Microsoft KB Archive/889248

= You cannot offer remote assistance to a user whose computer is running Windows Server 2003 with Service Pack 1 =

Article ID: 889248

Article Last Modified on 10/30/2006

-

APPLIES TO

Microsoft Windows Server 2003 Service Pack 1, when used with:

* Microsoft Windows Server 2003, Standard Edition (32-bit x86)
* Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
* Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
* Microsoft Windows Server 2003, Web Edition
* Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
* Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

-


SYMPTOMS
When you try to offer remote assistance to a user whose computer is running Microsoft Windows Server 2003 with Service Pack 1 (SP1), you are not successful. You may receive the following message:

Permission denied


CAUSE
This problem may occur if the following conditions are true:

* One or both of the following Group Policy settings are enabled on the computer that is running Windows Server 2003 with SP1:
  * DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
  * DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
* The users who try to offer remote assistance do not have security permissions for these policies.


RESOLUTION
To resolve this problem, follow these steps:

1. Create a security group in your domain to contain the user accounts of remote assistance helpers. For example, create a group that is named "Remote Assistance Helpers".
2. Modify Group Policy settings for the Active Directory container where you enabled the DCOM security-related policies. (For example, modify the site, the domain, or the organizational unit.) Add the Remote Assistance Helpers group, and then assign both local and remote access permissions to the group. To do this, follow these steps:
   a. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
   b. Locate the container where you enabled the DCOM security-related policies.
   c. Right-click the container, click Properties, and then click the Group Policy tab.
   d. In the list of Group Policy Object Links, click the Group Policy object (GPO) that contains the DCOM security-related policies, and then click Edit.
   e. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
   f. Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax if this policy is enabled.
   g. Click Edit Security, and then click Add.
   h. Click Locations, click your domain, and then click OK.
   i. Type Remote Assistance Helpers, click Check Names, and then click OK.
   j. Click to select the Remote Access check box in the Allow column, and then click OK.
   k. Click Apply, and then click OK.
   l. Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax if this policy is enabled.
   m. Follow steps d through f to add the Remote Assistance Helpers security group to this policy.
   n. Click to select all the check boxes in the Allow column, and then click OK.
   o. Click Apply, and then click OK.
   p. Close Group Policy Object Editor, click OK on the Properties dialog box, and then close Active Directory Users and Computers.
3. Add the domain group to the helpers list in the Offer Remote Assistance Group policy if it is not already added. To do this, follow these steps:
   a. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
   b. Locate the container where you enabled the DCOM security-related policies.
   c. Right-click the container, click Properties, and then click the Group Policy tab.
   d. In the list of Group Policy Object Links, click the GPO that contains the DCOM security-related policies, and then click Edit.
   e. Expand Computer Configuration, expand Administrative Templates, expand System, click Remote Assistance, and then double-click Offer Remote Assistance.
   f. Click Show, click Add, type \, and then click OK.
   g. Click OK, click Apply, and then click OK.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy determines the users or groups that can log on remotely or locally.

The DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting determines the users or groups that may start a process remotely or locally.
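To check the result of the Resolution steps without opening the security editor, the SDDL string of each policy can be decoded into the check boxes it represents. The following is an added example, not part of the original article or Microsoft code; the group SID and both SDDL strings are constructed sample values, and only ACEs that name the group directly are evaluated (memberships are not resolved).

```python
import re

# SDDL two-letter right tokens and the access-mask bit each one sets.
SDDL_BITS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}
# Meaning of those bits (COM_RIGHTS_* values) in each DCOM machine-wide policy.
ACCESS_RIGHTS = {0x02: "Local Access", 0x04: "Remote Access"}
LAUNCH_RIGHTS = {0x02: "Local Launch", 0x04: "Remote Launch",
                 0x08: "Local Activation", 0x10: "Remote Activation"}

def parse_mask(rights):
    """Convert an ACE rights field (hex or letter pairs) to an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in re.findall("..?", rights):
        if token not in SDDL_BITS:
            raise ValueError(f"unsupported SDDL right {token!r}")
        mask |= SDDL_BITS[token]
    return mask

def allowed_rights(sddl, trustee, names):
    """Rights that allow ACEs grant directly to trustee, minus any denies."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in SDDL string")
    allow = deny = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {ace!r}")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if sid != trustee:
            continue
        if ace_type == "A":
            allow |= parse_mask(rights)
        elif ace_type == "D":
            deny |= parse_mask(rights)
    return [name for bit, name in names.items() if allow & ~deny & bit]

def missing_rights(sddl, trustee, names):
    """Check boxes from the policy editor that the trustee still lacks."""
    granted = allowed_rights(sddl, trustee, names)
    return [name for name in names.values() if name not in granted]

# Constructed samples: the SID stands in for "Remote Assistance Helpers".
HELPERS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ACCESS_SDDL = f"O:BAG:BAD:(A;;CCDCLC;;;BA)(A;;CCDC;;;{HELPERS})"
LAUNCH_SDDL = f"O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;0x1f;;;{HELPERS})"

if __name__ == "__main__":
    print("Access policy missing:", missing_rights(ACCESS_SDDL, HELPERS, ACCESS_RIGHTS))
    print("Launch policy missing:", missing_rights(LAUNCH_SDDL, HELPERS, LAUNCH_RIGHTS))
```

In the sample access policy the group was given only Local Access, so the check reports Remote Access as missing; the sample launch policy has all four check boxes set.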

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Keywords: kbwinservnetwork kbsecurityservices kbnofix kbsecurity kbpolicy kbbug kbtshoot kbprb KB889248

-


© Microsoft Corporation. All rights reserved.