Poor man’s enterprise remote support solution


There are tons of remote support tools for AD environments, but most of them are commercial, and some of them are user-initiated (like the Lync 2010+ desktop sharing feature). Today we will implement an agentless (sort of), free and pretty effective solution. The end result is a box in which you enter the username of the person you're trying to help, et voilà, you have control over his screen! (Gentlemen, after his permission, of course.)

Chapter I :

The base application that we will use is “Windows Remote Assistance”, which ships for free with most Windows 7 flavors; the rest is scripting gimmicks.

Out of the box, Windows Remote Assistance works when the requester sends an invitation file to the helper, but in our case we want to initiate the process by offering our help before we even hear the nagging.

To do so, we need to create and link a GPO to our computers OU that enables just that :

Computer Configuration > Policies > Administrative Templates > System > Remote Assistance

Enable the “Offer Remote Assistance” option and select who can offer remote support; typically you will add your Help Desk group.

Enabling WRS in a GPO

After you gpupdate the end-user’s machine, try it:

Open “Windows Remote Assistance” on your helper workstation, click “Help someone who has invited you”, then click “Advanced connection option for help desk”. Now you can enter the name or IP address of the remote computer and start helping!

Windows Remote Assistance

Now we need to automate this process!

Chapter II :

We need a way to map a logged-in user to his machine. There are several ways to do this (like parsing the DC's event logs), but we will use a logon script that writes the computer name to the “State” field of the corresponding user:

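Option Explicit
Const ADS_PROPERTY_UPDATE = 2
Dim objSysInfo, objUser, objNetwork, strComputer, strState

' Bind to the AD object of the user who is logging on
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

' Name of the computer the logon script is running on
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' The lookup script in Chapter III parses this exact " to ... at " layout
strState = "Logged on to " & strComputer & " at " & Date & " " & Time

' Write the string to the user's State ("st") attribute
objUser.Put "st", strState
objUser.SetInfo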

Why did I choose the “State” field? Because you can add it as a column in the “Active Directory Users and Computers” console, so you can see it in front of the employee's name. You can choose another attribute, like “Description” or “PO Box”, or, if you are ripped/testosterone filled, you can extend the schema with your own attribute.

Note: Make sure you delegate the “Write State/Province” permission on your Users OU to “SELF”, so the script can update the user's State attribute on logon.

(For a list of all AD attributes, check : http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090%28v=vs.85%29.aspx )

Chapter III :

Time for some magic! We'll create a script that will do the following once you enter the target username:

1- Fetch the “State” attribute of the user

2- Extract the machine name from it

3- Open a new Windows Remote Assistance window (using the Windows Remote Assistance command line options: msra.exe /offerRA computername)

# Load the assembly that provides the InputBox dialog
Add-Type -AssemblyName Microsoft.VisualBasic

$username=[Microsoft.VisualBasic.Interaction]::InputBox("Enter The Remote User's Username", "Username", "")

# Nothing entered or dialog cancelled: stop here
if(!$username){
   exit
}

# Look the user up through ADSI (no ActiveDirectory module required)
$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = '(&(objectCategory=person)(samaccountname='+$username+'))'
$Searcher.SearchRoot = 'LDAP://OU=users,DC=company,DC=com'
$path = $Searcher.FindAll() | select -First 1 -ExpandProperty Path
if(!$path){
   exit
}
$user = [ADSI]$path
$state=[string]$user.st

# The logon script wrote "Logged on to <computer> at <date> <time>"; cut out <computer>
if($state -notlike 'Logged on to * at *'){
   exit
}
$start = $state.IndexOf(" to ")+4
$computername=$state.Substring($start,($state.IndexOf(" at ")-$start))
msra.exe /offerRA $computername

There are several ways to fetch info from AD, but I went with interfacing with ADSI instead of using the simpler Get-ADUser for a simple reason: Help Desk users typically do not have the ActiveDirectory module installed, and Implicit Remoting would add an extra couple of seconds to the process (lag is annoying, annoying I say!).
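
Because Chapter II delegates write access on the State attribute to SELF, its content is set by the user and the lookup script should treat it as untrusted input. The script below is an added example, not the original author's code: it escapes the entered username for the LDAP filter, accepts only the exact text the logon script writes, and confirms the extracted name is a computer account before calling msra.exe. The helper function names, the $computerRoot search root and the allowed computer-name character set are assumptions.

```powershell
# Added example (not the original author's script). Helper names, $computerRoot
# and the allowed computer-name character set are assumptions.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515: escape \ * ( ) and NUL so the input cannot change the filter
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else { [void]$sb.Append($c) }
    }
    $sb.ToString()
}

function Get-ComputerFromState([string]$State) {
    # Accept only the exact text the logon script writes:
    # "Logged on to <NAME> at <date> <time>", NAME = 1-15 letters, digits or hyphens
    if ($State -match '^Logged on to ([A-Za-z0-9-]{1,15}) at ') { return $Matches[1] }
    return $null
}

function Find-DirectoryObject([string]$Root, [string]$Category, [string]$Sam) {
    # One escaped sAMAccountName lookup, loading only the "st" attribute
    $s = New-Object DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]$Root
    $s.Filter = '(&(objectCategory=' + $Category + ')(sAMAccountName=' +
                (ConvertTo-LdapFilterValue $Sam) + '))'
    [void]$s.PropertiesToLoad.Add('st')
    $s.FindOne()
}

$userRoot     = 'LDAP://OU=users,DC=company,DC=com'   # search root used in the post
$computerRoot = 'LDAP://DC=company,DC=com'            # assumed: where computer accounts live

Add-Type -AssemblyName Microsoft.VisualBasic
$username = [Microsoft.VisualBasic.Interaction]::InputBox("Enter The Remote User's Username", "Username", "")
if (-not $username) { return }

$hit = Find-DirectoryObject $userRoot 'person' $username
if (-not $hit) { Write-Warning "No user named '$username' found"; return }

$state    = [string]($hit.Properties['st'] | Select-Object -First 1)
$computer = Get-ComputerFromState $state
if (-not $computer) { Write-Warning "State attribute is not in the expected format: '$state'"; return }

# Computer accounts carry a trailing $ in sAMAccountName
if (-not (Find-DirectoryObject $computerRoot 'computer' "$computer`$")) {
    Write-Warning "'$computer' is not a computer account in the domain"; return
}
msra.exe /offerRA $computer
```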

Finished Script

Now you can convert your PS script to an EXE and distribute it to your Help Desk employees!
