• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 792
  • Last Modified:

Remote Assistance and Access Level

Hhi guys hope you are well and can assist.

Guys, we have an AD 2003 environment with Windows XP and Windows 7.

We are using Remote Assistance but do not want the helpers of Remote Assistance to have local admin access.

We want them to be able to do stuff, so the group policy we have set is as follows:

Computer Configuration >> Administrative Templates >> System >> Remote Assistance >> Offer Remote Assistance

There are 2 options in here to set the degree of access for these helpers:

1) Allow helpers to remotely control the computer
2) Allow helpers to only view the computer.

My question is this.

We have selected option 1) above.

Does that mean that the helper has FULL LOCAL ADMIN access to the machine in which they help, regardless of whether the helper is a member of the local admins group on the destination computer in which they help?

Basically, we want to allow certain users to offer help by way of Remote Assistance but NOT allow them FULL LOCAL ADMIN access to the machine.

Any help greatly appreciated.
4 Solutions
Remote Assistance helpers take over the current logged in users session (with the users permission), so the have only the rights that the local user has.
Brian GeeCommented:
^ I concur with the above. Strictly remote control, no login permissions change upon remote control initiation.
Simon336697Author Commented:
Hi guys, thanks for your help.

I thought that the Remote Assistance helpers actually log on to the destination machine by activating the Help Assistant account, which is a Terminal Service account.

as per below: http://support.microsoft.com/kb/305898

".............Because Remote Assistance uses the Terminal Service account of Help Assistant, the permissions of the account have some effects on Remote Assistance..."

I see this account on XP systems, but do not see this on Windows 7 machines.

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Simon336697Author Commented:
As per following:  http://support.microsoft.com/kb/300692

"...Terminal Services on the Expert computer passes the credentials for the HelpAssistant account to the GINA on the Novice's computer. If the credentials are accepted, the Expert logs on to the Novice's computer using the HelpAssistant account.
Remote Assistance displays a message asking the Novice if they want to start a Remote Assistance session with the Expert at that time. If the Novice is logged on to multiple sessions, each session receives this prompt...."
Brian GeeCommented:
What happens if I select the "Allow <helper> to respond to User Account Control prompts" check box?

This check box appears on the message that you see when your helper asks to share control of your desktop. If you select this check box, your helper can respond to requests from the computer for administrator consent or administrator credentials, such as a user name or password. Then your helper can run administrator-level programs without needing your participation.

You can allow your helper to run administrator-level programs only if you can run them yourself. You will be asked for consent or credentials before giving your helper these abilities.

they got the full admin privileges
to restrict them provide access rights only for "read only"
now they can help on every manner without annoying u

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now