Offering Remote Assistance in Windows XP

Step-by-step directions on how to configure XP through Group Policy so that Remote Assistance works without the cumbersome invitation system.


Joshua Cantara
Last Revised: May 24th, 2007

Summary

The goal of this document is to help you use invitation-free Remote Assistance on XP workstations in your Active Directory domain. The key components are a few Group Policy settings and an optional .msi package to streamline the connection process. Offered Remote Assistance (ORAS) is in many ways a much faster and better option than other remote control programs such as VNC or the slew of web-based options. One key benefit is that it's already paid for as part of your XP license, so there is ZERO additional cost. The other major benefit is that it uses RDP, which is exponentially faster than VNC over slow connections.

Index

  1. Required Materials
  2. Setting the GPO
  3. Connecting via Offered Remote Assistance (ORAS)
  4. Optional auto-allow .msi Package

Required Materials

Here are the things you will need to get started. I have included links to files where appropriate. Install the GPMC on your workstation or on a server you have RDP access to. If you have not used it before, it represents a major leap in the management of your GPOs. Take a moment to familiarize yourself with it, as the basics of creating, editing and assigning GPOs will not be covered here. Also not covered is importing XP's administrative templates into a Windows 2000 server. If you are running Windows 2000 servers, you'll want to do a quick search on how to accomplish this.

Setting the GPO

The first step is to create, assign and then enable a GPO that tells your workstations to turn on their persistent Remote Assistance listener, so that you can connect to PCs without your users having to go through the atrocious process of sending you an invitation.

Connecting via Offered Remote Assistance

Once the GPO has been assigned, it'll take a GP refresh for the workstations to configure the policy. Depending on how your AD environment is set up, this could take 30 minutes or a reboot. Make sure that the workstation you wish to test ORAS on has had enough time to apply the new policy. If you're in doubt, double check using rsop.msc. The optional package listed below disables the two "Allow/Deny" prompts on the end-user side by changing the ORAS scripts to auto-click "Allow". This lets you connect, take control, and reconnect at will. It is not required for ORAS to function on your domain, but is included as a convenience.
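As a complement to rsop.msc, the policy can also be checked directly in the workstation's registry. The following is an added example, not part of the original article or its download: it assumes the standard registry location of the "Offer Remote Assistance" policy (fAllowUnsolicited, fAllowUnsolicitedFullControl and the RAUnsolicit helper list), and the function name Get-OrasPolicy and the list of broad groups are hypothetical choices made for illustration.

```powershell
# Added example: report whether Offer Remote Assistance is enabled by policy on
# this machine, whether helpers may take control, and who the helpers are.
# Assumption: the policy writes its values under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-OrasPolicy {
    param([string]$Key = $PolicyKey)

    # Missing key or values simply mean the GPO has not been applied yet.
    $policy    = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $helperKey = Join-Path $Key 'RAUnsolicit'
    $helpers   = @()
    if (Test-Path $helperKey) {
        # Each value under RAUnsolicit names one permitted helper (user or group).
        $helpers = @((Get-Item $helperKey).GetValueNames())
    }

    New-Object PSObject -Property @{
        Offered     = ($policy.fAllowUnsolicited -eq 1)
        FullControl = ($policy.fAllowUnsolicitedFullControl -eq 1)
        Helpers     = $helpers
    }
}

$state = Get-OrasPolicy
if (-not $state.Offered) {
    Write-Output 'Offer Remote Assistance is not enabled by policy on this machine.'
} else {
    Write-Output ("Offered RA enabled. Full control allowed: {0}" -f $state.FullControl)
    if ($state.Helpers.Count -eq 0) {
        Write-Output 'No helpers are listed in the policy.'
    }
    foreach ($helper in $state.Helpers) {
        # Flag helper entries that grant the right to very broad groups
        # (constructed list; adjust to your own domain's naming).
        $broad = $helper -match 'Everyone|Domain Users|Authenticated Users'
        $note  = ''
        if ($broad) { $note = '  <-- review: broad group' }
        Write-Output ("  helper: {0}{1}" -f $helper, $note)
    }
}
```

Reviewing the helper list matters most on workstations that also receive the optional auto-allow package, since there the helper list is the only remaining control on who can view or take over a session.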

Optional auto-click .msi Package

This package, when installed, will modify two .htm files buried deep in the C:\Windows folder to enable automatic allowing of ORAS connections and take-control requests. This may not be desirable in all situations: you may be worried that some help-desk personnel could sneak into an unlocked workstation where an administrator was logged in, or you may be in an environment where you truly want all users to control whether or not even administrators can view their sessions. If those sound like problems for you, then you can either selectively apply the package to certain workstations, or not apply it at all. This step is ENTIRELY optional. Take a moment to examine the contents of the zip file before applying it to any workstations in your domain. I have not compiled all the files into the .msi so that you can make sure that I am in no way sneaking a rootkit or virus onto your network. You could also load and examine the .msi itself using any number of .msi editors.

Conclusion

If everything has gone as planned, you should now be able to connect into and support all of your XP workstations using nothing other than the RDP server that all XP installs come with. If you have any questions beyond the basics of creating and configuring GPOs, feel free to send me an email. Emails requesting help with basic GPO/AD tasks will be politely directed to purchase this book: Mastering Windows Server 2003