Remote Control Disabled

Hopefully this is an easy question, have been searching for the answer to no avail though.

I have installed the client on an XP Pro PC with SP3. When I try to run Remote Tools from SCCM on the PC, I get "Remote Control is disabled". If I log onto the PC and look in Control Panel and open "Remote Control" it is grayed out, I can't change it. It is set to None.

In SCCM  Site Settings > Client Agents > Remote Tools Client Agent it is enabled and "Users cannot change policy or notification settings in the Remote Control Control Panel" is unticked. I tried ticking / unticking. Uninstalled / re-installed the client. Repaired Configmgr Remote Tools Agent in Configuration Manager Properties in Control Panel. It just seems to ignore the SCCM config though.

I am using an administrator account to log into the PC.

I can RDP to the PC, no problem, but Remote Tools just won't connect.

Any ideas?

April 2nd, 2010 4:08pm

I bet is that there is a GPO overridign ConfigMgr. Do a RSOP on the PC.
Free Windows Admin Tool Kit Click here and download it now
April 2nd, 2010 4:31pm

Thanks for the reply Garth.

Hmm, I just spent 4 hours going through the options. I have enabled Terminal Service options but still Remote Control is disabled. Apparently our Group Policy is very basic.

I can connect via Remote Assistance with no problem but would like remote tools to work.

Any clue as to what in the GP that would be disabling it? It's all still grayed out.

April 6th, 2010 6:09am

Did a bit of research, but still unable to see what would cause Remote Control to be disabled.

Anyone have any other ideas?

Free Windows Admin Tool Kit Click here and download it now
April 13th, 2010 10:00am

On that same tab, check to make sure that access to XP or later is explicitly set to Full Control.
April 13th, 2010 4:17pm

Yep it is.

Managed to get it all ungrayed (?) out by modifing options in HKEY LOCAL MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control

Now getting, when connecting via remote tools "Insufficient level of access allowed" even though it is set to Full.

Interesting thing is, it kept prompting me for a User ID and password when connecting to Remote Control, saying the logged in user had insufficient access.  I am using the domain ID, logging into the SCCM server. And for it to stop prompting me for that I had to give access to the LOCAL administrator to the WMI Remote control.

How does that work?

In summary:

  • Log into Server 2008 R2 as domain administrator
  • Start SCCM 2007
  • Machine I am connecting to has the domain administrator on the PC as a local administrator (should have administrator rights  anyway right, without adding it to the local administrators group? I am covering all my bases)
  • Added domain administrator ID to the relevant WMI DCOM's
  • Added local administrator to relevant WMI DCOM's
  • No longer prompting for user ID, Domain and password
  • Now saying "Insufficient level of access allowed"
Free Windows Admin Tool Kit Click here and download it now
April 16th, 2010 9:42am

You do have a group in the security tab or at least a user defined for SCCM Remote Control in the SCCM console correct?  By default no one can do that.  Modifying the registry changes some things but you need to ensure you have a group defined or it won't do anything.  I think it is the security tab anyway (can't remember and don't have a console in front of me right now :)).

April 19th, 2010 10:27pm

Thanks Jim, in Remote Tools Client Agent Properties > Security > I have:

Administrator
Domain Admins

Does it need to say <Domain>\Administrator and <Domain>\Domain Admins?

I had that in before (still didn't work) but someone said it wasn't necessary to have the domain.

I assume SCCM uses the account of the currently logged in user of the server, correct?

Is it possible that the Remote Tools Agent isn't reading the permissions from SCCM?

This is from the CCM.log file of a machine I have set all the permissions on manually, WMI etc:

======>Begin Processing request: "NJXOQRGY", machine name: "SPARE"
---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x0)
---> Attempting to connect to administrative share '\\SPARE.ALTC.local\admin$' using account 'altc\administrator'
---> The 'best-shot' account has now succeeded 11 times and failed 0 times.
---> Connected to administrative share on machine SPARE.ALTC.local using account 'altc\administrator'
---> Attempting to make IPC connection to share <\\SPARE.ALTC.local\IPC$>
---> Searching for SMSClientInstall.* under '\\SPARE.ALTC.local\admin$\'
---> System OS version string "5.1.2600" converted to 5.10
---> Service Pack version from machine "SPARE" is 3
---> Mobile client on the target machine has the same version, and 'forced' flag is turned on.
---> Creating \ VerifyingCopying exsistance of destination directory \\SPARE\admin$\system32\ccmsetup.
---> Copying client files to \\SPARE\admin$\system32\ccmsetup.
---> Copying file "C:\Program Files (x86)\Microsoft Configuration Manager\bin\I386\MobileClient.tcf" to "\\SPARE\admin$\system32\ccmsetup\MobileClient.tcf"
---> Updated service "ccmsetup" on machine "SPARE".
---> Started service "ccmsetup" on machine "SPARE".
---> Deleting SMS Client Install Lock File '\\SPARE.ALTC.local\admin$\SMSClientInstall.ALT'
---> Completed request "NJXOQRGY", machine name "SPARE".
Deleted request "NJXOQRGY", machine name "SPARE"
<======End request: "NJXOQRGY", machine name: "SPARE".

And this is a machine I haven't modified at all:

======>Begin Processing request: "GDIEVYBT", machine name: "WKS-004"
---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x0)
---> Attempting to connect to administrative share '\\WKS-004.ALTC.local\admin$' using account 'altc\administrator'
---> The 'best-shot' account has now succeeded 15 times and failed 0 times.
---> Connected to administrative share on machine WKS-004.ALTC.local using account 'altc\administrator'
---> Attempting to make IPC connection to share <\\WKS-004.ALTC.local\IPC$>
---> Searching for SMSClientInstall.* under '\\WKS-004.ALTC.local\admin$\'
---> System OS version string "5.1.2600" converted to 5.10
---> Service Pack version from machine "WKS-004" is 3
CWmi::Connect(): ConnectServer(Namespace) failed. - 0x8004100e
---> Unable to connect to WMI (r) on remote machine "WKS-004", error = 0x8004100e.
---> Creating \ VerifyingCopying exsistance of destination directory \\WKS-004\admin$\system32\ccmsetup.
---> Copying client files to \\WKS-004\admin$\system32\ccmsetup.
---> Copying file "C:\Program Files (x86)\Microsoft Configuration Manager\bin\I386\MobileClient.tcf" to "\\WKS-004\admin$\system32\ccmsetup\MobileClient.tcf"
---> Updated service "ccmsetup" on machine "WKS-004".
---> Started service "ccmsetup" on machine "WKS-004".
---> Deleting SMS Client Install Lock File '\\WKS-004.ALTC.local\admin$\SMSClientInstall.ALT'
---> Completed request "GDIEVYBT", machine name "WKS-004".
Deleted request "GDIEVYBT", machine name "WKS-004"
<======End request: "GDIEVYBT", machine name: "WKS-004".

Free Windows Admin Tool Kit Click here and download it now
April 20th, 2010 4:50am

Did you ever get this resolved?  I am having the same problem, but only on certain machines.  When we first installed SCCM 2007, we had this on all the clients, but ran a VB script to change a registry setting.  That fixed it, but since upgrading to SCCM 2007 SP2, the problem is back and the setting change does not help.

Any one have any ideas?

June 30th, 2010 3:56pm

I'd make sure the domain\group or domain\ID is specified.

The below is specified in help.  I've always used a domain in front of the ID or group that I specify in this area.  Not sure if this helps or not Spoondog.  SCCM Noob, sorry I didn't respond - I just saw your response actually above.  Hopefully you have things working now.

Users and user groups who can initiate Remote Tools sessions. These groups are global, not local. You can add these names to the Permitted viewers table. Specify the information in a domain_name\user_name or domain_name\group_name format, or just type the user or group name. The account name is not verified at this point, so ensure that it is typed correctly.

Free Windows Admin Tool Kit Click here and download it now
July 1st, 2010 8:24pm

Hi

Same problem, after an upgrade from SMS 2003 to SCCM SP1, SP2, R2

idem after a SMS client upgrade or a fresh install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control]

"Enabled"=dword:00000000

 

1) Modifying the key manually to 1 works

2) Value set to 0 again after a push/repair

3) PolicySpy says: boolean  Enabled = True under CCM_RemoteToolsConfig

4) Disabling/re-enabling 'Enable Remote Tools on clients' (Remote tools client Agent Properties) modify the Policy... but never change the Registry key

5) Full reset of SMS policy doesn't change anything

6) Modifying the value to 1 manually always work....

 

It seems that our clients receive the right SMS Policy, but it is never used... and never applied to the registry...

 

Any idea why ?? as we have to upgrade 20'000 SMS Clients...

I can imagine that a script or a domain policy would do the job, but I'd like to understand this weird behavior...

 

Thanks

July 2nd, 2010 1:41pm

Thanks for the response Jim.  The domain groups and rights are set correctly.  It does appear that I had to manually go into the registry and flip the DWORD value back to one.  For some reason it keeps flipping back to 0 and disabling remote control.  I guess I will need to search out why it keeps reverting back.

Thanks again!

Free Windows Admin Tool Kit Click here and download it now
July 2nd, 2010 3:30pm

idem.. upgrading SMS clients to SP1 works... as soon as we update them to SP2, the Reg key is modified to 0...

Any repair will revert it back to 0...

July 2nd, 2010 3:52pm

Hmm - I'd say this is definitely a bug if there is a trend in different environments.  There really isn't much to enabling remote control - a check box and some settings in that component and the security tab.  The fact that it is reversing the DWORD value sounds like they are fixing something that got deprecated and didn't realize.  Too many developers in the kitchen maybe but no clue.  I'd say open a call with Microsoft.  If it is a bug they shouldn't burn your call.  Definitely something that should be looked at.
Free Windows Admin Tool Kit Click here and download it now
July 2nd, 2010 5:55pm

Thanks Jim, I'm going to open a MS call... and I will let you know...
July 5th, 2010 9:06am

Doutaz Michel,

Did you open a call?  What's the verdict?

Same problem on our end:  Upgrade to SP2, "Enabled = 0", manually modify it to = 1, run a repair and it gets set back to 0. 

SP1 clients are fine.  We upgrade them and they are set to 0, disabling remote control.

About to call Microsoft, but hoped you already did and I can get the answer here faster.

Thanks,

-Nick-

Free Windows Admin Tool Kit Click here and download it now
July 20th, 2010 3:51pm

Hello everybody,

is a solution for this issue out there ? Were having the same problem in our enviroment, after upgrading from SMS 2003 :-(

Thanks

-Marc-

August 5th, 2010 9:39am

Marc,

We're currently working with Microsoft, but they aren't getting very far.  Right now, we're in the config manager support queue, but may be working with DCOM team soon.

What we've found so far is that, for some reason the DCOM permissions on the general COMPUTER object in dcomcnfg seems to be corrupt.

Go to Start > Run > Dcomcnfg

Click on Component Services > Computers

Right-click on "My Computer" and then Properties.

COM Security Tab and click Edit Limits under the Launch and Activation Permissions.

First question: Do you see an access control list?  Some of our systems are showing a blank dialog... all gray box, no ACL.

Second question: If you see the ACL, do you see any SIDS listed instead of the group names?

 

Also, if you can download the DCOMPERM.exe tool or grab it from your Microsoft Account Rep (or you can download it here: http://www.myitforum.com/articles/34/view.asp?id=9323), what we're finding is that if we run the following command, we have many duplicate entries for the My Computer COM object.

dcomperm.exe -ml list

I recently rebuilt a system and did not join it to the domain.  I ran that command after several reboots and we came up with a clean list.

I added it to our domain, and with each reboot, the list is adding duplicate entries.

My hunch is that there's a bad GPO in place. Thinking it may have to do with the GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies/Security options > Other > Policy: DCOM:Machine access restrictions in Security Descriptor Definition

We upgraded SCCM SP1 - SP2, but you may be installing SCCM for first time from SMS 2003.  From what we can tell, it seems that the client, when installed resets the settings back to default, then waits for policy to reconfigure them.  Since the permissions are screwed up on that particular ACL, we think that the client just can't configure it.

In addition to the remote control being disabled, so is Remote Assistance for us.  People that are ONLY in the Offer Remote Assistance Helpers local group get a "permission denied" when they try to offer remote assistance.  Administrators have no issue.

To resolve, at least temporarily, you can backup the following key HKLM\Software\Microsoft\OLE\MachineLaunchRestrictions (we'll be deleting this).

Go to Start > Run > Dcomcnfg

Click on Component Services > Computers

Right-click on "My Computer" and then Properties.

COM Security Tab and click Edit Limits under the Launch and Activation Permissions.

Record the security settings you see, if you see them at all.

Delete the registry key you just backed up.

Go back into DCOMCNFG and manually enter the users/groups into the ACL again.

Restart SCCM.

That seems to have resolved the issue, but still, with every reboot, we are seeing entries added to the list.  In 2 instances, there were over 2000 entries.  I rebooted a lab system 60 times yesterday and ended up with 420 entries... but you can only see them using the dcomperm.exe -ml list

Curious to know if you are seeing the same DCOM symptoms.

 

Free Windows Admin Tool Kit Click here and download it now
August 5th, 2010 4:10pm

Good morning,

Do you have any update on this problem? 

We are seeing this on a significant number of machines; we are just finishing up an SMS upgrade to SCCM SP2 R2.  Interesting enough, even on machines where remote tools are still working, when we run a dcomperm -ml list, the result is a repeating list as described above.

Thanks!

Marge

September 2nd, 2010 6:00pm

Marge,

Have you reviewed the steps I listed?

Microsoft has determined this as a bug in the GPO processing for the following GPO:

Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance

They said that, because XP is in extended support, they will not create a hotfix for the issue of the DCOM permissions.... for XP.  The issue was duplicated in Windows 7 and they will get a hotfix for that; however, until a high-priority is raised on the issue, they cannot prioritize it as high for Win7 development.

So the issue was that our installation of SCCM SP2 from SP1 (and assuming any SCCM Client installation) resets the settings for Remote Control.  Because the ACL was maxed out for the DCOM object, it wasn't able to readd the permissions and so that registry settings for the Remote Control could not be modified, causing the issue.  It's not so much an SCCM issue as it is a DCOM/GPO issue where SCCM just exposes it.

Hope that helps.

Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2010 9:48pm

Hi Nick,

Yes, I followed your steps and and have similar results.  As a work-around, I am thinking of simply forcing the Enabled entry to 1 with a Group Policy.  What did you do to work around the issue?

Marge

September 8th, 2010 6:28pm

You'll need to get DCOMPERM.exe.

Then there are two batch files... one simply starts a separate process to launch the other (for SCCM advertisement purposes).

Put the DCOMPerm.exe and the following in the same folder at the same level and create an SCCM package out of it.

Batch file number 1:

@echo off
REM call %0\..\SCCMRAFIX.CMD
START CMD /c %0\..\SCCMRAFIX.CMD

@EXIT

Batch File number 2:

@echo off
cls
 
ECHO FIXING REMOTE ASSISTANCE STUFF...
echo.
 
rem stop SCCM exec service - This will enable the Remote Tools to reconfig and enable
echo Stopping SCCM...
rem net stop "SMS Agent Host"
rem sleep 60

:NOTSTOPPED
SLEEP.EXE 10
sc stop ccmexec | find /I "The service has not been started"
if ERRORLEVEL 1 goto NOTSTOPPED
if ERRORLEVEL 0 goto ITSSTOPPED
:ITSSTOPPED
echo done.
echo.
 
rem delete the registry value for Machine COM object
rem HKLM\Software\Microsoft\OLE\MachineLaunchRestriction
echo Deleting the Machine COM Object ACLs...
reg DELETE HKLM\Software\Microsoft\OLE /v MachineLaunchRestriction /f
echo done.
echo.
 
rem add the SCCM Remote Control Group into the ACL list for the Machine COM object
rem this should add in the "Everyone," "Administrators," and "Offer Remote Assistance Helpers" groups with their proper ACLs
echo Adding the SCCM Remote Control Users group to the Machine COM object ACLs...
%0\..\dcomperm -ml set "%computername%\ConfigMgr Remote Control Users" permit level:ll,la
echo done.
echo.
 
rem set the Windows Help and Support COM object ACLs back to their defaults
echo Reverting ACLs on the Windows Help and Support COM object...
%0\..\dcomperm -al {833E4001-AFF7-4AC3-AAC2-9F24C1457BCE} default
rem adding the Offer Remote Assistance Helpers group back, for RA still doesnt work with out it
%0\..\dcomperm -al {833E4001-AFF7-4AC3-AAC2-9F24C1457BCE} set "%computername%\Offer Remote Assistance Helpers" permit level:rl,ra
%0\..\dcomperm -aa {833E4001-AFF7-4AC3-AAC2-9F24C1457BCE} default
echo done.
echo.
 
rem start up the SCCM exec service now that we've cleaned up a bit...
echo Starting SCCM...
net start "SMS Agent Host"
sleep 5
echo done.
echo.
echo.
echo ...done!

Free Windows Admin Tool Kit Click here and download it now
September 8th, 2010 8:17pm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control]
"Enabled"= 0 ,

Change it to "Enabled"= 1

September 4th, 2013 4:16am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics