Offering Remote Assistance in Windows XP
Step by step directions on how to configure XP through group policies in order
to allow Remote Assistance to function without the cumbersome invitation system.
Last Revised: May 24th, 2007
The goal of this document is to help you use invitation-free Remote Assistance on
XP workstations in your Active Directory domain. The key components are a few
Group Policy settings and and optional .msi package to streamline the connection
process. Offered Remote Assistance (ORAS) is a much faster and better option in
many ways to other remote control programs such as VNC or the slew of web-based
options. One key benefit is that it's already paid for as part of your XP license
so there is ZERO additional cost. The other major benefit is that it uses the RDP
protocol which is exponentially faster than VNC over slow connections.
- Required Materials
- Setting the GPO
- Connecting via Offered Remote Assistance (ORAS)
- Optional auto-allow .msi Package
Here are the things you will need to get started. I have included links to files where appropriate.
Install the GPMC on your workstation or a server you have RDP access to. If you have not used it before
it represents a major leap in management of your GPOs. Take a moment to familiarize yourself with it as the
basics of creating, editing and assigning GPOs will not be covered here. Also not covered is importing XP's
administrative templates into a Windows 2000 server. If you are running Windows 2000 servers, you'll want
to do a quick search on how to accomplish this.
Setting the GPO
The first step is to create, assign and then enable a GPO that tells your workstations to turn on their
persistant Remote Assistance listener so that you can connect to PCs without your users having to go
through the atrocious process of sending you an invitation.
- Create a new GPO and assign it to the OU(s) where your user accounts are stored. Disable it until your editing is complete.
Computer Configuration navigate to
Administrative Templates/System/Remote Assistance
Offer Remote Assistance
- Set the policy to
Enabled change the drop-down box to
Allow helpers to remotely control the computer
- Open the
Helpers list by clicking
- This is where you will add AD users/groups who are permitted to connect via Remote Assistance. Dommain Admins are a good start,
as well as secondary group of users who may not be admins but need to support users, such as a help desk.
- PLEASE NOTE: This
box is NOT a typical AD user search box. Your entries will NOT be verified for accuracy like when assigning file permissions.
If you type
YOURDOMAIN\Domain Admnis it will gladly accept this entry and your configuration will NOT function.
- Add group and user names in the format of
- Enable the GPO.
Connecting via Offered Remote Assistance
Once the GPO has been assigned, it'll take a GP refresh for the workstations to configure the policy. Depending
on how your AD environment is set up, this could take 30 minutes or a reboot. Make sure that the workstation
you wish to test ORAS on has had enough time to apply the new policy. If you're in doubt, double check using
The optional package listed below disables the two "Allow/Deny" prompts on the end-user side by changing the
ORAS scripts to auto-click "Allow". This lets you connect, take control, and reconnect at will. It is not
required for ORAS to function on your domain, but is included as a convienence.
- Create a new shortcut on your desktop or another handy location. Enter
as the location. Name it "Offer Remote Assistance"
- Enter the hostname or IP of a computer you wish to support.
- If there are no users logged in, you will get an error. Otherwise the user logged in should show in the second box.
Start Remote Assistance
- Upon connecting, the remote user will be shown a dialog box announcing your username and that you wish to share their session.
Instruct them to click "Allow" and you will be shown their desktop in view-only mode.
- Click "Take Control" and after another "Allow or Deny" dialog at the end-user's side, you will be now BOTH be control
of the keyboard and mouse. Please note that control is shared, and that if both you and the end-user use the mouse at
the same time, you can expect poor results.
- When finished, you can close the support window, your view/control session is terminated the user can carry on
with their business.
Optional auto-click .msi Package
This package, when installed, will modify two .htm files burried deep in the C:\Windows folder to enable
automatic Allowing of ORAS connections and take-control requests. This may not be desirable in all
situations, where you may be worried that some help-desk personnel could sneak into an unlocked workstation
where an administrator was logged in, or in an environment where you truly wanted all users to control
whether or not even administrators could view their sessions. If those sound like problems for you, then
you can either selectively apply the package to certain workstations, or not apply it at all. This step
is ENTIRELY optional.
Take a moment to examine the contents of the zip file before applying it to any workstations in your domain.
I have not compiled all the files into the .msi so that you can make sure that I am in no way sneaking a root
kit or virus on to your network. You could also load and examine the .msi itself using any number of .msi
- Create, assign, and disable a GPO on the OU(s) where your XP workstations are stored.
- Unzip the contents of oras_update.zip and place on a network share with appropriate permissions.
Computer Configuration/Software Settings add the .msi using a UNC as an assigned package.
- Allow time for your workstations to reboot and apply the update.
If everything has gone as planned, you should now be able to connect into and support all of your
XP workstations using nothing other than the RDP server that all XP installs come with. If you have
any questions beyond the basics of creating and configuring GPOs, feel free to send me an email.
Emails requesting help with basic GPO/AD tasks will be politely directed to purchase this book:
Mastering Windows Server 2003