I am trying to figure out how to allow a group of users to offer unsolicited remote assistance using msra /offerra to their fellow domain members.
I have created a policy enabling "Offer Remote Assistance" and filling the DOMAIN\RAHelpers user group into the "Helpers" list. I can see the DOMAIN\RAHelpers group turning up as a member in the local "Offer Remote Assistance Helpers" group of the targeted domain computers after the policy is applied. Yet, I am unable to set up a remote assistance connection with one of these users unless they are also a member of the local Administrators group of the to-be-assisted machine. The error message is rather unspecific ("Your offer to help could not be sent"), but I suspect a DCOM permission issue since RA seems to use DCOM and local administrators can connect for help just fine.
What minimal permission set would I need to allow for unsolicited remote assistance? I obviously do not want to promote all helpers to local administrators.
It turned out to be as easy as adding the users to the "Distributed COM Users" local group.
The "Enable remote assistance" policy does not change this group's memberships and unsolicited remote assistance seems to depend on DCOM remote activation.
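An added example, not part of the original answer: a PowerShell check to run elevated on a to-be-assisted machine. It confirms the helper group sits in both local groups named above, adds it to "Distributed COM Users" if missing, and flags a leftover local Administrators membership. It assumes English group names, the LocalAccounts module of Windows PowerShell 5.1 or later, and direct (not nested) membership.

```powershell
# Added example: audit and fix local group membership for Remote Assistance helpers.
# Assumption: English (non-localized) local group names, as quoted on this page.
$Helper = 'DOMAIN\RAHelpers'   # helper group from the question

function Test-LocalMember {
    param([string]$Group, [string]$Member)
    # Get-LocalGroupMember reports members as DOMAIN\name.
    # -contains compares case-insensitively and is $false for an empty group.
    $names = (Get-LocalGroupMember -Group $Group -ErrorAction Stop).Name
    return $names -contains $Member
}

# Populated by the "Offer Remote Assistance" policy: report only, do not edit by hand.
if (-not (Test-LocalMember -Group 'Offer Remote Assistance Helpers' -Member $Helper)) {
    Write-Warning "$Helper is not in 'Offer Remote Assistance Helpers'; check that the policy applied."
}

# Not touched by the policy: add the helper group if it is missing.
if (-not (Test-LocalMember -Group 'Distributed COM Users' -Member $Helper)) {
    Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Helper
    Write-Output "Added $Helper to 'Distributed COM Users'."
}

# Least-privilege check: only direct membership is detected here.
if (Test-LocalMember -Group 'Administrators' -Member $Helper) {
    Write-Warning "$Helper is in local Administrators; this is not needed to offer assistance."
}
```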
In our case the issue with RA not working was due to a mismatch in encryption.
Domain Controllers were using RC4 and Windows 10 clients are using AES128/256/future.