Tuesday 29 May 2012

Corporate Desktop Support using msra and batch files.

Reasoning:
I was getting tired of spending valuable minutes of my time walking around, so decided it was time to set up remote assistance for my office. There are plenty of options already out there like iTALC and TeamViewer but I had a few requirements:
  • Entirely local. The aim was to support machines on the internal network so there's no need to rely on external hardware/software.
  • We don't need most of the features. No asset management, and no 'background spying' on a users desktop and habits. This will do one thing: access computers remotely
  • As simple as possible.
All our hardware is tagged, so it turns out it's pretty easy to offer basic remote support with one Astoundingly-Simple batch file and a few changes to group policy.


The Batch File:

SET /P target="Target Computer/IP:"
msra.exe /offerra %target%


That's all you need at a basic level - type in the computer name and it launches the remote assistance tool.

Here's the slightly-expanded version I'm using:




@echo off
set logfile=%appdata%\assistancelog.log
SET /P target="Target Computer/IP:"


nslookup %target%
wmic /node:"%target%" ComputerSystem Get UserName
echo Offering assistance to %target% at %date% %time% >> "%logfile%"


msra.exe /offerra %target%




This is what it does:
  • Requests the network name of the computer from you. If all your machines are tagged you'll have no problems.
  • Grabs the network address of the computer and the username of whoever is logged in
  • Writes to a log file - nothing fancy, just the computer name and time
  • Launches Windows Remote Assistance pointed at the target computer

The Group Policy Change: 

A quick overview of the change you need to make:

All nice and simple, just changing a few settings and adding the users/security groups you wish to have access.

Additionally, you may wish to add these:
This just punches a couple of holes in the firewall for both Remote Desktop and wmic. While I set mine to allow localsubnet you can easily lock yours to a specific IP range instead. Apply the policy to all the company computers and you're done.


Usage:
Run the batch file as and you get this:

The user gets a popup requesting access to their computer, and when they accept you get remote access. simple, supported, and done entirely using the software baked into windows.



Notes:

  • This doesn't really work for terminal servers. Enable session shadowing on the server to get the same effect.
  • This was tested and used shortly after we finished migrating to Windows 7/2008. It probably wont work out-of-the-box if you've got XP machines mixed in.
  • It is possible to do this in reverse, with a user running a batch file that requests assistance from tech support. It's a bit trickier to set up if you want to minimise user options, but it works.