
Scheduled tasks RemoteAssistanceTask removes members of "Offer Remote Assistance Helpers"

Goal:  
Allow Helpdesk staff to start a solicited Remote Assistance session to any workstation within our domain.  (All workstations are running Windows 7 or Windows 8.)

Setup steps:
Enable the Remote Assistance
Enable the firewall exception on the workstations
Add the "Helpdesk Staff" group to the local "Offer Remote Assistance Helpers" group on all the workstations.

Once this is complete, I can type "msra /offerRa <computername>", and it will start a Remote Assistance on the remote <computername>. The end user doesn't have to initiate the Remote Assistance tool.  

Problem:
I created a GPO (using Restricted Groups) to add the "Helpdesk staff" to the local "Offer Remote Assistance Helpers" group on the workstations.    The GPO applies successfully...but...the "Offer Remote Assistance Helpers" group membership keeps getting wiped out.    

Found the culprit:
After a few hours of troubleshooting, I found a scheduled task called "RemoteAssistanceTask" (located under "Task Scheduler Library\Microsoft\Windows\RemoteAssistance").  The task is triggered when Group Policy is applied; the task runs this command: "%windir%\system32\RAServer.exe /offerraupdate".    I'm not sure what the command does - but it definitely removes the membership of the "Offer Remote Assistance Helpers" group.

I disabled the task, and ran GPUpdate /force, and the group membership was updated as I expected.   ...and it didn't change.

I want to apply this GPO to all the workstations in the domain, but the scheduled task keeps "un-doing" the GPO change!!  

I could disable that task...but:
The task is there by default, but I don't know what it does,

I don't want to touch each computer
...and I want to make this work!

...............
SO....
...............

Anyone have any input on that scheduled task?  Why is it there?  How do I manage the membership of the "Offer Remote Assistance Helpers" on all the domain computers?
Asked by: kevin_buchanan
 
yo_bee (Director of IT) Commented:
Are you adding them to Member Of or Is a Member?

They should be in Member Of.

Also, under Computer Config > Admin Template > System > Remote Assistance > Offer Remote Assistance > Enable > add the users/groups you want to this.
> Solicited Remote Assistance > Enable
0
 
kevin_buchanan (Author) Commented:
I'm away from my computer, so at this very moment I can't remember… But, it is in the quote bottom section in quote.

As stated, if I disable that job then the group policy applies as it should, so I am confident that the GPO is working correctly. My question is it about group policy, as much as it is about that job that removes members from the "offer remote assistance" group
0
 
yo_bee (Director of IT) Commented:
I would not disable that job as it is a default job created by the system.
I would recommend that you use the GPO settings I posted and see if they stick.
0
 
kevin_buchanan (Author) Commented:
and that is the problem...they do NOT "stick".  Re-read my original statement.  I stated in my original problem, that scheduled task is causing it to remove the users from that group!

I'm not proposing to disable that job...but...I can't use GPO to update the list b/c it is wiped out every time GPO is applied.  I know it is a 'system default' job, but I can't find any documentation about what it is supposed to do.  

I guess I may have to open a ticket with Microsoft Tech Support.


0
 
yo_bee (Director of IT) Commented:
Try removing the group from the Restricted Groups and just add this setting:
"Computer Config > Admin Template > System > Remote Assistance > Offer Remote Assistance > Enable > add the users/groups you want to this.
 > Solicited Remote Assistance > Enable"

Follow this screenshot
This should work.
0
 
kevin_buchanan (Author) Commented:
"yo bee":

I tried the GPO setting you suggested, but that doesn't work either.  On my "test machines", I have tried the "gpupdate /force" and I have rebooted twice.  Still will not work.

But - if I add my account to the "Offer Remote Assistance Helpers" group, then it works instantly.
0
 
kevin_buchanan (Author) Commented:
"yo bee":  Just an FYI... I ran the Resultant Set of Policies, and it shows that the GPO applied (the one you gave me).  But - if my account isn't in the "Offer Remote Assistance Helpers" group, then I can't start a Solicited Remote Assistance Session.
0
 
yo_bee (Director of IT) Commented:
Did you remove the Group from the Restricted User Setting in GPO and just have it added to the Offer Remote Assistance GPO setting?
0
 
kevin_buchanan (Author) Commented:
Yes, I removed from the restricted group setting.
0
 
yo_bee (Director of IT) Commented:
You still do not see them in the Test computer Local Group?
0
 
kevin_buchanan (Author) Commented:
No, I don't.  Any change made to the offer remote assistance helpers group is automatically cleared out every time group policy is updated.  Well, automatically probably isn't the best descriptor: There is a scheduled task that is triggered when group policy is applied, and whatever that task is doing causes that group to be empty.
0
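
An added example, not code from any poster in this thread: a read-only PowerShell check that puts side by side the helper list the Offer Remote Assistance policy writes to the registry (the `RAUnsolicit` key that appears in the `gpresult /v` output further down), the actual members of the local "Offer Remote Assistance Helpers" group, and the state of RemoteAssistanceTask. The function names are hypothetical, and the script assumes that helper entries are meant to be written as `DOMAIN\name` and that schtasks.exe prints English column names.

```powershell
# Added example: read-only audit of Offer Remote Assistance settings on the local workstation.
# Key, group and task names are the ones quoted in this thread; function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$HelperKey = "$PolicyKey\RAUnsolicit"
$GroupName = 'Offer Remote Assistance Helpers'
$TaskName  = '\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask'

function Get-PolicyHelper {
    # The policy stores one registry value per helper; the value name is the account string.
    if (-not (Test-Path $HelperKey)) { return }
    foreach ($name in (Get-Item $HelperKey).GetValueNames()) {
        New-Object PSObject -Property @{
            Entry      = $name
            # Assumption: helpers should be written as DOMAIN\name (one backslash, no "/").
            WellFormed = [bool]($name -match '^[^\\/]+\\[^\\/]+$')
        }
    }
}

function Get-HelperGroupMember {
    # The WinNT ADSI provider works on PowerShell 2.0, the version Windows 7 ships with.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # WinNT://DOMAIN/name -> DOMAIN\name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-RaTaskState {
    # 'Scheduled Task State' is the column name printed by an English-language schtasks.exe.
    $rows = @(schtasks.exe /Query /TN $TaskName /FO CSV /V 2>$null | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { return 'NotFound' }
    $rows[0].'Scheduled Task State'
}

function Get-OfferRaAudit {
    $policy  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $helpers = @(Get-PolicyHelper)
    $members = @(Get-HelperGroupMember)
    $entries = @($helpers | ForEach-Object { $_.Entry })

    New-Object PSObject -Property @{
        # fAllowUnsolicited = 1 means the Offer Remote Assistance policy is enabled.
        OfferRaEnabled     = ($policy.fAllowUnsolicited -eq 1)
        PolicyHelpers      = $entries
        MalformedHelpers   = @($helpers | Where-Object { -not $_.WellFormed } |
                                 ForEach-Object { $_.Entry })
        GroupMembers       = $members
        # Helpers the policy names but the local group does not contain.
        HelpersNotInGroup  = @($entries | Where-Object { $members -notcontains $_ })
        # Accounts that can offer assistance without being listed in the policy.
        MembersNotInPolicy = @($members | Where-Object { $entries -notcontains $_ })
        TaskState          = Get-RaTaskState
    }
}

Get-OfferRaAudit | Format-List
```

In the `gpresult /v` output posted below, the two enabled helper entries are written with a forward slash (`DomainName/IT`, `DomainName/network`), which this check reports under MalformedHelpers.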
 
yo_bee (Director of IT) Commented:
Can you post all your GPOs applied to the computers?
I would like to see the settings.
0
 
kevin_buchanan (Author) Commented:
Will do.  Just left work.  Will post this evening.
0
 
yo_bee (Director of IT) Commented:
I will try and help as best I can.
0
 
kevin_buchanan (Author) Commented:
Sorry for the delay:

Here is the "GPRESULT /v"  output

I have highlighted the "Remote Access Assistance", which is the GPO I am using to apply the change you suggested.


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/20/2014 at 4:51:49 PM



RSOP data for DomainName\admin on ITNETDIR : Logging Mode
----------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\admin
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=ITNETDIR,OU=Test,OU=Information Technology Computers,OU=Information Technology,DC=DomainName,DC=org
    Last time Group Policy was applied: 8/20/2014 at 4:31:02 PM
    Group Policy was applied from:      RH-DC2.DomainName.org
    Group Policy slow link threshold:   0 kbps
    Domain Name:                        DomainName
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Add IT to Local Admins
        HTTP_1-1_Settings
        No Sync
        PC Restricted Groups
        WSUS3
        Remote Access Assistance
        Default Domain Policy
        Folder Rights
        Firewall Disabled
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Shared drive
            Filtering:  Disabled (GPO)

        Internet Explorer
            Filtering:  Disabled (GPO)

        Log On-Off Audit
            Filtering:  Disabled (GPO)

        Office Settings
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        ITNETDIR$
        Domain Computers
        CERTSVC_DCOM_ACCESS
        System Mandatory Level
       
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  4294967295

            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  10

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  4

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  8

        Audit Policy
        ------------
            GPO: Default Domain Policy
                Policy:            AuditAccountManage
                Computer Setting:  Success, Failure

            GPO: Default Domain Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Success, Failure

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy:            PasswordComplexity
                Computer Setting:  Enabled

            GPO: Default Domain Policy
                Policy:            ClearTextPassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            ForceLogoffWhenHourExpire
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            RequireLogonToChangePassword
                Computer Setting:  Not Enabled

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59022
                ValueName:         MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            @wsecedit.dll,-59023
                ValueName:         MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
                Computer Setting:  1

        Event Log Settings
        ------------------
            GPO: Default Domain Policy
                Policy:            MaximumLogSize
                Computer Setting:  1024
                Log Name:          Security

            GPO: Default Domain Policy
                Policy:            RetentionDays
                Computer Setting:  0
                Log Name:          Application

            GPO: Default Domain Policy
                Policy:            MaximumLogSize
                Computer Setting:  1024
                Log Name:          Application

            GPO: Default Domain Policy
                Policy:            RetentionDays
                Computer Setting:  0
                Log Name:          Security

            GPO: Default Domain Policy
                Policy:            MaximumLogSize
                Computer Setting:  1024
                Log Name:          System

            GPO: Default Domain Policy
                Policy:            RetentionDays
                Computer Setting:  0
                Log Name:          System

        Restricted Groups
        -----------------
            GPO: Add IT to Local Admins
                Groupname: DomainName\IT
                Members:   N/A
                           
            GPO: PC Restricted Groups
                Groupname: DomainName\Domain Users
                Members:   N/A
                           
        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            GPO: Folder Rights
                ObjectName: C:\Program Files\MEDITECH

            GPO: Folder Rights
                ObjectName: C:\ProgramData

            GPO: Folder Rights
                ObjectName: C:\Program Files\VALCO DATA SYSTEMS

            GPO: Folder Rights
                ObjectName: C:\ProgramData\DESKTOP

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\domain administrators
                State:       disabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTimeEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiry
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeout
                Value:       30, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName/IT
                Value:       82, 0, 72, 0, 78, 0, 67, 0, 47, 0, 73, 0, 84, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\helpdesk
                State:       disabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows Defender\Signature Updates\CheckAlternateHttpLocation
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
                Value:       4, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS\TemplateName
                Value:       0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
                Value:       9, 0, 0, 0
                State:       Enabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowFullControl
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EfsOptions
                Value:       22, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS\CacheTimeout
                Value:       224, 1, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\SMSADMIN
                State:       disabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicitedFullControl
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootWarningTimeoutEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTime
                Value:       60, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\System\GroupPolicyMinTransferRate
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Firewall Disabled
                KeyName:     SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: HTTP_1-1_Settings
                KeyName:     Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS\RsaKeyLength
                Value:       0, 8, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer
                Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 114, 0, 104, 0, 45, 0, 119, 0, 115, 0, 117, 0, 115, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\BEALY
                State:       disabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer
                Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 114, 0, 104, 0, 45, 0, 119, 0, 115, 0, 117, 0, 115, 0, 0, 0
                State:       Enabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\TrustedServers
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\Restricted
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\helpdesk
                State:       disabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\IncludeRecommendedUpdates
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootRelaunchTimeout
                Value:       60, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RebootRelaunchTimeoutEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows Defender\SpyNet\SpyNetReporting
                State:       disabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fUseMailto
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AcceptTrustedPublisherCerts
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiryUnits
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\helpdesk
                State:       disabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName/network
                Value:       114, 0, 104, 0, 110, 0, 99, 0, 47, 0, 110, 0, 101, 0, 116, 0, 119, 0, 111, 0, 114, 0, 107, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Remote Access Assistance
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings
                State:       disabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\SMS REMOTE
                State:       disabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ServerList
                State:       disabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS\SuiteBAlgorithm
                Value:       0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\helpdesk
                State:       disabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows Defender\Signature Updates\CheckAlternateDownloadLocation
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall
                State:       disabled

            GPO: WSUS3
                KeyName:     Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
                Value:       3, 0, 0, 0
                State:       Enabled

            GPO: No Sync
                KeyName:     Software\Policies\Microsoft\Windows\NetCache\Enabled
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\InForest
                Value:       0, 0, 0, 0
                State:       Enabled


USER SETTINGS
--------------
    CN=Buchanan Kevin,OU=Information Technology Users,OU=Information Technology,DC=DomainName,DC=org
    Last time Group Policy was applied: 8/20/2014 at 4:51:29 PM
    Group Policy was applied from:      RH-DC2.DomainName.org
    Group Policy slow link threshold:   0 kbps
    Domain Name:                        DomainName
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Internet Explorer
        Shared drive
        Log On-Off Audit
        Office Settings
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        No Sync
            Filtering:  Disabled (GPO)

        PC Restricted Groups
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        HTTP_1-1_Settings
            Filtering:  Disabled (GPO)

        Firewall Disabled
            Filtering:  Disabled (GPO)

        Remote Access Assistance
            Filtering:  Disabled (GPO)

        Folder Rights
            Filtering:  Disabled (GPO)

        WSUS3
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Power Users
        BUILTIN\Users
        BUILTIN\Administrators
        Remote Desktop Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        XD-DMZ ALL
        FLDR_RHAIN_Messages_RO
        IT
        FLDR_ExitCare_RW
        FLDR_General Accounting_RW
        XenAppTest Meditech 6.07 Test
        Management
        FLDR_BWS Reference Material_RO
        FLDR_Lean_RW
        Customer Service Survey - Contributers
        XenAppTest Meditech 6 Live
        RHAIN Message Admins
        FLDR_Press Ganey Reports_RO
        FLDR_ExitCare_RO
        FLDR_HIPAA_RW
        XenApp Users
        NoPWManager
        DI - Readers
        FLDR_Management_RW
        XenApp External Form Designer
        OTRS_Agents_Maint
        Exitcare Users
        Network Management
        XenApp External Dimensional Insight
        XenApp External Visio
        networking
        FLDR_Corporate Compliance_RO
        XenApp External My Documents
        SP_Financial Statements
        XenApp External Shared Drive
        IT Workshop Schedule
        VDI Users
        XenApp External Meditech 6.0 Test
        Virtual Center Users
        AVAMAR Administrators
        Department Directors
        Patient Satisfaction
        MisysUser
        ElectronicPARUsers
        Domain Admins
        FLDR_IMPAC Ref Guides_RW
        RAHALL
        FLDR_Administration_LIST
        EGateManagement
        Citrix ThinClient Users
        ITOncall_Network
        Farm Administrators
        XenDesktop External RHWEB
        FLDR_Administration-Admin Policies Wanda had - Sandra signed_RW
        Delegated PW Reset
        XenApp External Meditech 6.0
        OTRS_Agents_IT
        United Way Videos - Readers
        FLDR_RHAIN_Messages_RW
        FLDR_Clinical - Chart Review_RO
        DDI TIMEKEEPERS
        FLDR_BWS Reference Material_RW
        Privacy-Security Team
        Subversion Readers
        VMWare Admins
        OwnCloud Users
        Transitional Unit Availability Calendar Approvers
        FLDR_HIPAA PRVI & SEC COMM_RW
        HealthRiskAssessmentGroup
        FLDR_User Accounts to be disabled_RO
        FLDR_Transitional Unit_RW
        XenAppTest Microsoft Office
        Cancer Center - Readers
        FLDR_Lean_RO
        XenApp External Office 2007
        XD-DMZ RHWEB
        RTCUniversalServerReadOnlyGroup
        Exchange View-Only Administrators
        EV Users
        6.0 Meditech Portal
        vpn users
        Schema Admins
        TermPAR Access
        All Company
        Network Monitor
        Cardio Access
        RTCUniversalUserReadOnlyGroup
        HQI
        RTCUniversalGlobalWriteGroup
        RTCUniversalServerAdmins
        CSServerAdministrator
        Exchange Public Folder Administrators
        RTCUniversalGlobalReadOnlyGroup
        EMC SourceOne
        Enterprise Admins
        All Staff
        CsPersistentChatAdministrator
        Exchange Organization Administrators
        CSAdministrator
        SMEX Admin Group
        Exchange Recipient Administrators
        DDI TIMEKEEPERS
        Denied RODC Password Replication Group
        CERTSVC_DCOM_ACCESS
        High Mandatory Level
       
    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Shut down the system
        Remove computer from docking station
        Increase a process working set
        Change the time zone
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Create symbolic links

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            GPO: Log On-Off Audit
                Name:         LogONTracker.vbs
                Parameters:  
                LastExecuted: 8:51:33 PM

        Logoff Scripts
        --------------
            GPO: Log On-Off Audit
                Name:         LogOFFTracker.vbs
                Parameters:  
                LastExecuted: This script has not yet been executed.

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations\Allow User Locations
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\rh-helpdesk.DomainName.org
                Value:       114, 0, 104, 0, 45, 0, 104, 0, 101, 0, 108, 0, 112, 0, 100, 0, 101, 0, 115, 0, 107, 0, 46, 0, 114, 0, 104, 0, 110, 0, 99, 0, 46, 0, 111, 0, 114, 0, 103, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\ArchiveGranularity
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\ArchiveOld
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\ArchivePeriod
                Value:       6, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations\All Applications\AllAppPolLocation1\Path
                Value:       92, 0, 92, 0, 114, 0, 104, 0, 110, 0, 99, 0, 46, 0, 111, 0, 114, 0, 103, 0, 92, 0, 115, 0, 104, 0, 97, 0, 114, 0, 101, 0, 100, 0, 36, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\DeleteExpired
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\11.0\Word\Security\Level
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\clickonssi.com
                Value:       99, 0, 108, 0, 105, 0, 99, 0, 107, 0, 111, 0, 110, 0, 115, 0, 115, 0, 105, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Options\Calendar\Internet Free/Busy\Lock FB Range
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations\All Applications\AllAppPolLocation1\Description
                Value:       84, 0, 114, 0, 117, 0, 115, 0, 116, 0, 32, 0, 83, 0, 104, 0, 97, 0, 114, 0, 101, 0, 100, 0, 32, 0, 68, 0, 114, 0, 105, 0, 118, 0, 101, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\SQM\DisableCustomerImprovementProgram
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\mcstrategies.com
                Value:       109, 0, 99, 0, 115, 0, 116, 0, 114, 0, 97, 0, 116, 0, 101, 0, 103, 0, 105, 0, 101, 0, 115, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\FBUpdateSecs
                Value:       132, 3, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Main\GotoIntranetSiteForSingleWordEntry
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\mias.Company.org
                Value:       109, 0, 105, 0, 97, 0, 115, 0, 46, 0, 114, 0, 97, 0, 110, 0, 100, 0, 111, 0, 108, 0, 112, 0, 104, 0, 104, 0, 111, 0, 115, 0, 112, 0, 105, 0, 116, 0, 97, 0, 108, 0, 46, 0, 111, 0, 114, 0, 103, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\ArchiveDelete
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\9.0\Excel\Security\Level
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations\AllowNetworkLocations
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\CommandBar\ShowCompatibilityViewButton
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\gsorad.com
                Value:       103, 0, 115, 0, 111, 0, 114, 0, 97, 0, 100, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\9.0\Word\Security\Level
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\FBPublishRange
                Value:       12, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://www.healthstream.com
                Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 119, 0, 119, 0, 119, 0, 46, 0, 104, 0, 101, 0, 97, 0, 108, 0, 116, 0, 104, 0, 115, 0, 116, 0, 114, 0, 101, 0, 97, 0, 109, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\DoAging
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\New Windows\ListBox_Support_Allow
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\*.gsorad.com
                Value:       42, 0, 46, 0, 103, 0, 115, 0, 111, 0, 114, 0, 97, 0, 100, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\rh-helpdesk-tes.DomainName.org
                Value:       114, 0, 104, 0, 45, 0, 104, 0, 101, 0, 108, 0, 112, 0, 100, 0, 101, 0, 115, 0, 107, 0, 45, 0, 116, 0, 101, 0, 115, 0, 46, 0, 114, 0, 104, 0, 110, 0, 99, 0, 46, 0, 111, 0, 114, 0, 103, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\ArchiveMount
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\EveryDays
                Value:       14, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\synergy
                Value:       115, 0, 121, 0, 110, 0, 101, 0, 114, 0, 103, 0, 121, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\PhishingFilter\Enabled
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations\All Applications\AllAppPolLocation1\Date
                Value:       0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations\All Applications\AllAppPolLocation1\AllowSubFolders
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Default Domain Policy
                KeyName:     Software\Policies\Microsoft\Windows\System\GroupPolicyMinTransferRate
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\172.26.1.40
                Value:       49, 0, 55, 0, 50, 0, 46, 0, 50, 0, 54, 0, 46, 0, 49, 0, 46, 0, 52, 0, 48, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
                Value:       0, 62, 2, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\nc.gov
                Value:       110, 0, 99, 0, 46, 0, 103, 0, 111, 0, 118, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\12.0\Outlook\Preferences\PromptForAging
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\11.0\Excel\Security\Level
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Internet Explorer
                KeyName:     Software\Adobe\Acrobat Reader\9.0\Originals\bBrowserIntegration
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\10.0\Word\Security\Level
                Value:       2, 0, 0, 0
                State:       Enabled

            GPO: Office Settings
                KeyName:     Software\Policies\Microsoft\Office\11.0\Access\Security\Level
                Value:       1, 0, 0, 0
                State:       Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: Internet Explorer
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   N/A
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

        Internet Explorer URLs
        ----------------------
            GPO: Internet Explorer
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

            URL:                    http://www.healthstream.com/hlc/Company
            Make Available Offline: No

            URL:                    http://GBR02BCS
            Make Available Offline: No

            URL:                    http://www.micromedexsolutions.com
            Make Available Offline: No

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: Internet Explorer
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       Yes
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: Internet Explorer
                Import the current Program Settings: No
0
 
yo_bee (Director of IT) commented:
I will review this tomorrow and get back to you in the morning.
0
 
kevin_buchanan (Author) commented:
Thanks!   I've stared at this issue too many hours, so I appreciate another set of eyes!
0
 
yo_bee (Director of IT) commented:
No problem
0
 
yo_bee (Director of IT) commented:
Do you have access to GPMC?
Run a Group Policy Result from within GPMC and save it.
It is a cleaner and easier report to read.

Here is the report on my computer and user
Neo-GPO-RESULT.htm
0
 
yo_bee (Director of IT) commented:
Looking at your RSOP, it looks like you have two GPOs, Default Domain and Remote Access Assistance. These might be canceling each other out, but I am not seeing DomainName\helpdesk in the Remote Access Assistance GPO.

GPO: Default Domain Policy
                 KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName\helpdesk
                 State:       disabled


I am not a fan of adding settings to the Default Domain policy and it is also best practice to not edit it, but rather create a copy and apply the copy or just completely create your own and do not have the Default Domain one linked to any OU.

I would remove any of the Remote Assistance settings from the Default Domain Policy, but before doing so make a backup of it just in case.
Once removed, make sure that the groups are added to the setting as well as ENABLE it.

It looks like you have yours Disabled.
0
 
kevin_buchanan (Author) commented:
I found the problem...and as embarrassing as it is, I was using an incorrect domain\name format. I was using a / instead of a \.

A careless and thoughtless mistake!   It is working now.
0
 
yo_bee (Director of IT) commented:
Happy to hear that.

Was it this one?

 GPO: Remote Access Assistance
                 KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\DomainName/IT
                Value:       82, 0, 72, 0, 78, 0, 67, 0, 47, 0, 73, 0, 84, 0, 0, 0
                 State:       Enabled
0
 
kevin_buchanan (Author) commented:
Yes. The "/" slash did it! I reversed it to a "\", and it worked.
0
 
yo_bee (Director of IT) commented:
I did not look at that one because you mentioned Helpdesk not IT.
I did not think that it was a group you were concerned with, but I am glad you figured it out.
0
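
The fix in this thread was a helper entry written as DomainName/IT instead of DomainName\IT. As an added example (not code from the thread), this PowerShell function scans gpresult-style text for RAUnsolicit entries, decodes the UTF-16LE Value bytes and flags names that are not in DOMAIN\name form or whose setting is not Enabled. The function name, the CONTOSO placeholder domain and the sample text are assumptions constructed for illustration.

```powershell
# Constructed sample in the layout gpresult prints, modelled on the entries
# quoted in this thread. CONTOSO is a placeholder domain.
$sample = @'
GPO: Default Domain Policy
    KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\CONTOSO\helpdesk
    State:       disabled

GPO: Remote Access Assistance
    KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\CONTOSO/IT
    Value:       67, 0, 79, 0, 78, 0, 84, 0, 79, 0, 83, 0, 79, 0, 47, 0, 73, 0, 84, 0, 0, 0
    State:       Enabled

GPO: Remote Access Assistance
    KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\CONTOSO\HD
    Value:       67, 0, 79, 0, 78, 0, 84, 0, 79, 0, 83, 0, 79, 0, 92, 0, 72, 0, 68, 0, 0, 0
    State:       Enabled
'@

# Hypothetical helper: returns one object per RAUnsolicit entry found in the text.
function Get-RAHelperEntry {
    param([Parameter(Mandatory)][string]$GpresultText)

    $marker  = '\RAUnsolicit\'
    $entries = @()
    $current = $null
    $gpo     = $null

    foreach ($line in $GpresultText -split "`r?`n") {
        $t = $line.Trim()
        if ($t -match '^GPO:\s*(.+)$') {
            $gpo = $Matches[1]; $current = $null
        }
        elseif ($t -match '^KeyName:\s*(.+)$') {
            $current = $null
            $key = $Matches[1]
            $idx = $key.IndexOf($marker, [StringComparison]::OrdinalIgnoreCase)
            if ($idx -ge 0) {
                # Everything after RAUnsolicit\ is the helper account or group name.
                $helper  = $key.Substring($idx + $marker.Length)
                $current = [pscustomobject]@{
                    GPO = $gpo; Helper = $helper; Data = $null; State = $null
                    # Exactly one backslash separator and no forward slash.
                    WellFormed = $helper -match '^[^\\/]+\\[^\\/]+$'
                }
                $entries += $current
            }
        }
        elseif ($current -and $t -match '^Value:\s*(.+)$') {
            # gpresult prints REG_SZ data as decimal UTF-16LE bytes.
            [byte[]]$bytes = $Matches[1] -split '\s*,\s*'
            $current.Data  = [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
        }
        elseif ($current -and $t -match '^State:\s*(.+)$') {
            $current.State = $Matches[1]
        }
    }
    $entries
}

# Show only the entries that need attention: malformed name or not enabled.
Get-RAHelperEntry $sample |
    Where-Object { -not $_.WellFormed -or $_.State -ne 'Enabled' } |
    Format-Table GPO, Helper, Data, State, WellFormed -AutoSize
```

To check a real report, pass the saved text output of gpresult to the function in place of `$sample`.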
