You cannot offer remote assistance to a user whose computer is running Windows XP Service Pack 2

Symptoms

When you try to offer remote assistance to a user whose computer is running Microsoft Windows XP Service Pack 2 (SP2), you are not successful. In this scenario, you may receive the following message:
Permission denied

Cause

This problem may occur if the following conditions are true:
  • One or both of the following Group Policy settings are enabled on the computer that is running Windows XP SP2:
    DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
    DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • The users who try to offer remote assistance are not added to the security permissions of these policies.

Resolution

To resolve this problem on a computer that is a member of a domain, follow these steps:
  1. Create a security group in your domain to contain the user accounts of the remote assistance helpers. For example, create a group that is named Remote Assistance Helpers.
  2. Modify the Group Policy where you enabled the DCOM security-related policies, and then add the Remote Assistance Helpers group with both local and remote access permissions. To do this, follow these steps:
    1. Open the Group Policy object. To do this on the local Windows computer, click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
    3. Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax if this policy is enabled.
    4. Click Edit Security, and then click Add.
    5. Click Locations, click your domain, and then click OK.
    6. Type Remote Assistance Helpers, click Check Names, and then click OK.
    7. Click to select the Remote Access check box in the Allow column, and then click OK.
    8. Click Apply, and then click OK.
    9. Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax if this policy is enabled.
    10. Follow steps 4 through 6 to add the Remote Assistance Helpers security group to this policy.
    11. Click to select all the check boxes in the Allow column, and then click OK.
    12. Click Apply, and then click OK.
    13. Close the Group Policy Object Editor snap-in.
  3. Add the domain group to the helpers list in the Offer Remote Assistance Group Policy if it is not already added. To do this, follow these steps:
    1. On the Windows XP client computer, click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Administrative Templates, expand System, click Remote Assistance, and then double-click Offer Remote Assistance.
    3. Click Show, click Add, type domainname\Remote Assistance Helpers, and then click OK.
    4. Click OK, click Apply, and then click OK.
To resolve this problem on a computer that is not a member of a domain, use the following methods.

Allow Remote Assistance support

To fully enable both Solicited Remote Assistance and Offer-based Remote Assistance connections, you must make the following changes to Group Policy settings. In Solicited Remote Assistance, an invitation is sent from the novice computer. You must perform the following changes on a computer that is running Windows XP with Service Pack 2 or Windows XP 64-bit with Service Pack 1.

Allow Solicited Remote Assistance

If the Allow local program exceptions Windows firewall setting is set to Not Configured (default) or Enabled, no additional configuration is necessary.

If the Allow local program exceptions Windows firewall setting is set to Disabled, or if you have already enabled the Define program exceptions Windows firewall setting, you must add the following program exceptions:
  • %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice
  • %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
Note For computers that are running Windows Server 2003 with Service Pack 1, do not add the exception for Sessmgr.exe. Instead, enable the Windows Firewall: Allow Remote Desktop Exception setting.

Enable Offer-based Remote Assistance

Add the following entry to the Windows Firewall: Define port exceptions setting:
135:TCP:*:Enabled:Offer Remote Assistance
Add the following entries to the Windows Firewall: Define program exceptions setting:
  • %Windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
  • %Windir%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice
  • %Windir%\System32\Sessmgr.exe:*:Enabled:Remote Assistance
For more information about adding entries to the Windows Firewall settings, click the following article number to view the article in the Microsoft Knowledge Base:

301527 How to configure a computer to receive Remote Assistance offers in Windows Server 2003 and in Windows XP

Note When you open TCP port 135, you also allow remote procedure call (RPC) traffic.
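
The entries above all use * in the scope field, which accepts connections from any source address. The following added example (not part of the original article) parses both entry formats and lists the enabled exceptions that are open to any address; the 10.20.30.0/24 subnet and the C:\WINDOWS path in the scoped variant are constructed placeholders, and the parser assumes the exception name contains no colon.

```python
def parse_exception(entry):
    """Parse one Windows Firewall policy entry into its fields.

    Port entries:    port:TCP|UDP:scope:status:name
    Program entries: path:scope:status:name (the path may hold a drive colon)
    """
    fields = entry.split(":")
    if len(fields) >= 5 and fields[0].isdigit() and fields[1].upper() in ("TCP", "UDP"):
        target, scope, status = f"{fields[0]}/{fields[1].upper()}", fields[2], fields[3]
        name = ":".join(fields[4:])
    else:
        # Split from the right so a drive letter such as C: stays in the path.
        target, scope, status, name = entry.rsplit(":", 3)
    return {"target": target, "scope": scope, "status": status, "name": name}

def open_to_any_address(entries):
    """Targets of enabled exceptions whose scope is '*' (any source address)."""
    parsed = (parse_exception(e) for e in entries)
    return [p["target"] for p in parsed
            if p["status"].lower() == "enabled" and p["scope"].strip() == "*"]

# Entries exactly as listed in the article.
PAGE_ENTRIES = [
    "135:TCP:*:Enabled:Offer Remote Assistance",
    r"%Windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance",
    r"%Windir%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice",
    r"%Windir%\System32\Sessmgr.exe:*:Enabled:Remote Assistance",
]
# Constructed variant: scope limited to a placeholder helpdesk subnet.
SCOPED_ENTRIES = [
    "135:TCP:10.20.30.0/24,localsubnet:Enabled:Offer Remote Assistance",
    r"C:\WINDOWS\PCHealth\HelpCtr\Binaries\Helpsvc.exe:10.20.30.0/24:Enabled:Offer Remote Assistance",
]
print(open_to_any_address(PAGE_ENTRIES))    # all four targets, starting with 135/TCP
print(open_to_any_address(SCOPED_ENTRIES))  # empty list
```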

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy determines which users or groups can log on either remotely or locally.

The DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting determines which users or groups may start a process remotely or locally.
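
Both policies are stored as SDDL strings, so the result of the domain procedure can be checked by reading the ACEs directly. The following added example (not part of the original article) reports which COM rights a helper still lacks in each policy; the group SID and the four SDDL strings are constructed samples, and group membership is supplied by the caller rather than resolved.

```python
import re

# SDDL right codes -> COM access-mask bits. In the Access policy EXECUTE_* is
# local/remote access; in the Launch policy EXECUTE_* is launch, ACTIVATE_* activation.
COM_RIGHTS = {"CC": ("EXECUTE", 0x01), "DC": ("EXECUTE_LOCAL", 0x02),
              "LC": ("EXECUTE_REMOTE", 0x04), "SW": ("ACTIVATE_LOCAL", 0x08),
              "RP": ("ACTIVATE_REMOTE", 0x10)}
# Rights the steps above give the helpers group in each policy.
ACCESS_NEEDED = {"EXECUTE_REMOTE"}
LAUNCH_NEEDED = {"EXECUTE_LOCAL", "EXECUTE_REMOTE", "ACTIVATE_LOCAL", "ACTIVATE_REMOTE"}

def parse_mask(rights):
    """Turn an SDDL rights field ('CCDCLC' or '0x7') into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= COM_RIGHTS.get(code, ("", 0))[1]
    return mask

def dcom_rights(sddl, trustees):
    """COM rights that `trustees` (SIDs or aliases) hold once deny ACEs are subtracted."""
    allowed = denied = 0
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) != 6 or fields[5] not in trustees:
            continue
        if fields[0] == "A":
            allowed |= parse_mask(fields[2])
        elif fields[0] == "D":
            denied |= parse_mask(fields[2])
    # Simplification: any matching deny ACE wins, regardless of ACE order.
    effective = allowed & ~denied
    return {name for name, bit in COM_RIGHTS.values() if effective & bit}

def missing_rights(access_sddl, launch_sddl, trustees):
    """Rights still missing for an Offer Remote Assistance helper."""
    return {"access": ACCESS_NEEDED - dcom_rights(access_sddl, trustees),
            "launch": LAUNCH_NEEDED - dcom_rights(launch_sddl, trustees)}

# Constructed sample data: placeholder group SID and restrictive policies.
HELPERS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
TRUSTEES = {HELPERS, "WD"}  # the helpers group plus Everyone
ACCESS_BEFORE = "O:BAG:BAD:(A;;CCDCLC;;;BA)(A;;CCDC;;;WD)"
LAUNCH_BEFORE = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
ACCESS_AFTER = ACCESS_BEFORE + f"(A;;CCDCLC;;;{HELPERS})"
LAUNCH_AFTER = LAUNCH_BEFORE + f"(A;;CCDCLCSWRP;;;{HELPERS})"
print(missing_rights(ACCESS_BEFORE, LAUNCH_BEFORE, TRUSTEES))
print(missing_rights(ACCESS_AFTER, LAUNCH_AFTER, TRUSTEES))
```

A non-empty set in the first result corresponds to the "Permission denied" symptom; both sets are empty once the helpers group has been added to each policy.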

For additional information about security-related policy settings in Windows XP Service Pack 2, visit the following Microsoft Web site:

For more information about Remote Assistance in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

300546 Overview of Remote Assistance in Windows XP

Properties

Article ID: 884910 - Last Review: Jun 20, 2014 - Revision: 1
