Quickly Offer Windows Remote Assistance by Adding a Context Menu Item in Active Directory

This article assumes the following products are in use (other versions may also work):
 Microsoft Windows Server 2008 R2
 Microsoft Windows 7 SP1
 Microsoft Active Directory

Section One: Configure Unsolicited Windows Remote Assistance
1. Connect to a domain controller, launch Group Policy Management, and edit your relevant Computer (Workstation) policy.

2. In Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > System > Remote Assistance

3. Double-click the 'Offer Remote Assistance' policy

4. Select 'Allow helpers to remotely control the computer'

5. Click the Show... button, and enter the domain\user or domain\group who will have access to provide remote assistance (i.e. your IT team).

6. Click OK. You may wish to configure the other policies in this location to suit your organisation.

7. By default, helpers are unable to remotely respond to UAC requests (frustrating if the user needs to enter administrator credentials and you can't see their screen due to the Secure Desktop). To change this behaviour, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

8. Enable the "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" policy.

At this point (after the policies replicate and take effect throughout your domain), your helpdesk team (running Windows 7) can now click Start, type Windows Remote Assistance (or part thereof), then click 'Help someone who has invited you', then 'Advanced connection option for help desk', and then type the computer name or IP address for the user who has requested assistance to connect.
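
To confirm on a workstation that the Section One policies have actually applied, the registry values they write can be read back. This is an added example, not part of the original article; Get-OfferRAPolicyState is a hypothetical function name, and the last property reports the step 8 setting, which moves UIAccess elevation prompts off the secure desktop.

```powershell
# Added example: report whether the Section One policies have reached
# this computer's registry. Run locally on the workstation being checked.
function Get-OfferRAPolicyState {
    $ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $tsValues  = Get-ItemProperty -Path $ts  -ErrorAction SilentlyContinue
    $uacValues = Get-ItemProperty -Path $uac -ErrorAction SilentlyContinue

    # Accounts entered with the Show... button (step 5) are stored as
    # value names under the RAUnsolicit subkey.
    $helpers = @()
    $raKey = Get-Item -Path "$ts\RAUnsolicit" -ErrorAction SilentlyContinue
    if ($raKey) { $helpers = @($raKey.GetValueNames() | Where-Object { $_ }) }

    New-Object PSObject -Property @{
        OfferRAEnabled            = ($tsValues.fAllowUnsolicited -eq 1)
        HelpersCanControl         = ($tsValues.fAllowUnsolicitedFullControl -eq 1)
        Helpers                   = $helpers
        UacPromptOffSecureDesktop = ($uacValues.EnableUIADesktopToggle -eq 1)
    }
}

$state = Get-OfferRAPolicyState
$state | Format-List OfferRAEnabled, HelpersCanControl, Helpers, UacPromptOffSecureDesktop

# An enabled policy with an empty helper list means step 5 was missed
# or the policy has not fully applied yet.
if ($state.OfferRAEnabled -and -not $state.Helpers) {
    Write-Warning 'Offer Remote Assistance is enabled but no helpers are listed (step 5).'
}
```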

The purpose of this article (in the following sections) is to speed up this process by launching Windows Remote Assistance by right-clicking on a computer object in Active Directory, then clicking a new menu item we will create called 'Offer Remote Assistance'.

Section Two: Create a VB Script to Run When the New Context Menu Item is Clicked
1. Open Notepad and copy the following code:
Const E_ADS_PROPERTY_NOT_FOUND = -2147463155

' Receive the computer name from Active Directory Users and Computers
Set wshArguments = WScript.Arguments
Set objComputer = GetObject(wshArguments(0))

' Launch Windows Remote Assistance (msra)
Set wshShell = WScript.CreateObject("WScript.Shell")
wshShell.Run "msra /offerRA " & objComputer.CN

Set wshShell = Nothing
Set objComputer = Nothing
Set wshArguments = Nothing


2. Click File > Save > and name the file ADOfferRemoteAssistance.vbs

3. Ensure that Windows has not added a .txt file extension to the filename.

4. Copy the file to a publicly accessible location within your domain, such as \\DirectoryController\NETLOGON\ADScripts\ADOfferRemoteAssistance.vbs (avoid creating spaces in the file path).

At this point the script is ready to use (you may wish to expand it further with Operating System recognition or other error handling). If you double-click the script to run it, it will fail due to the computer object parameter being absent.

Section Three: Add the Context Menu to Active Directory
1. Connect to your domain controller (RDP) again and launch adsiedit.msc

- Warning - Carelessly making changes in ADSI Edit can cause serious problems in your network directory. No responsibility will be assumed by Experts-Exchange or the article author for changes you make to your system.

2. Connect to your domain controller (or click Action > Settings if already connected), then change the Connection Point to 'well known Naming Context' Configuration, and click OK.

3. In the left panel, expand your server (Default naming context) > CN=Configuration... > CN=DisplaySpecifiers > CN=409

4. In the middle panel, right-click CN=computer-Display, and click Properties.

5. Select the adminContextMenu attribute and click the Edit button. (If you are lacking permissions you will see a View button instead).

6. Examine the list of Values. Each begins with a unique number, then a context menu description, followed by the command to run, delimited by commas.

7. If you already have a non-working entry for 'Remote Control', you may wish to remove it.

8. Enter the following value in the text box, replacing the first number with a unique one if necessary, and changing the file path to match where you saved your VB Script file:
2,Offer Remote Assistance,\\DirectoryController\NETLOGON\ADscripts\ADOfferRemoteAssistance.vbs


9. Click Add, then OK, OK. If you already had Active Directory Users and Computers running on your workstation or server, close and relaunch it again to see the changes.
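
The command in an adminContextMenu value runs under the account of whoever clicks it in Active Directory Users and Computers, so the attribute and the script file it names should be writable only by administrators. The following added example (not part of the original article) lists the entries on CN=computer-Display and the accounts that hold write access to each referenced file; it assumes the ActiveDirectory PowerShell module is installed, and Get-AdminContextMenuAudit is a hypothetical function name.

```powershell
# Added example: audit adminContextMenu entries and the ACL of each
# script or program they point to. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdminContextMenuAudit {
    param([string]$Locale = '409', [string]$Specifier = 'computer-Display')

    $config = (Get-ADRootDSE).configurationNamingContext
    $dn     = "CN=$Specifier,CN=$Locale,CN=DisplaySpecifiers,$config"
    $obj    = Get-ADObject -Identity $dn -Properties adminContextMenu

    # Rights that let a principal change or replace the file, plus the raw
    # GENERIC_ALL / GENERIC_WRITE bits that can appear in inherited ACEs.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $mask = $mask -bor 0x10000000 -bor 0x40000000

    foreach ($value in $obj.adminContextMenu) {
        # Step 6 format: number, menu text, command. Limit the split to 3
        # parts so commas inside the command are kept. Two-part values are
        # "number,{CLSID}" shell extensions and have no file to check.
        $parts = $value -split ',', 3
        $menuText = $null; $command = $null; $exists = $null; $writers = @()
        if ($parts.Count -eq 3) {
            $menuText = $parts[1]
            $command  = $parts[2].Trim()
            $exists   = Test-Path -LiteralPath $command
            if ($exists) {
                $writers = @((Get-Acl -Path $command).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   ([int]$_.FileSystemRights -band $mask) } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique)
            }
        }
        New-Object PSObject -Property @{
            Order       = $parts[0]
            MenuText    = $menuText
            Command     = $command
            FileExists  = $exists
            WriteAccess = $writers
        }
    }
}

Get-AdminContextMenuAudit | Format-List Order, MenuText, Command, FileExists, WriteAccess
```

Any account in WriteAccess that is not an administrative group, or an entry whose file no longer exists, is worth reviewing before the menu item is used.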
