Help remote users run Windows Server 2003 SP1

Please let us know how useful you find this tip by rating it below. Do you have a useful Windows tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize!

Often, it is not possible to offer remote assistance to a user whose computer is running Microsoft Windows Server 2003 with Service Pack 1 (SP1). You may receive the following message: "Permission denied."

This problem may occur if the following conditions are true:

One or both of the following Group Policy settings are enabled on the computer that is running Windows Server 2003 with SP1:
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

The users who try to offer remote assistance do not have security permissions for these policies. To resolve this problem, follow these steps:

1. Create a security group in your domain to contain the user accounts of remote assistance helpers. For example, create a group that is named "Remote Assistance Helpers."

2. Modify Group Policy settings for the Active Directory container where you enabled the DCOM security-related policies. (For example, modify the site, the domain, or the organizational unit.) Add the Remote Assistance Helpers group, and then assign both local and remote access permissions to the group. To do this, follow these steps:
   
   a. Click Start, point to All Programs, point to Administrative Tools and then click Active Directory Users and Computers.
   b. Locate the container where you enabled the DCOM security-related policies.
   c. Right-click the container, click Properties and then click the Group Policy tab.
   d. In the list of Group Policy Object Links, click the Group Policy Object (GPO) that contains the DCOM security-related policies and then click Edit.
   e. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies and then click Security Options.
   f. Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax if policy is enabled.
   g. Click Edit Security and then click Add.
   h. Click Locations, click your domain and then click OK.
   i. Type Remote Assistance Helpers, click Check Names and then click OK.
   j. Click to select the Remote Access check box in the Allow column and then click OK.
   k. Click Apply and then click OK.
   l. Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax if policy is enabled.
   m. Follow steps d through f to add the Remote Assistance Helpers security group to this policy.
   n. Click to select all the check boxes in the Allow column and then click OK.
   o. Click Apply and then click OK.
   p. Close Group Policy Object Editor, click OK on the Active_Directory_Container Properties dialog box and then close Active Directory Users and Computers.

3. Add the domain group to the helpers list in the Offer Remote Assistance Group policy if it is not already added. To do this, follow these steps:
   
   a. Click Start, point to All Programs, point to Administrative Tools and then click Active Directory Users and Computers.
   b. Locate the container where you enabled the DCOM security-related policies.
   c. Right-click the container, click Properties and then click the Group Policy tab.
   d. In the list of Group Policy Object Links, click the GPO that contains the DCOM security-related policies and then click Edit.
   e. Expand Computer Configuration, expand Administrative Templates, expand System, click Remote Assistance and then double-click Offer Remote Assistance.
   f. Click Show, click Add, type Domain_Name\Remote Assistance Helpers Group and then click OK.
   g. Click OK, click Apply and then click OK.

This article first appeared in myITforum.com, the online destination for IT professionals who manage their corporations' Microsoft Windows systems. It is also part of the TechTarget network of industry specific IT Web sites. The centerpiece of myITforum.com is a collection of member forums where IT professionals exchange technical tips, share their expertise and download utilities that help them better manage their Windows environments, specifically Microsoft Systems Management Server (SMS).

Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft Windows Server 2003 Administration How to install Windows Server 2003 patches when offline Validating Windows server clusters with ClusPrep Exploring the Windows Server 2003 Resource Kit: Clusfileport.dll Exploring the Windows Server 2003 Resource Kit: Cmdhere.inf and CMGetCer.inf Windows server security management: Security expert roundup Windows server management with Remote Desktop Avoid DC restoration problems with authoritative restore Exploring the Windows Server 2003 Resource Kit: Confdisk.exe Exploring the Windows Server 2003 Resource Kit: Compress.exe and Expand.exe Exploring the Windows Server 2003 Resource Kit: Clusterrecovery.exe Microsoft Windows Server 2003 Administration Research Microsoft Systems and Network Troubleshooting DNS troubleshooting best practices Troubleshooting tops Windows admins' most tedious tasks Troubleshooting Windows application crashes or hangs Troubleshooting poor Windows logon performance in Active Directory environments Immediate steps for Windows disaster recovery Quick hits: Troubleshooting service account failure, batch job execution Case Study: Troubleshooting Windows service dependency failures Troubleshooting common Windows service failures How can I boot to a floppy and receive a command prompt without being directed to the system drive? RRAS utility in Windows Server 2003 traces network problems Microsoft Group Policy Management How to use Group Policy to centralize system configurations Group Policy management gets a boost with MDOP 2009 R2 Using software restriction policies in Windows Group Policy makes strides in Windows Server 2008 R2 Using Active Directory to manage Macs in a Windows environment Group Policy Object modeling simplifies network security Microsoft Group Policy Tutorial Is a Group Policy setting changing my user rights? Mastering account lockout values in Group Policy Group Policy Object security in Windows RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Group Policy Object  (SearchWindowsServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.