Remote Assistant account

[WildOptic]

Currently at work we are switching to Server 2003. We have a HUGE network and are currently looking into using the helpassistant account to remotely tech support the rollover to exchange/outlook/server2003. However, to keep things secure we would like to delete the current helpassistant account and recreate it with a new password. When this is done we get the error program cannot start when trying to open a remote connection. Any ideas or anyone that has experience with this issue?

[Curv Boll]

Help assistant account??

Not sure of this account, if you are using remote assistance which remains

as slow as a week in jail then there are several ways to do this.

1. If the user on your network requires assistance from a remote expert

then the user can request help and as long as your network firewall has port

3389 open the expert should be able to accept the invitation to help with nothing

further required.

2. The expert can can initiate the help session himself without an invitation as long

as the default group policy on the domian controller has his account in "allow remote assistance" under administrative templates.

Remember that you must enable remote assistance on win 2003 by going to system properties > remote tab.

A much wiser and faster type of remote connection would be remote desktop!

Which is also enabled on the remote tab.

However with remote desktop you must add the remote expert account to the "remote desktop users" group. Administrators have this logon right by default.

Good luck

CB

[WildOptic]

The issue again focuses on how to repair the helpassistant account if it has been deleted or the password has been changed.

[Curv Boll]

ok,

i must be missing something here,

you are changing over to 2003 server with your own mail server,

this will obviously be done in house ??

once you have 2003 server setup you will find that all remote connections

are disabled by default, you can enable remote desktop

or remote assistant.

There is no default help assistant account in 2003.

once enabling remote desktop admin on the server are automatically given the

remote desktop permission. You can add more users to have this right by adding them to the group.

You can also remove them from that group just as easily.

With remote assitant, there are no rights required for remote experts

as the invitation is sent from the network to them which automatically includes the

the right to connect.

You can alter that by adding the remote expert to the allow remote assistant permission so that they can initiate the connection.

My question is, where does this help assistant account come into play as its not on

2003.

CB

[WildOptic]

Sorry for the confusion. This account is on XP machines that we may come across with 1. helpassistant account non-existent or 2. with a changed password.

[WildOptic]

Seems that running sessmrg -service in safe mode repairs the helpassistant accounts and was albe to solve the issue "program could not start". This also allowed remote assistant connections work properly so long has "NT Authority\Interactive" account was in the users group.(normally isnt with our setup/a script will fix that).

Now the trick is there anyway to create a script to force xp to boot into safe mode so we can get the user to run sessmgr - service in safe mode then reboot normally to be able to allow remote connections again. Thanks for the great input curv boll.(made us thing about testing the nt authority\interactive account)

Thanks, WildOptic

[Curv Boll]

Hi WildOptic,

Glad to see your getting towards the goal,

sadly though i personally don't think a script / batch file

could boot you into safe mode as a user normally reaches safe mode before

the system has reached the stage where it executes system scripts.

The other problem is that there is no way to hold script info in the memory buffer

whilst the machine reboots. This means that executing a script to reboot and

enter into safe mode is not possible to my knowledge.

Perhaps some1 else knows of a way,

can i ask why you want to do this? Perhaps there is another way

cheers

CB

[WildOptic]

The reason we would like to do this is becuase we have a unknown number of machines that may have this issue and it would just be time saving while on the phone for users that just cant hit F8 in time. We have found a way to edit the boot.ini via script to boot into safe mode on next boot. It easy to push the script into the pc over the network. However the next issue is we realized the the only way to log into safe mode is with the admin account. The users on our networks wont be able to log in as there is no local admin account for anyone other than networking and techs. We tried running the repair in safemode with networking however, this doesn't repair the issue properly. We are talking over 5000+ machines with an unknown number with this issue. We are trying to keep from forcing the need to physically bring in the machine for us to trouble shoot and issues with users switching to exchange(only option available) after the server change from NT to Server 2003. Its a fun time needless to say has a number of users rush out to make sure they have W2000 or XP in order to be able to connect and get upset that they must switch to exchange for email instead of dos based pine, netscape(yes some have that still), and old versions of outlook. Well another day and I'm off to work to brainstorm some more. WildOptic

[Curv Boll]

Quite a situation you got there,

i have a friend who had hundreds of computers across several sites.

they did not have norton ghost so they could not PUSH an image to fix the remote

clients.

Instead they created 2 partitions on each client, they created an image of the client

and stored it on the second partition.

then whenver users called up with a problem on the system partition that

they could not fix, remote admin would connect to the faulty system and

edite the autoexec file to boot to the alternate partition.

All the user then had to do was reboot the machine and they were working again.

This gave admin time to allow for them to visit each location and repair the

system partitions with problems.

I know the above is far from your situation but i remember thinking this was a

great idea for admin covering several locations and time ebing an issue.

it may or may not be of any use to you,

good luck all the same.

CB

[WildOptic]

Wow...no ghost! Well, for LAB computers we have a hardware then runs an image of a master drive on boot. So if theres an issue just reboot. Of course you can't save anything on the system but its only a lab pc so its ok. However, we might have found a way to get the fix running in safe mode with networking. I will update after more testing here this morning. WildOptic.

[WildOptic]

Ok seems we have found a way automate safe mode with networking on boot and have the user type in the run command for the fix. From that point on all is well. Thanks curv boll for the great input. The switch from NT to server 2003 just got easier for us all!

[Curv Boll]

Hi WildOptic,

I am not sure i helped at all but glad to see you guys have worked up a

clever solution to your problem.

Thanks for letting me know, makes the conversation worth it.

depending on how good your users are you might think about

running that command in safe mode by means of the user running it as a

batch file.

(like i say, all depends on your type of user and the complexity of the command)

CB

[WildOptic]

Yes we already have the batch file setup to run in safe mode. So far all test have worked fine. And we have even got the chance to try it with a user today.

[Curv Boll]

Nice,

good luck with your plans

CB