Sign in
 

none
Configure Offer remote assistance removes all helpers, then re-adds. Misconfiguration? Is there a better way?

 > 

    Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi, my domain is at the 2008R2 functional level, and I have a group policy which configures the "offer remote assistance" setting (Computer Configuration>admin templates>System>Remote Assistance).  I have noticed some interesting behavior, and I'd like to know if there's a more efficient way to do this:   Whenever this policy gets applied, it seems as if it removes all individuals from the "Offer Remote Assistance" group, then re-adds them.  I notice this because when I update the group policies on the clients, I see security log event 4733 (removing the account from the "offer remote assistance group") for each defined helper, then see security log event 4732 (adding the account to the "offer remote assistance group") for each helper.

    Is there a better way to accomplish this without adding and removing the accounts from the "offer remote assistance" group every time the policy is refreshed?

    I ask because I'm using a SIEM for logging privileged account usage or membership changes, and the hundreds of events per day are a bit noisy.

    As always, any recommendations are greatly appreciated!


    Thanks,


    Kevin

    Wednesday, January 21, 2015 4:54 PM
    |

Answers

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote
    > is there a better way to accomplish this without adding and removing the
    > accounts from the "offer remote assistance" group every time the policy
    > is refreshed?
     
    Either disable background refresh (but be aware that this requires
    computers to reboot to apply new settings), or disable "apply without
    changes", or ignore these events in your SIEM application.
     
    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by Frank Shen5Moderator Monday, January 26, 2015 9:09 AM
    • Marked as answer by ktgeil Monday, January 26, 2015 3:20 PM
    Thursday, January 22, 2015 1:38 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi Kevin,

    How is it going? I agree with Martin. If you need further help regarding the question, please don't hesitate to let us know.

    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Best regards,

    Frank Shen

    Monday, January 26, 2015 9:09 AM
    |
    Moderator
  • Question
    Sign in to vote
    0
    Sign in to vote

    Sure.  I had hoped that there was a better way...  Can you elaborate to the "apply without changes" setting that Martin mentioned?  It's eluding my google-fu.

    Thanks!

    Kevin

    Monday, January 26, 2015 3:20 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    > the "apply without changes" setting that Martin mentioned?
     
    Check http://gpsearch.azurewebsites.net/#329 - enable this and do not
    set "apply without changes". But be aware that regardless of what you
    configure, security policies WILL apply every 16 hours or so in the
    background. That's a hard coded value and behavior, and this applies
    only to security settings.
     
    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, January 26, 2015 4:17 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Thanks again Martin, I suppose that filtering in the SIEM is the best way to go in that case.  

    Good luck!

    Kevin

    Monday, January 26, 2015 4:44 PM
    |