Microsoft KB Archive/884910

= You cannot offer remote assistance to a user whose computer is running Windows XP Service Pack 2 =

Article ID: 884910

Article Last Modified on 7/30/2007

-

APPLIES TO


 * Microsoft Windows XP Service Pack 2

-





SYMPTOMS
When you try to offer remote assistance to a user whose computer is running Microsoft Windows XP Service Pack 2 (SP2), you are not successful. In this scenario, you may receive the following message:

Permission denied



CAUSE
This problem may occur if the following conditions are true:  One or both the following Group Policy settings are enabled on the computer that is running Windows XP SP2:

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

 The users who try to offer remote assistance are not added to the security permissions of these policies.



RESOLUTION
To resolve this problem on a computer that is a member of a domain, follow these steps:  Create a security group in your domain to contain the remote assistance helper's user accounts. For example, create a group that is named Remote Assistance Helpers. Modify the Group Policy where you enabled the DCOM security-related policies, and then add the Remote Assistance Helpers group with both local and remote access permissions. To do this, follow these steps:  Open the Group Policy object. To do this on the local Windows computer, click Start, click Run, type gpedit.msc, and then click OK.</li> Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.</li> Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax if this policy is enabled.</li> Click Edit Security, and then click Add.</li> Click Locations, click your domain, and then click OK.</li> Type Remote Assistance Helpers, click Check Names, and then click OK.</li> Click to select the Remote Access check box in the Allow column, and then click OK.</li> Click Apply, and then click OK.</li> Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax if this policy is enabled.</li> Follow steps d through f to add the Remote Assistance Helpers security group to this policy.</li> Click to select all the check boxes in the Allow column, and then click OK.</li> Click Apply, and then click OK.</li> Close the Group Policy Object Editor snap-in.</li></ol> </li> Add the domain group to the helpers list in the Offer Remote Assistance Group Group Policy if it is not already added. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> On the Windows XP client computer, click Start, click Run, type gpedit.msc, and then click OK.</li> Expand Computer Configuration, expand Administrative Templates, expand System, click Remote Assistance, and then double-click Offer Remote Assistance.</li> Click Show, click Add, type \Remote Assistance Helpers, and then click OK.</li> <li>Click OK, click Apply, and then click OK.</li></ol> </li></ol>

To resolve this problem on a computer that is not a member of a domain, use the following methods.

Allow Remote Assistance support
To fully enable both Solicited Remote Assistance and Offer-based Remote Assistance connections, you must make the following changes to Group Policy settings. In Solicited Remote Assistance, an invitation is sent from the novice computer. You must perform the following changes on a computer that is running Windows XP with Service Pack 2 or Windows XP 64-bit with Service Pack 1.

Allow Solicited Remote Assistance
If the Allow local program exceptions Windows firewall setting is set to Not Configured (default) or Enabled, no additional configuration is necessary.

If the Allow local program exceptions Windows firewall setting is set to Disabled, or if you have already enabled the Define program exceptions Windows firewall setting, you must add the following program exceptions:
 * %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice
 * %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance

Note For computers that are running Windows Server 2003 with Service Pack 1, do not add the exception for Sessmgr.exe. Instead, enable the Windows Firewall: Allow Remote Desktop Exception setting.

Enable Offer-based Remote Assistance
Add the following entry to the Windows Firewall: Define port exceptions setting:

135:TCP:*:Enabled:Offer Remote Assistance

Add the following entries to the Windows Firewall: Define program exceptions setting:
 * %Windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
 * %Windir%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice
 * %Windir%\System2\Sessmgr.exe:*:Enabled:Remote Assistance

For more information about adding entries to the Windows Firewall settings, click the following article number to view the article in the Microsoft Knowledge Base:

301527 How to configure a computer to receive Remote Assistance offers in Windows Server 2003 and in Windows XP

Note When you open TCP port 135, you also allow remote procedure call (RPC) traffic.

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy determines which users or groups can log on either remotely or locally.

The DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting determines which users or groups may start a process remotely or locally.

For additional information about security-related policy settings in Windows XP Service Pack 2, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb457148.aspx

For more information about Remote Assistance in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

300546 Overview of Remote Assistance in Windows XP

Keywords: kbnofix kbbug kbsecurity kbpolicy kbinfo kbtshoot kbprb KB884910

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.