes how to configure a computer that is running Windows XP or Windows Server 2003 to receive Remote Assistance offers.

The Remote Assistance tool can be configured to enable an expert user to start a Remote Assistance session by using the Offer Remote Assistance feature. The Remote Assistance session lets the expert user help a novice user.

This feature requires the computer of the expert user and the computer of the novice user to be members of the same domain or members of trusted domains. Domains are used in corporate networks for security. Domains are typically managed by a network administrator. The Offer Remote Assistance feature is not a practical option for most home-based networks.

For more information about Remote Assistance, click the following article numbers to view the articles in the Microsoft Knowledge Base:
300546 Overview of Remote Assistance in Windows XP
308013 How to use the "Offer Remote Assistance" policy setting

Requirements

To configure the computer of the novice user to accept Remote Assistance offers, you must make sure that the following requirements are met:
  • Group Policy for the computer of the novice user must be configured to enable Remote Assistance offers.
  • The computers of the novice and expert users must be members of the same domain or members of trusted domains.
  • Both computers must have Windows XP or Windows Server 2003 installed.
To configure the Group Policies for the Remote Assistance tool, you need a list of expert users from which the computers of the novice users can accept Remote Assistance offers. This list must contain Domain User groups and Domain User accounts.

Note Experts who use Offer Remote Assistance will be unable to connect to a novice user's computer when Solicited Remote Assistance is disabled on the novice user's computer. (This problem does not occur on computers that are running Windows XP with Service Pack 2.)

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
826088 If the Solicited Remote Assistance policy is disabled, you cannot offer assistance to a Novice computer

In a domain environment, the Group Policy that is used to configure Remote Assistance is usually deployed from the Active Directory directory service. You do this by linking a group policy object (GPO) to an organizational unit (OU) in which the novice user's computer resides.

The following steps outline this configuration and assume that the OU structure is already present. As an alternative procedure, you can use the local policy on each novice user's computer. This policy is available through GPEdit.msc. However, this procedure requires much more administrative overhead, and we do not recommend it.

How to configure the Offer Remote Assistance policy setting

  1. Log on to a domain controller or an administrative workstation as an administrator of the domain, and then open the Active Directory Users and Computers snap-in.
  2. Right-click the OU in which the novice user's computer resides, and then click Properties.
  3. On the Group Policy tab, click New, and then enter a name for the newly created GPO.
  4. On the Group Policy tab, select the newly created GPO, and then click Edit.
  5. In the navigation pane of the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, and then click Remote Assistance.
  6. In the details pane of the Group Policy Object Editor, click Enabled for the Offer Remote Assistance policy.
  7. Under Permit remote control of this computer, select one of the following options:
    • Allow helpers to only view the computer.
    • Allow helpers to remotely control the computer.
    These options correspond to the actions that you want an expert user to take.
  8. Click Show.
  9. Click Add to add domain user accounts or domain user groups.

    Note These entries should take one of the following formats:
    • domain_name\user_name
    • domain_name\group_name
    For example, the entry might be "contoso\Domain Admins."
  10. Click OK to close the Show Contents dialog box, and then click OK to close the Offer Remote Assistance Properties dialog box.
  11. Close the Group Policy Object Editor.
Important Use caution when you populate the properties of the Offer Remote Assistance Group Policy because you cannot verify the domain accounts that you enter. We recommend that you extensively test this policy setting before you perform a large policy rollout.

Note The Offer Remote Assistance policy is not available in Windows XP Home Edition.

Note Remote Assistance uses DCOM. In Windows XP and in Windows Server 2003, the DCOM entry is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
The String value of the DCOM entry is EnableDCOM = Y. If this value is set to "N," or if this value is missing, Remote Assistance will not work.

How to configure Windows Firewall for offer-based Remote Assistance

  1. Log on to a domain controller or an administrative workstation as an administrator of the domain, and then open the Active Directory Users and Computers snap-in.
  2. Right-click the OU in which the novice user's computer resides, and then click Properties.
  3. On the Group Policy tab, click New, and then enter a name for the newly created GPO.

    Or, you can skip this step and go to step 4. In this case, use the policy that you created in the "How to configure the Offer Remote Assistance policy setting" section.
  4. On the Group Policy tab, select the GPO, and then click Edit.
  5. In the navigation pane of the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
  6. In the details pane of the Group Policy Object Editor, click Enabled for the Windows Firewall: Define program exceptions policy.
  7. Click Show to display the Show Contents dialog box.
  8. Click Add to add the following exceptions:
    • %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
    • %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
    • %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance � Windows Messenger and Voice
  9. Click OK to close the Show Contents dialog box, and then click OK to close the Windows Firewall: Define program exceptions Properties dialog box.
  10. In the details pane of the Group Policy Object Editor, click Enabled for the Windows Firewall: Define port exceptions policy.
  11. Click Show to display the Show Contents dialog box.
  12. Click Add to add the following exception:
    "135:TCP:*:Enabled:Offer Remote Assistance"
  13. Click OK to close the Show Contents dialog box, and then click OK to close the Windows Firewall: Define program exceptions Properties dialog box.
  14. Close the Group Policy Object Editor.

How to configure the policy to enable Remote Connections

  1. Log on to a domain controller or an administrative workstation as an administrator of the domain, and then open the Active Directory Users and Computers snap-in.
  2. Right-click the OU in which the novice user's computer resides, and then click Properties.
  3. On the Group Policy tab, click New, and then enter a name for the newly created GPO.

    Or, you can skip this step and go to step 4. In this case, use the policy that you created in the "How to configure the Offer Remote Assistance policy setting" section.
  4. On the Group Policy tab, select the GPO, and then click Edit.
  5. In the navigation pane of the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Terminal Services.
  6. In the details pane of the Group Policy Object Editor, click Enabled for the Allow users to connect remotely using Terminal Services policy.
  7. Click OK to close the Allow users to connect remotely using Terminal Services Properties dialog box.
  8. Close the Group Policy Object Editor.

Additional considerations

Remote assistance relies on full network connectivity between the expert user's computer and the novice user's computer over the following network ports:
  • TCP port 135
  • TCP port 3389
  • All TCP ports that are greater than 1024
If port filtering exists for any of these ports between the two computers, Remote Assistance will not work.

For more information about how to restrict the ports that are required for RPC, click the following article number to view the article in the Microsoft Knowledge Base:
300083 How to restrict TCP/IP ports on Windows 2000 and Windows XP

↑ Back to the top


Keywords: KB301527, kbenv, kbhowtomaster

↑ Back to the top

Article Info
Article ID : 301527
Revision : 8
Created on : 12/6/2007
Published on : 12/6/2007
Exists online : False
Views : 465