Like many IT departments, remote assistance using Goto Assist or another similar product is a cornerstone of our support infrastructure. Goto Assist in particular is extremely versatile as it works through most firewalls and can be launched by sending the client an email containing a link or by having them go to a customized web page and typing in a code. Even with the various built-in options for initiating a remote assistance session with Goto Assist, I still find situations where it's more desirable to remotely launch a session without any user intervention at all. Assuming the client computer is a member of our domain and we can actively contact that computer over the network, you can accomplish this task using the PsExec command included with PsTools. If you haven't gotten familiar with the PsTools suite, I highly recommend you check them out. They are invaluable for managing remote workstations in a windows domain.
PsExec allows you to remotely execute a command on a domain member workstation. To launch the Goto Assist session, we're going to remotely launch internet explorer and tell it to open the URL associated with our Goto Assist session. Here's an example:
psexec \\ClientComputerName -u DOMAIN\User -i "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com
Replace ClientComputerName with the name of the workstation you wish to connect to. If you're authenticating with a domain account, use the DOMAIN\User format for the -u switch. You can use a local account that exists on the client computer simply by using that name with the -u switch. This example launches Google's web site, but you can replace that URL with the link to your Goto Assist session. The -i switch forces the application to launch in interactive mode so the user can see the window.
There are a few security issues to keep in mind. You will want to ensure the user account you use to launch Internet Explorer has only the minimum permissions required since the IE process will run with all the permissions that user possesses. If, for example, we ran this command and input an account that had local administrative rights on the client computer, anything the client did with that IE window after we launched it would also have full administrative rights. We have a local user account on all our workstations I use to launch Goto Assist since it needs no special administrative permissions. We could also purposely launch IE using a local administrative account for the purposes of allowing the user to install a new ActiveX control. Just be sure to define your security policies for this procedure ahead of time and stick to them.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment