Offer Remote Assistance - "Permission denied" - Windows XP SP2

  #1  
Old 14-01-2005
Research Services
 
Offer Remote Assistance - "Permission denied" - Windows XP SP2

We are having problems getting "Offer Remote Assistance" to work in our
Child Domain (part of an Active Directory Forest). In Offer Remote
Assistance, when we Click the Connect Button from a Windows XP SP2 computer
with Windows Firewall Enabled, an error box "Permission denied" is displayed
immediately, as if it never even gets far enough to try to communicate to
the destination XP SP2 computer (no hard drive activity, no event log
activity, no dropped traffic by the firewall). Interestingly, when we put
in a W2K3 box as the destination, we received a different error "Access to
the requested resource has been disabled by your administrator" and it
actually does "talk" to the W2K3 box over the network as you can hear the
disk grind at the moment it attempts to connect. We have not used GPOs to
Enable Remote Assistance on our W2K3 boxes.

So, the list of what we have done with related Microsoft KB Articles:

http://support.microsoft.com/?kbid=301527

- Through Group Policy, have Enabled both 'Solicited Remote Assistance' and
'Offer Remote Assistance' at
Computer Configuration / Administrative Templates / System / Remote
Assistance
- Added a couple of Domain Admin Groups who are also in the Local
Administrators group on all computers with the <domain>\<group> format to
the Group Policy above
- Added/Changed the DCOM Registry Key as such on ALL involved computers:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
- Opened all of the items below in the Windows Firewall through Group
Policy:
%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote
Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance -
Windows Messenger and Voice
135:TCP:*:Enabled:Remote Assistance Port
- We have even Enabled to "*" 'Allow remote administration exception',
'Allow file and printer sharing exception' and 'Allow Remote Desktop
exception' in the Firewall as well

http://support.microsoft.com/?kbid=884910
- Even though all of our computers are Windows XP SP2, since we have left
this group Policy as 'Not Configured' we don't believe it applies to us.
(And attempting to modify this as KB stated caused all sorts of other DCOM
related problems)

http://support.microsoft.com/?kbid=310629
Simple File Sharing is disabled since all computers are within our Domain
(Domain Computers), so this article doesn't apply to us. We have verified
that this checkbox is NOT selected on all of the computers involved.

Right-Click, Properties on 'My Computer', Remote Tab on all involved
computers has the 'Allow Remote Assistance invitations to be sent from this
computer' checked.

Resultant Set of Policies (RSoP) verifies that all appropriate Group
Policies are being applied correctly.

All involved computers are on the same subnet and no other firewalls exist
other than the Group Policy-enforced Windows Firewall configured as
mentioned above. In fact removing the Windows Firewall on both the 'Expert'
and 'Novice' computers generates the same error message 'Permission denied'.

The 'Remote Desktop Help Session Manager' service is set to Automatic and in
the Running state on the computer that the 'Offer Remote Assistance' is
being made from and under the security context of a Local AND Domain
Administrator account - this user is part of one of the groups added to the
Group Policy above.

'Offer Remote Assistance' is being initiated from a Shortcut to:
hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm

Remote Desktop works correctly for all involved computers.

Generating a Remote Assistance request and sending via email works
perfectly. Only Unsolicited (Offer) Remote Assistance does not work.

We use Group Policy to "lock down" most of the Security Settings under 'User
Rights Assignments' and 'Security Options'. See list of settings below:
USER RIGHTS ASSIGNMENTS
Policy | Security Setting
Access this computer from the network | MYDOMAIN\Domain Admins,MYDOMAIN\Domain Users
Act as part of the operating system | (blank)
Add workstations to domain | (blank)
Adjust memory quotas for a process | LOCAL SERVICE,NETWORK SERVICE,Administrators
Allow logon through Terminal Services | Administrators,Remote Desktop Users
Back up files and directories | Administrators
Bypass traverse checking | Users
Change the system time | MYDOMAIN\Domain Admins,MYDOMAIN\Domain Users,Administrators
Create a pagefile | Administrators
Create a token object | (blank)
Create global objects | Administrators,INTERACTIVE,SERVICE
Create permanent shared objects | (blank)
Debug programs | Administrators
Deny access to this computer from the network | (blank)
Deny logon as a batch job | (blank)
Deny logon as a service | (blank)
Deny logon locally | (blank)
Deny logon through Terminal Services | ASPNET
Enable computer and user accounts to be trusted for delegation | (blank)
Force shutdown from a remote system | MYDOMAIN\Domain Admins,Administrators
Generate security audits | LOCAL SERVICE,NETWORK SERVICE
Impersonate a client after authentication | ASPNET,Administrators,SERVICE
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Lock pages in memory | (blank)
Log on as a batch job | (blank)
Log on as a service | NETWORK SERVICE
Log on locally | MYDOMAIN\Domain Admins,MYDOMAIN\Domain Users,Administrators
Manage auditing and security log | Administrators
Modify firmware environment values | Administrators
Perform volume maintenance tasks | Administrators
Profile single process | Administrators
Profile system performance | Administrators
Remove computer from docking station | Administrators,Users
Replace a process level token | LOCAL SERVICE,NETWORK SERVICE
Restore files and directories | Administrators
Shut down the system | Administrators,Users
Synchronize directory service data | (blank)
Take ownership of files or other objects | Administrators

SECURITY OPTIONS
Policy | Security Setting
Accounts: Administrator account status | Not Applicable
Accounts: Guest account status | Not Applicable
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | Not defined
Accounts: Rename guest account | Not defined
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined
Devices: Allow undock without having to log on | Disabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled
Devices: Restrict floppy access to locally logged-on user only | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Not defined
Domain controller: LDAP server signing requirements | Not defined
Domain controller: Refuse machine account password changes | Not defined
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 7 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Message text for users attempting to log on | (blank)
Interactive logon: Message title for users attempting to log on | Not defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled
Interactive logon: Require smart card | Not defined
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Amount of idle time required before suspending session | 720 minutes
Microsoft network server: Digitally sign communications (always) | Disabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network access: Allow anonymous SID/Name translation | Not Applicable
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously | (blank)
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Network access: Shares that can be accessed anonymously | (blank)
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM & NTLM
Network security: LDAP client signing requirements | Require signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled


Any suggestions would be greatly appreciated - thanks for your help in advance.


  #2  
Old 25-02-2005
Lrnineveryday
 
RE: Offer Remote Assistance - "Permission denied" - Windows XP SP2

Hello this is my first post.

I feel your pain brother!

I am having the exact same problem with permission denied only there is no
AD or GP involved (except local Policy of enabling RA)
Yours is the first post anywhere I have seen with my same prob.
I am on a Novell network (soon to change to 2003).
The weird thing is, I had it working a couple of months ago when I first set
it up on 2 machines. Now nothing I do helps.
As with you, RD works fine and RA through e-mail and file work great. It just
won't work with unsolicited RA.
SOMEONE HELP!!!!!! (please)

It would be much easier to go through IP than to have to explain to users
how to send a request :-)







  #3  
Old 26-02-2005
Research Services
 
Re: Offer Remote Assistance - "Permission denied" - Windows XP SP2

Still no solution yet, but with someone's help here, it seems like it might
be related to COM permissions (in particular the settings in the
HKLM\Software\Microsoft\Ole key).
I also noticed that I am unable to run the DCOMCNFG utility and look at
'Component Services' without it crashing constantly and logging errors in
the application event viewer: Event IDs '4689' and '778' from COM+.



"Lrnineveryday" <Lrnineveryday@discussions.microsoft.com> wrote in message
news:F9D800E9-3AE9-4494-8514-06EDA85BA69F@microsoft.com...
> Hello this is my first post.
>
> I feel your pain brother!
>
> I am having the exact same problem with permission denied only there is no
> AD or GP involved (except local Policy of enabling RA)
> Yours is the first post anywhere I have seen with my same prob.
> I am on a Novell network (soon to change to 2003).
> The weird thing is, I had it working a couple of months ago when I first
> set
> it up on 2 machines. Now nothing I do helps.
> As with you RD works fine and RA through e-mail and file work great. It
> just
> won't work with unsolicited RA.
> SOMEONE HELP!!!!!! (please)
>
> It would be much easier to go through IP than to have to explain to users
> how to send a request :-)
>
>
>
>
>
>
> "Research Services" wrote:
>
>> We are having problems getting "Offer Remote Assistance" to work in our
>> Child Domain (part of an Active Directory Forest). In Offer Remote
>> Assistance, when we Click the Connect Button from a Windows XP SP2
>> computer
>> with Windows Firewall Enabled, an error box "Permission denied" is
>> displayed
>> immediately, as if it never even gets far enough to try to communicate to
>> the destination XP SP2 computer (no hard drive activity, no event log
>> activity, no dropped traffic by the firewall). Interestingly, when we
>> put
>> in a W2K3 box as the destination, we received a different error "Access
>> to
>> the requested resource has been disabled by your administrator" and it
>> actually does "talk" to the W2K3 box over the network as you can hear the
>> disk grind at the moment it attempts to connect. We have not used GPOs
>> to
>> Enable Remote Assistance on our W2K3 boxes.
>>
>> So, the list of what we have done with related Microsoft KB Articles:
>>
>> http://support.microsoft.com/?kbid=301527
>>
>> - Through Group Policy, have Enabled both 'Solicited Remote Assistance'
>> and
>> 'Offer Remote Assistance' at
>> Computer Configuration / Administrative Templates / System / Remote
>> Assistance
>> - Added a couple of Domain Admin Groups who are also in the Local
>> Administrators group on all computers with the <domain>\<group> format to
>> the Group Policy above
>> - Added/Changed the DCOM Registry Key as such on ALL involved computers:
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
>> "EnableDCOM"="Y"
>> - Opened all of the items below in the Windows Firewall through Group
>> Policy:
>> %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
>> %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote
>> Assistance
>> %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote
>> Assistance -
>> Windows Messenger and Voice
>> 135:TCP:*:Enabled:Remote Assistance Port
>> - We have even Enabled to "*" 'Allow remote administration exception',
>> 'Allow file and printer sharing exception' and 'Allow Remote Desktop
>> exception' in the Firewall as well
>>
>> http://support.microsoft.com/?kbid=884910
>> - Even though all of our computers are Windows XP SP2, since we have left
>> this group Policy as 'Not Configured' we don't believe it applies to us.
>> (And attempting to modify this as KB stated caused all sorts of other
>> DCOM
>> related problems)
>>
>> http://support.microsoft.com/?kbid=310629
>> Simple File Sharing is disabled since all computers are within our Domain
>> (Domain Computers), so this article doesn't apply to us. We have
>> verified
>> that this checkbox is NOT selected on all of the computers involved.
>>
>> Right-Click, Properties on 'My Computer', Remote Tab on all involved
>> computers has the 'Allow Remote Assistance invitations to be sent from
>> this
>> computer' checked.
>>
>> Resultant Set of Policies (RSoP) verifies that all appropriate Group
>> Policies are being applied correctly.
>>
>> All involved computers are on the same subnet and no other firewalls
>> exist
>> other than the Group Policy-enforced Windows Firewall configured as
>> mentioned above. In fact removing the Windows Firewall on both the
>> 'Expert'
>> and 'Novice' computers generates the same error message 'Permission
>> denied'.
>>
>> The 'Remote Desktop Help Session Manager' service is set to Automatic and
>> in
>> the Running state on the computer that the 'Offer Remote Assistance' is
>> being made from and under the security context of a Local AND Domain
>> Administrator account - this user is part of one of the groups added to
>> the
>> Group Policy above.
>>
>> 'Offer Remote Assistance' is being initiated from a Shortcut to:
>> hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm
>>
>> Remote Desktop works correctly for all involved computers.
>>
>> Generating a Remote Assistance request and sending via email works
>> perfectly. Only Unsolicited (Offer) Remote Assistance does not work.
>>
>> We use Group Policy to "lock down" most of the Security Settings under
>> 'User Rights Assignments' and 'Security Options'. See list of settings below:
>>
>> USER RIGHTS ASSIGNMENTS
>> Policy | Security Setting
>> Access this computer from the network | MYDOMAIN\Domain Admins,MYDOMAIN\Domain Users
>> Act as part of the operating system |
>> Add workstations to domain |
>> Adjust memory quotas for a process | LOCAL SERVICE,NETWORK SERVICE,Administrators
>> Allow logon through Terminal Services | Administrators,Remote Desktop Users
>> Back up files and directories | Administrators
>> Bypass traverse checking | Users
>> Change the system time | MYDOMAIN\Domain Admins,MYDOMAIN\Domain Users,Administrators
>> Create a pagefile | Administrators
>> Create a token object |
>> Create global objects | Administrators,INTERACTIVE,SERVICE
>> Create permanent shared objects |
>> Debug programs | Administrators
>> Deny access to this computer from the network |
>> Deny logon as a batch job |
>> Deny logon as a service |
>> Deny logon locally |
>> Deny logon through Terminal Services | ASPNET
>> Enable computer and user accounts to be trusted for delegation |
>> Force shutdown from a remote system | MYDOMAIN\Domain Admins,Administrators
>> Generate security audits | LOCAL SERVICE,NETWORK SERVICE
>> Impersonate a client after authentication | ASPNET,Administrators,SERVICE
>> Increase scheduling priority | Administrators
>> Load and unload device drivers | Administrators
>> Lock pages in memory |
>> Log on as a batch job |
>> Log on as a service | NETWORK SERVICE
>> Log on locally | MYDOMAIN\Domain Admins,MYDOMAIN\Domain Users,Administrators
>> Manage auditing and security log | Administrators
>> Modify firmware environment values | Administrators
>> Perform volume maintenance tasks | Administrators
>> Profile single process | Administrators
>> Profile system performance | Administrators
>> Remove computer from docking station | Administrators,Users
>> Replace a process level token | LOCAL SERVICE,NETWORK SERVICE
>> Restore files and directories | Administrators
>> Shut down the system | Administrators,Users
>> Synchronize directory service data |
>> Take ownership of files or other objects | Administrators
>>
>> SECURITY OPTIONS
>> Policy | Security Setting
>> Accounts: Administrator account status | Not Applicable
>> Accounts: Guest account status | Not Applicable
>> Accounts: Limit local account use of blank passwords to console logon only | Enabled
>> Accounts: Rename administrator account | Not defined
>> Accounts: Rename guest account | Not defined
>> Audit: Audit the access of global system objects | Disabled
>> Audit: Audit the use of Backup and Restore privilege | Disabled
>> Audit: Shut down system immediately if unable to log security audits | Disabled
>> DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined
>> DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined
>> Devices: Allow undock without having to log on | Disabled
>> Devices: Allowed to format and eject removable media | Administrators
>> Devices: Prevent users from installing printer drivers | Disabled
>> Devices: Restrict CD-ROM access to locally logged-on user only | Disabled
>> Devices: Restrict floppy access to locally logged-on user only | Disabled
>> Devices: Unsigned driver installation behavior | Warn but allow installation
>> Domain controller: Allow server operators to schedule tasks | Not defined
>> Domain controller: LDAP server signing requirements | Not defined
>> Domain controller: Refuse machine account password changes | Not defined
>> Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
>> Domain member: Digitally encrypt secure channel data (when possible) | Enabled
>> Domain member: Digitally sign secure channel data (when possible) | Enabled
>> Domain member: Disable machine account password changes | Disabled
>> Domain member: Maximum machine account password age | 7 days
>> Domain member: Require strong (Windows 2000 or later) session key | Enabled
>> Interactive logon: Do not display last user name | Enabled
>> Interactive logon: Do not require CTRL+ALT+DEL | Disabled
>> Interactive logon: Message text for users attempting to log on |
>> Interactive logon: Message title for users attempting to log on | Not defined
>> Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons
>> Interactive logon: Prompt user to change password before expiration | 14 days
>> Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled
>> Interactive logon: Require smart card | Not defined
>> Interactive logon: Smart card removal behavior | Lock Workstation
>> Microsoft network client: Digitally sign communications (always) | Disabled
>> Microsoft network client: Digitally sign communications (if server agrees) | Enabled
>> Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
>> Microsoft network server: Amount of idle time required before suspending session | 720 minutes
>> Microsoft network server: Digitally sign communications (always) | Disabled
>> Microsoft network server: Digitally sign communications (if client agrees) | Enabled
>> Microsoft network server: Disconnect clients when logon hours expire | Enabled
>> Network access: Allow anonymous SID/Name translation | Not Applicable
>> Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
>> Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
>> Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
>> Network access: Let Everyone permissions apply to anonymous users | Disabled
>> Network access: Named Pipes that can be accessed anonymously |
>> Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
>> Network access: Shares that can be accessed anonymously |
>> Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves
>> Network security: Do not store LAN Manager hash value on next password change | Enabled
>> Network security: Force logoff when logon hours expire | Enabled
>> Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM & NTLM
>> Network security: LDAP client signing requirements | Require signing
>> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
>> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption
>> Recovery console: Allow automatic administrative logon | Disabled
>> Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
>> Shutdown: Allow system to be shut down without having to log on | Disabled
>> Shutdown: Clear virtual memory pagefile | Disabled
>> System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
>> System objects: Default owner for objects created by members of the Administrators group | Object creator
>> System objects: Require case insensitivity for non-Windows subsystems | Enabled
>> System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
>>
>>
>> Any suggestions would be greatly appreciated - thanks for your help in advance.
>>
>>
>>
  #4  
Old 20-10-2007
Member
 
Join Date: Oct 2007
Posts: 1
Offer Remote Assistance

I know this is an old thread but I didn't see the final solution.

I was having the same issue and looked in the key of a working station and compared it to a non-working one.

On the Novice computer, in the Registry, under the HKLM\Software\Microsoft\Ole key, create a String Value called EnableDCOM and set its value to Y.

This enabled it.

Memo
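The comparison Memo describes (read the DCOM value on a working station, compare it with the non-working "Novice" box, then apply the fix) is easy to script so that drift can be checked on every machine rather than by hand. The following PowerShell is an added example written for this thread, not code from either poster. `EnableDCOM` under `HKLM\SOFTWARE\Microsoft\Ole` is the value the thread names; the two `fAllow*` policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` are an assumption on my part about where the "Offer Remote Assistance" and "Solicited Remote Assistance" Group Policy settings are stored, since the thread never names them. Run it in an elevated PowerShell on the target machine.

```powershell
# Added example (not from the thread): audit the registry values this thread
# ties to the "Permission denied" error on Offer Remote Assistance, and
# optionally apply Memo's fix (EnableDCOM = Y). Run elevated on the Novice box.

function Get-RemoteAssistanceConfig {
    # EnableDCOM (REG_SZ, expected 'Y') is the value both posts refer to.
    $oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $enableDcom = (Get-ItemProperty -Path $oleKey -Name EnableDCOM `
                   -ErrorAction SilentlyContinue).EnableDCOM

    # ASSUMPTION: the "Offer Remote Assistance" / "Solicited Remote Assistance"
    # Group Policy settings are written here as DWORDs (fAllowUnsolicited /
    # fAllowToGetHelp). The thread does not name these values.
    $raKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $ra = Get-ItemProperty -Path $raKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EnableDCOM         = $enableDcom            # expected 'Y'
        OfferRA_Policy     = $ra.fAllowUnsolicited  # expected 1 once the GPO applies
        SolicitedRA_Policy = $ra.fAllowToGetHelp    # expected 1 once the GPO applies
    }
}

function Test-RemoteAssistanceConfig {
    # Returns a list of human-readable problems; an empty list means the
    # machine matches the working station's configuration.
    param([Parameter(Mandatory = $true)] $Config)
    $problems = @()
    if ($Config.EnableDCOM -ne 'Y') {
        $problems += "EnableDCOM is '$($Config.EnableDCOM)' (expected 'Y'); " +
                     "this is the condition the thread ties to 'Permission denied'"
    }
    if ($Config.OfferRA_Policy -ne 1) {
        $problems += "Offer Remote Assistance policy not applied " +
                     "(fAllowUnsolicited = $($Config.OfferRA_Policy)); run gpupdate and re-check"
    }
    if ($Config.SolicitedRA_Policy -ne 1) {
        $problems += "Solicited Remote Assistance policy not applied " +
                     "(fAllowToGetHelp = $($Config.SolicitedRA_Policy))"
    }
    return $problems
}

function Set-EnableDCOM {
    # Memo's fix: REG_SZ EnableDCOM = Y under HKLM\SOFTWARE\Microsoft\Ole.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
    if ($PSCmdlet.ShouldProcess($oleKey, 'Set EnableDCOM = Y')) {
        New-ItemProperty -Path $oleKey -Name EnableDCOM -PropertyType String `
                         -Value 'Y' -Force | Out-Null
    }
}

# Usage: report the current state and any deviations.
$cfg = Get-RemoteAssistanceConfig
$cfg | Format-List
$issues = Test-RemoteAssistanceConfig -Config $cfg
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'Configuration matches what the thread describes for a working station.'
}
# After reviewing the warnings:  Set-EnableDCOM -WhatIf   then   Set-EnableDCOM
```

To reproduce Memo's side-by-side comparison, run `Get-RemoteAssistanceConfig` on the working station and on the Novice box, export each result with `Export-Clixml`, and diff them with `Compare-Object`; the `EnableDCOM` row is the one that differed in his case.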