Sign in with
Sign up | Sign in
Your question
Closed

Offer Remote Assistance - "Permission denied" - Windows XP..

Last response: in Windows XP
Share
Anonymous
January 12, 2005 5:47:47 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

We are having problems getting "Offer Remote Assistance" to work in our
Child Domain (part of an Active Directory Forest). In Offer Remote
Assistance, when we Click the Connect Button from a Windows XP SP2 computer
with Windows Firewall Enabled, an error box "Permission denied" is displayed
immediately, as if it never even gets far enough to try to communicate to
the destination XP SP2 computer (no hard drive activity, no event log
activity, no dropped traffic by the firewall). Interestingly, when we put
in a W2K3 box as the destination, we received a different error "Access to
the requested resource has been disabled by your administrator" and it
actually does "talk" to the W2K3 box over the network as you can hear the
disk grind at the moment it attempts to connect. We have not used GPOs to
Enable Remote Assistance on our W2K3 boxes.



So, the list of what we have done with related Microsoft KB Articles:



http://support.microsoft.com/?kbid=301527

- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
'Offer Remote Assistance' at

Computer Configuration / Administrative Templates / System / Remote
Assistance

- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above

- Added/Changed the DCOM Registry Key as such on ALL involved computers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]

"EnableDCOM"="Y"

- Opened all of the items below in the Windows Firewall through Group
Policy:

%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:o ffer Remote
Assistance

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance -
Windows Messenger and Voice

135:TCP:*:Enabled:Remote Assistance Port

- We have even Enabled to "*" 'Allow remote administration exception',
'Allow file and printer sharing exception' and 'Allow Remote Desktop
exception' in the Firewall as well



http://support.microsoft.com/?kbid=884910

- Even though all of our computers are Windows XP SP2, since we have left
this group Policy as 'Not Configured' we don't believe it applies to us.
(And attempting to modify this as KB stated caused all sorts of other DCOM
related problems)



http://support.microsoft.com/?kbid=310629

Simple File Sharing is disabled since all computers are within our Domain
(Domain Computers), so this article doesn't apply to us. We have verified
that this checkbox is NOT selected on all of the computers involved.



Right-Click, Properties on 'My Computer', Remote Tab on all involved
computers has the 'Allow Remote Assistance invitations to be sent from this
computer' checked.



Resultant Set of Policies (RSoP) verifies that all appropriate Group
Policies are being applied correctly.



All involved computers are on the same subnet and no other firewalls exist
other than the Group Policy-enforced Windows Firewall configured as
mentioned above. In fact removing the Windows Firewall on both the 'Expert'
and 'Novice' computers generates the same error message 'Permission denied'.



The 'Remote Desktop Help Session Manager' service is set to Automatic and in
the Running state on the computer that the 'Offer Remote Assistance' is
being made from and under the security context of a Local AND Domain
Administrator account - this user is part of one of the groups added to the
Group Policy above.



'Offer Remote Assistance' is being initiated from a Shortcut to:

hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm



Remote Desktop works correctly for all involved computers.



Generating a Remote Assistance request and sending via email works
perfectly. Only Unsolicited (Offer) Remote Assistance does not work.



We use Group Policy to "lock down" most of the Security Settings under 'User
Rights Assignments' and 'Security Options'.



Any suggestions would be greatly appreciated - thank for help in advance.
Anonymous
January 27, 2005 9:45:44 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Have you configured "Offer Remote Assistance" in Group Policy (Computer
Config/Admin Templates/System/Remote Assistance)?



--
mikemelling
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1345511.html
Anonymous
January 28, 2005 10:56:35 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Yes, this is mentioned above but I'll list it here again in case we are
missing something.


"- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
'Offer Remote Assistance' at

Computer Configuration / Administrative Templates / System / Remote
Assistance

- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above"



"mikemelling" <mikemelling.1jjlms@mail.mcse.ms> wrote in message
news:mikemelling.1jjlms@mail.mcse.ms...
>
> Have you configured "Offer Remote Assistance" in Group Policy (Computer
> Config/Admin Templates/System/Remote Assistance)?
>
>
>
> --
> mikemelling
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message1345511.html
>
Related resources
February 21, 2005 6:41:04 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

I was having the same issue with several XP SP2 systems and I don't know
where the problem originated, but I did get it fixed. You can test this out
for yourself. Look up the registry entry that was mentioned in the Support
Article on a SP1 box, then look at the SP2 box registry key. You will notice
that there are two new keys with the SP2 system. These keys map to two group
policies that can be changed but I noticed that the windows XP SP2 system did
not have all the keys it needed. I looked at a working SP2 system to find
the correct keys and they are posted below:

I didn't give you the registy file itself, but want you to actually view the
differences between the various systems. I hope that this helps you out...

--------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,58,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,00,00,24,00,1f,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\
00,fd,37,42,40,07,e9,94,2d,8a,a7,32,3f,f0,03,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"
"LegacyImpersonationLevel"=dword:00000003
"LegacyAuthenticationLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"



"Research Services" wrote:

> Yes, this is mentioned above but I'll list it here again in case we are
> missing something.
>
>
> "- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
> 'Offer Remote Assistance' at
>
> Computer Configuration / Administrative Templates / System / Remote
> Assistance
>
> - Added a couple of Domain Admin Groups who are also in the Local
> Administrators group on all computers with the <domain>\<group> format to
> the Group Policy above"
>
>
>
> "mikemelling" <mikemelling.1jjlms@mail.mcse.ms> wrote in message
> news:mikemelling.1jjlms@mail.mcse.ms...
> >
> > Have you configured "Offer Remote Assistance" in Group Policy (Computer
> > Config/Admin Templates/System/Remote Assistance)?
> >
> >
> >
> > --
> > mikemelling
> > ------------------------------------------------------------------------
> > Posted via http://www.mcse.ms
> > ------------------------------------------------------------------------
> > View this thread: http://www.mcse.ms/message1345511.html
> >
>
>
>
Anonymous
February 22, 2005 5:37:19 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Thank you - I'll take a look!





"Chuck" <Chuck@discussions.microsoft.com> wrote in message
news:80FE139D-932C-432C-89EF-D6CF6C0F8A1D@microsoft.com...
>I was having the same issue with several XP SP2 systems and I don't know
> where the problem originated, but I did get it fixed. You can test this
> out
> for yourself. Look up the registry entry that was mentioned in the
> Support
> Article on a SP1 box, then look at the SP2 box registry key. You will
> notice
> that there are two new keys with the SP2 system. These keys map to two
> group
> policies that can be changed but I noticed that the windows XP SP2 system
> did
> not have all the keys it needed. I looked at a working SP2 system to find
> the correct keys and they are posted below:
>
> I didn't give you the registy file itself, but want you to actually view
> the
> differences between the various systems. I hope that this helps you
> out...
>
> --------------------
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
> "DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
>
> 14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
>
> 00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
>
> 00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
>
> 00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
> 20,00,00,00,20,02,00,00
> "MachineLaunchRestriction"=hex:01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,\
>
> 14,00,00,00,02,00,58,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
>
> 00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
>
> 00,01,00,00,00,00,00,00,24,00,1f,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\
>
> 00,fd,37,42,40,07,e9,94,2d,8a,a7,32,3f,f0,03,00,00,01,02,00,00,00,00,00,05,\
> 20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
> "MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
>
> 14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
>
> 00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
>
> 00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
> 05,20,00,00,00,20,02,00,00
> "EnableDCOM"="Y"
> "LegacyImpersonationLevel"=dword:00000003
> "LegacyAuthenticationLevel"=dword:00000002
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
> "{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
> "{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
> "{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
> "{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
>
>
>
> "Research Services" wrote:
>
>> Yes, this is mentioned above but I'll list it here again in case we are
>> missing something.
>>
>>
>> "- Through Group Policy, have Enabled both 'Solicited Remote Assistance'
>> and
>> 'Offer Remote Assistance' at
>>
>> Computer Configuration / Administrative Templates / System / Remote
>> Assistance
>>
>> - Added a couple of Domain Admin Groups who are also in the Local
>> Administrators group on all computers with the <domain>\<group> format to
>> the Group Policy above"
>>
>>
>>
>> "mikemelling" <mikemelling.1jjlms@mail.mcse.ms> wrote in message
>> news:mikemelling.1jjlms@mail.mcse.ms...
>> >
>> > Have you configured "Offer Remote Assistance" in Group Policy (Computer
>> > Config/Admin Templates/System/Remote Assistance)?
>> >
>> >
>> >
>> > --
>> > mikemelling
>> > ------------------------------------------------------------------------
>> > Posted via http://www.mcse.ms
>> > ------------------------------------------------------------------------
>> > View this thread: http://www.mcse.ms/message1345511.html
>> >
>>
>>
>>
Anonymous
February 23, 2005 11:12:59 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Do you know where or how these 3 registry entries are set from the GUI?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
DefaultLaunchPermission
MachineLaunchRestriction
MachineAccessRestriction

On computers that are able to Offer Remote Assistance compared to mine that
cannot, these entries are different.
Thank you!





"Chuck" <Chuck@discussions.microsoft.com> wrote in message
news:80FE139D-932C-432C-89EF-D6CF6C0F8A1D@microsoft.com...
>I was having the same issue with several XP SP2 systems and I don't know
> where the problem originated, but I did get it fixed. You can test this
> out
> for yourself. Look up the registry entry that was mentioned in the
> Support
> Article on a SP1 box, then look at the SP2 box registry key. You will
> notice
> that there are two new keys with the SP2 system. These keys map to two
> group
> policies that can be changed but I noticed that the windows XP SP2 system
> did
> not have all the keys it needed. I looked at a working SP2 system to find
> the correct keys and they are posted below:
>
> I didn't give you the registy file itself, but want you to actually view
> the
> differences between the various systems. I hope that this helps you
> out...
>
> --------------------
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
> "DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
>
> 14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
>
> 00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
>
> 00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
>
> 00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
> 20,00,00,00,20,02,00,00
> "MachineLaunchRestriction"=hex:01,00,04,80,6c,00,00,00,7c,00,00,00,00,00,00,00,\
>
> 14,00,00,00,02,00,58,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
>
> 00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
>
> 00,01,00,00,00,00,00,00,24,00,1f,00,00,00,01,05,00,00,00,00,00,05,15,00,00,\
>
> 00,fd,37,42,40,07,e9,94,2d,8a,a7,32,3f,f0,03,00,00,01,02,00,00,00,00,00,05,\
> 20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
> "MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
>
> 14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
>
> 00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
>
> 00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
> 05,20,00,00,00,20,02,00,00
> "EnableDCOM"="Y"
> "LegacyImpersonationLevel"=dword:00000003
> "LegacyAuthenticationLevel"=dword:00000002
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
> "{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
> "{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
> "{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
> "{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
>
>
>
> "Research Services" wrote:
>
>> Yes, this is mentioned above but I'll list it here again in case we are
>> missing something.
>>
>>
>> "- Through Group Policy, have Enabled both 'Solicited Remote Assistance'
>> and
>> 'Offer Remote Assistance' at
>>
>> Computer Configuration / Administrative Templates / System / Remote
>> Assistance
>>
>> - Added a couple of Domain Admin Groups who are also in the Local
>> Administrators group on all computers with the <domain>\<group> format to
>> the Group Policy above"
>>
>>
>>
>> "mikemelling" <mikemelling.1jjlms@mail.mcse.ms> wrote in message
>> news:mikemelling.1jjlms@mail.mcse.ms...
>> >
>> > Have you configured "Offer Remote Assistance" in Group Policy (Computer
>> > Config/Admin Templates/System/Remote Assistance)?
>> >
>> >
>> >
>> > --
>> > mikemelling
>> > ------------------------------------------------------------------------
>> > Posted via http://www.mcse.ms
>> > ------------------------------------------------------------------------
>> > View this thread: http://www.mcse.ms/message1345511.html
>> >
>>
>>
>>
September 7, 2010 6:54:58 PM

This is the only key that was needed to correct the issue on my PC

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
Anonymous
September 14, 2010 12:47:22 PM

This topic has been closed by Fihart
!