Answered by:
Configure Offer remote assistance removes all helpers, then re-adds. Misconfiguration? Is there a better way?

-
Hi, my domain is at the 2008R2 functional level, and I have a group policy which configures the "offer remote assistance" setting (Computer Configuration>admin templates>System>Remote Assistance). I have noticed some interesting behavior, and I'd like to know if there's a more efficient way to do this: Whenever this policy gets applied, it seems as if it removes all individuals from the "Offer Remote Assistance" group, then re-adds them. I notice this because when I update the group policies on the clients, I see security log event 4733 (removing the account from the "offer remote assistance group") for each defined helper, then see security log event 4732 (adding the account to the "offer remote assistance group") for each helper.
Is there a better way to accomplish this without adding and removing the accounts from the "offer remote assistance" group every time the policy is refreshed?
I ask because I'm using a SIEM for logging privileged account usage or membership changes, and the hundreds of events per day are a bit noisy.As always, any recommendations are greatly appreciated!
Thanks,
Kevin
Question
Answers
-
> is there a better way to accomplish this without adding and removing the> accounts from the "offer remote assistance" group every time the policy> is refreshed?Either disable background refresh (but be aware that this requirescomputers to reboot to apply new settings), or disable "apply withoutchanges", or ignore these events in your SIEM application.
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Proposed as answer by Frank Shen5Moderator Monday, January 26, 2015 9:09 AM
- Marked as answer by ktgeil Monday, January 26, 2015 3:20 PM
-
> the "apply without changes" setting that Martin mentioned?Check http://gpsearch.azurewebsites.net/#329 - enable this and do notset "apply without changes". But be aware that regardless of what youconfigure, security policies WILL apply every 16 hours or so in thebackground. That's a hard coded value and behavior, and this appliesonly to security settings.
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Marked as answer by Frank Shen5Moderator Tuesday, January 27, 2015 12:57 AM
All replies
-
> is there a better way to accomplish this without adding and removing the> accounts from the "offer remote assistance" group every time the policy> is refreshed?Either disable background refresh (but be aware that this requirescomputers to reboot to apply new settings), or disable "apply withoutchanges", or ignore these events in your SIEM application.
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Proposed as answer by Frank Shen5Moderator Monday, January 26, 2015 9:09 AM
- Marked as answer by ktgeil Monday, January 26, 2015 3:20 PM
-
Hi Kevin,
How is it going? I agree with Martin. If you need further help regarding the question, please don't hesitate to let us know.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.Best regards,
Frank Shen
-
-
> the "apply without changes" setting that Martin mentioned?Check http://gpsearch.azurewebsites.net/#329 - enable this and do notset "apply without changes". But be aware that regardless of what youconfigure, security policies WILL apply every 16 hours or so in thebackground. That's a hard coded value and behavior, and this appliesonly to security settings.
Martin
Mal ein GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))- Marked as answer by Frank Shen5Moderator Tuesday, January 27, 2015 12:57 AM
-