Remote Assistance and Access Level

Posted on 2011-05-10
Last Modified: 2012-05-11
Hhi guys hope you are well and can assist.

Guys, we have an AD 2003 environment with Windows XP and Windows 7.

We are using Remote Assistance but do not want the helpers of Remote Assistance to have local admin access.

We want them to be able to do stuff, so the group policy we have set is as follows:

Computer Configuration >> Administrative Templates >> System >> Remote Assistance >> Offer Remote Assistance

There are 2 options in here to set the degree of access for these helpers:

1) Allow helpers to remotely control the computer
2) Allow helpers to only view the computer.

My question is this.

We have selected option 1) above.

Does that mean that the helper has FULL LOCAL ADMIN access to the machine in which they help, regardless of whether the helper is a member of the local admins group on the destination computer in which they help?

Basically, we want to allow certain users to offer help by way of Remote Assistance but NOT allow them FULL LOCAL ADMIN access to the machine.

Any help greatly appreciated.
Question by:Simon336697
    LVL 70

    Accepted Solution

    Remote Assistance helpers take over the current logged in users session (with the users permission), so the have only the rights that the local user has.
    LVL 23

    Assisted Solution

    by:Brian Gee
    ^ I concur with the above. Strictly remote control, no login permissions change upon remote control initiation.
    LVL 1

    Author Comment

    Hi guys, thanks for your help.

    I thought that the Remote Assistance helpers actually log on to the destination machine by activating the Help Assistant account, which is a Terminal Service account.

    as per below:

    ".............Because Remote Assistance uses the Terminal Service account of Help Assistant, the permissions of the account have some effects on Remote Assistance..."

    I see this account on XP systems, but do not see this on Windows 7 machines.

    LVL 1

    Author Comment

    As per following:

    "...Terminal Services on the Expert computer passes the credentials for the HelpAssistant account to the GINA on the Novice's computer. If the credentials are accepted, the Expert logs on to the Novice's computer using the HelpAssistant account.
    Remote Assistance displays a message asking the Novice if they want to start a Remote Assistance session with the Expert at that time. If the Novice is logged on to multiple sessions, each session receives this prompt...."
    LVL 23

    Assisted Solution

    by:Brian Gee
    What happens if I select the "Allow <helper> to respond to User Account Control prompts" check box?

    This check box appears on the message that you see when your helper asks to share control of your desktop. If you select this check box, your helper can respond to requests from the computer for administrator consent or administrator credentials, such as a user name or password. Then your helper can run administrator-level programs without needing your participation.

    You can allow your helper to run administrator-level programs only if you can run them yourself. You will be asked for consent or credentials before giving your helper these abilities.
    LVL 2

    Assisted Solution

    they got the full admin privileges
    to restrict them provide access rights only for "read only"
    now they can help on every manner without annoying u

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    I came across this issue when setting up a two way forest level trust. so here's the scenario: A company wildcards acquired another company, bizworks ( both Fictitious). Wild cards: windows 2003 Domain & forest functional levels - Ad domain na…
    Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    7 Experts available now in Live!

    Get 1:1 Help Now