Difference between revisions of "Active Directory/Documentation/Planning"

From WolfTech
Jump to navigation Jump to search
 
(45 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
=Tasks=
 
=Tasks=
 +
==Licensing/Activation==
 +
* [http://microsys.unity.ncsu.edu/documentation/Microsoft-Volume-License-Activation/ KMS@NCSU]
 +
 
==Group Policies==
 
==Group Policies==
 
===Block Incompatible GPOs===
 
===Block Incompatible GPOs===
 +
Use WMI filters to block incompatible GPOs.
 +
 +
* ECE-Enable Remote Assistance - Will need separate Vista policy (HelpAssistant user doesn't exist in Vista).
 +
* FW-NCSU-Microsoft-Defender-1.1.1593.0-20061114 - Vista already has Defender.
 +
* FW-NCSU-Microsoft-GPMC-1.0.2-20050217 - Vista already has the GPMC.
 +
* FW-NCSU-Microsoft-UPHClean-1.6d-20060616
 +
* FW-NCSU-Microsoft-Windows XP Support Tools-SP2-20050207
 +
* FW-NCSU-SWE von Schleusen-UltimateZip-2.7.1-20041028 - Not Vista compatible.
 +
* FW-NCSU-WolfTech-Defrag C-1.0-20050408 - Not necessary, Vista has built-in defrag scheduling.
 +
* SW-ECE-NCSU-Wolfcall (Lab)-1.2.1-20050512 - Not Vista compatible.
 +
* SW-NCSU-MathWorks-MATLAB-7.4-20070306 - WinSxS Problem
 +
** Fixed
 +
* SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.0-20040601 - Not Vista compatible.
 +
* SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20050510 - Not Vista compatible.
 +
* SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20060829 - Not Vista compatible.
 +
* SW-NCSU-NCSU-Wolfcall (without autologin)-1.2.1-20050615 - Not Vista compatible.
 +
* SW-NCSU-Symantec-AntiVirus (UNI03NT)-10.0.2.2021-20060530 - Not Vista compatible.
 +
** Published SAV 10.2 for Vista
 +
* SW-ECE-Symantec-AntiVirus (SERPENT)-10.0.2.2021-20060530 - Not Vista compatible.
 +
** Published SAV 10.2 for Vista
 +
* SW-ECE-WolfTech-Support Icons-2.0-20060826 - MSI Install Issues
 +
* SW-COE-National Instruments-LabVIEW-8.20-20061220 - WinSxS Problem
 +
 
===Domain Policy===
 
===Domain Policy===
 +
====Options====
 +
*Create separate domain policies for Vista and Windows 2000/XP/2003.
 +
**Creates more complexity by having completely separate group policy environments for different OS's.
 +
**OS's may have different security levels/inconsistent security policies.
 +
***Reduces predictability.
 +
***Complicates determining security compliance.
 +
***Compatibility issues could vary on different OS's
 +
*Use common domain policy for all OS's and create a separate domain policy for Vista only policies.
 +
**This would prevent any unintended consequences on XP/2003 computers.
 +
**Reduces complexity by having common security policies for all OS's.
 +
**Would be a good idea to reconsider settings using both updated Windows XP Security Guide and new Windows Vista Security Guide.
 +
*Use common domain policy for all OS's including Vista only policies.
 +
**Will require testing to make sure Vista only policies don't cause problems on XP/2003 computers.
 +
**Reduces complexity by having common security policies for all OS's.
 +
**Would be a good idea to reconsider settings using both updated Windows XP Security Guide and new Windows Vista Security Guide.
 +
*Create pre-Vista, Vista, and common domain policies.
 +
**Will have to split the current Default Domain Policy to pull out pre-Vista group policies.
 +
**May be necessary because firewall rules are different in Vista and XP.  If the new Vista policies work for XP, this may not be necessary.
 +
 +
====Observations====
 +
*Security settings in Vista and Windows XP are very similar.  The only obvious difference is that Vista has new policies to control new features such as privilege elevation and the extended firewall.
 +
 +
====Policies====
 +
* Desktop Policy
 +
** Very similar to XP/2003 Desktop Policy.
 +
** Some new features specific to Vista.
 +
** Firewall management is different.
 +
*** Port/Application rules are fine, but special rules are different, such as remote administration.
 +
*** Not sure yet if the Vista policies would work on XP/2003 machines instead of the old policies.
 +
*** Outgoing firewall rules???
 +
** Todo
 +
* Laptop Policy
 +
** No changes from the existing laptop policy are necessary.
 +
* Domain Policy
 +
** Defines user account password and lockout policies.
 +
** No need for separate policies for XP/2003 and Vista.
 +
** New settings were applied to the Domain-Domain Accounts Policy
 +
* User Policy
 +
** Added some new policies, mostly from IE7, to Default Domain Policy.
 +
** Shouldn't cause problems for computers that don't support new group policies.
 +
 +
====Plan A====
 +
A [http://www.wolftech.ncsu.edu/activedirectory/docs/VistaGPArch.vsd visual diagram] is available.
 +
 +
* Rename Default Domain Policy to Default Domain Policy-XP/2003.
 +
**Done
 +
* Use WMI Filter to make Default Domain Policy-XP/2003 only apply to Windows 2000/XP/2003 Computers.
 +
** Done
 +
* Move user settings and common settings from Default Domain Policy to Default Domain Policy.
 +
**Done
 +
* Create Default Domain Policy-Vista from Vista Security Guide.
 +
**Done
 +
* Use WMI Filter to make Default Domain Policy-Vista only apply to Windows Vista Computers.
 +
** Done
 +
* Rectify Vista user settings with existing user settings.
 +
* Edit/Audit Default Domain Policy-Vista.
 +
* Create Default Domain Policy for settings common to all current and hopefully future Windows OS's.
 +
===Remote Assistance===
 +
*Created ECE-Enable Remote Assistance-Vista to enable unsolicited remote assistance for Vista computers.
 +
 
==Test Software==
 
==Test Software==
 +
===Compatible===
 +
===Incompatible===
 +
===Untested===
 +
 +
==Script Problems==
 +
*Local Admin Password Crawler (LAPCrawl) doesn't appear to work on Vista computers.
 +
**Caused by the firewall blocking it.  Resolved by firewall rules.
 +
 +
==Firewall Rules==
 +
 
==Migration Wizard==
 
==Migration Wizard==
 
==Deployment==
 
==Deployment==
Line 9: Line 105:
 
* Brought up ECE00WDS.
 
* Brought up ECE00WDS.
 
* Created WDS GPO template.
 
* Created WDS GPO template.
 +
* Created [[Active_Directory/Documentation/WDS_Images | image]].
 
* Installed Vista from WDS.
 
* Installed Vista from WDS.
 
Todo:
 
Todo:
Line 16: Line 113:
 
===Create Unattended Image===
 
===Create Unattended Image===
 
*Created Image
 
*Created Image
 +
* Make image actually install unattended.
  
 
Todo:
 
Todo:
* Make image actually install unattended.
+
 
 +
==Resolve Errors==
 +
===Unable to Update Group Policy===
 +
====Details====
 +
When I run <code>gpupdate /force</code>, I get the following error message and the following event is logged:
 +
 
 +
User policy could not be updated successfully. The following errors were
 +
encountered:
 +
The processing of Group Policy failed. Windows could not resolve the computer
 +
name. This could be caused by one of more of the following:
 +
a) Name Resolution failure on the current domain controller.
 +
b) Active Directory Replication Latency (an account created on another domain
 +
controller has not replicated to the current domain controller).
 +
Computer Policy update has completed successfully.
 +
To diagnose the failure, review the event log or invoke gpmc.msc to access infor
 +
mation about Group Policy results.
 +
 
 +
Log Name:      System
 +
Source:        Microsoft-Windows-GroupPolicy
 +
Date:          11/22/2006 10:41:49 AM
 +
Event ID:      1055
 +
Task Category: None
 +
Level:        Error
 +
Keywords:     
 +
User:          WOLFTECH\pgmurphy.admin
 +
Computer:      VPCVista.ece.ncsu.edu
 +
Description:
 +
The processing of Group Policy failed. Windows could not resolve the computer name. This
 +
could be  caused by one of more of the following:
 +
a) Name Resolution failure on the current domain controller.
 +
b) Active Directory Replication Latency (an account created on another domain controller has
 +
not  replicated to the current domain controller).
 +
Event Xml:
 +
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 +
  <System>
 +
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
 +
    <EventID>1055</EventID>
 +
    <Version>0</Version>
 +
    <Level>2</Level>
 +
    <Task>0</Task>
 +
    <Opcode>1</Opcode>
 +
    <Keywords>0x8000000000000000</Keywords>
 +
    <TimeCreated SystemTime="2006-11-22T15:41:49.553Z" />
 +
    <EventRecordID>1285</EventRecordID>
 +
    <Correlation ActivityID="{1AEBF62E-E81B-4BD5-9F36-F1B4AC1812AE}" />
 +
    <Execution ProcessID="1044" ThreadID="2868" />
 +
    <Channel>System</Channel>
 +
    <Computer>VPCVista.ece.ncsu.edu</Computer>
 +
    <Security UserID="S-1-5-21-2670277017-1606584948-3883025002-1338" />
 +
  </System>
 +
  <EventData>
 +
    <Data Name="SupportInfo1">1</Data>
 +
    <Data Name="SupportInfo2">1753</Data>
 +
    <Data Name="ProcessingMode">0</Data>
 +
    <Data Name="ProcessingTimeInMilliseconds">125</Data>
 +
    <Data Name="ErrorCode">1317</Data>
 +
    <Data Name="ErrorDescription">The specified account does not exist. </Data>
 +
  </EventData>
 +
</Event>
 +
 
 +
Group Policy Infrastructure failed due to the error listed below.
 +
The specified account does not exist.
 +
Note: Due to the GP Core failure, none of the other Group Policy components processed
 +
their policy. Consequently, status information for the other components is not available.
 +
 
 +
====Cause====
 +
====Solution====
 +
 
 +
===Unable to Update Group Policy===
 +
====Details====
 +
Log Name:      Application
 +
Source:        SceCli
 +
Date:          11/27/2006 11:50:35 AM
 +
Event ID:      1202
 +
Task Category: None
 +
Level:        Warning
 +
Keywords:      Classic
 +
User:          N/A
 +
Computer:      epona.ece.ncsu.edu
 +
Description:
 +
Security policies were propagated with warning. 0x534 : No mapping between account
 +
names and security IDs was done.
 +
 +
Advanced help for this problem is available on http://support.microsoft.com. Query
 +
for "troubleshooting 1202 events".
 +
 +
Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs)
 +
could not be resolved to a SID.  This error is possibly caused by a mistyped or
 +
deleted user account referenced in either the User Rights or Restricted Groups
 +
branch of a GPO.  To resolve this event, contact an administrator in the domain to
 +
perform the following actions:
 +
 +
1. Identify accounts that could not be resolved to a SID:
 +
 +
From the command prompt, type: FIND /I "Cannot find"
 +
%SYSTEMROOT%\Security\Logs\winlogon.log
 +
 +
The string following "Cannot find" in the FIND output identifies the problem account
 +
names.
 +
 +
Example: Cannot find JohnDough.
 +
 +
In this case, the SID for username "JohnDough" could not be determined. This most
 +
likely occurs because the account was deleted, renamed, or is spelled differently
 +
(e.g. "JohnDoe").
 +
 +
2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source
 +
GPOs that contain the problem accounts:
 +
 +
a. Start -> Run -> RSoP.msc
 +
b. Review the results for Computer Configuration\Windows Settings\Security
 +
Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows
 +
Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged
 +
with a red X.
 +
c. For any User Right or Restricted Group marked with a red X, the corresponding
 +
GPO that contains the problem policy setting is listed under the column entitled
 +
"Source GPO". Note the specific User Rights, Restricted Groups and containing Source
 +
GPOs that are generating errors.
 +
 +
3. Remove unresolved accounts from Group Policy
 +
 +
a. Start -> Run -> MMC.EXE
 +
b. From the File menu select "Add/Remove Snap-in..."
 +
c. From the "Add/Remove Snap-in" dialog box select "Add..."
 +
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
 +
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
 +
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
 +
g. For each source GPO identified in step 2, correct the specific User Rights or
 +
Restricted Groups that were flagged with a red X in step 2. These User Rights or
 +
Restricted Groups can be corrected by removing or correcting any references to the 
 +
problem accounts that were identified in step 1.
 +
 
 +
FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log
 +
 +
---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
 +
        Cannot find HelpAssistant.
 +
        Cannot find HelpAssistant.
 +
        Cannot find HelpAssistant.
 +
        Cannot find HelpAssistant.
 +
        Cannot find HelpAssistant.
 +
        Cannot find HelpAssistant.
 +
        Cannot find HelpAssistant.
 +
 
 +
====Cause====
 +
Account HelpAssistant is defined in ECE-Enable Remote Assistance GPO but does not appear to exist in Vista.  This causes an error in the Event Log.
 +
====Solution====
 +
Prevent this group policy from applying to Vista computers with a WMI filter and create a new Remote Assistance policy for Vista computers.

Latest revision as of 13:02, 13 April 2007

Tasks

Licensing/Activation

Group Policies

Block Incompatible GPOs

Use WMI filters to block incompatible GPOs.

  • ECE-Enable Remote Assistance - Will need separate Vista policy (HelpAssistant user doesn't exist in Vista).
  • FW-NCSU-Microsoft-Defender-1.1.1593.0-20061114 - Vista already has Defender.
  • FW-NCSU-Microsoft-GPMC-1.0.2-20050217 - Vista already has the GPMC.
  • FW-NCSU-Microsoft-UPHClean-1.6d-20060616
  • FW-NCSU-Microsoft-Windows XP Support Tools-SP2-20050207
  • FW-NCSU-SWE von Schleusen-UltimateZip-2.7.1-20041028 - Not Vista compatible.
  • FW-NCSU-WolfTech-Defrag C-1.0-20050408 - Not necessary, Vista has built-in defrag scheduling.
  • SW-ECE-NCSU-Wolfcall (Lab)-1.2.1-20050512 - Not Vista compatible.
  • SW-NCSU-MathWorks-MATLAB-7.4-20070306 - WinSxS Problem
    • Fixed
  • SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.0-20040601 - Not Vista compatible.
  • SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20050510 - Not Vista compatible.
  • SW-NCSU-NCSU-Wolfcall (with autologin)-1.2.1-20060829 - Not Vista compatible.
  • SW-NCSU-NCSU-Wolfcall (without autologin)-1.2.1-20050615 - Not Vista compatible.
  • SW-NCSU-Symantec-AntiVirus (UNI03NT)-10.0.2.2021-20060530 - Not Vista compatible.
    • Published SAV 10.2 for Vista
  • SW-ECE-Symantec-AntiVirus (SERPENT)-10.0.2.2021-20060530 - Not Vista compatible.
    • Published SAV 10.2 for Vista
  • SW-ECE-WolfTech-Support Icons-2.0-20060826 - MSI Install Issues
  • SW-COE-National Instruments-LabVIEW-8.20-20061220 - WinSxS Problem

Domain Policy

Options

  • Create separate domain policies for Vista and Windows 2000/XP/2003.
    • Creates more complexity by having completely separate group policy environments for different OS's.
    • OS's may have different security levels/inconsistent security policies.
      • Reduces predictability.
      • Complicates determining security compliance.
      • Compatibility issues could vary on different OS's
  • Use common domain policy for all OS's and create a separate domain policy for Vista only policies.
    • This would prevent any unintended consequences on XP/2003 computers.
    • Reduces complexity by having common security policies for all OS's.
    • Would be a good idea to reconsider settings using both updated Windows XP Security Guide and new Windows Vista Security Guide.
  • Use common domain policy for all OS's including Vista only policies.
    • Will require testing to make sure Vista only policies don't cause problems on XP/2003 computers.
    • Reduces complexity by having common security policies for all OS's.
    • Would be a good idea to reconsider settings using both updated Windows XP Security Guide and new Windows Vista Security Guide.
  • Create pre-Vista, Vista, and common domain policies.
    • Will have to split the current Default Domain Policy to pull out pre-Vista group policies.
    • May be necessary because firewall rules are different in Vista and XP. If the new Vista policies work for XP, this may not be necessary.

Observations

  • Security settings in Vista and Windows XP are very similar. The only obvious difference is that Vista has new policies to control new features such as privilege elevation and the extended firewall.

Policies

  • Desktop Policy
    • Very similar to XP/2003 Desktop Policy.
    • Some new features specific to Vista.
    • Firewall management is different.
      • Port/Application rules are fine, but special rules are different, such as remote administration.
      • Not sure yet if the Vista policies would work on XP/2003 machines instead of the old policies.
      • Outgoing firewall rules???
    • Todo
  • Laptop Policy
    • No changes from the existing laptop policy are necessary.
  • Domain Policy
    • Defines user account password and lockout policies.
    • No need for separate policies for XP/2003 and Vista.
    • New settings were applied to the Domain-Domain Accounts Policy
  • User Policy
    • Added some new policies, mostly from IE7, to Default Domain Policy.
    • Shouldn't cause problems for computers that don't support new group policies.

Plan A

A visual diagram is available.

  • Rename Default Domain Policy to Default Domain Policy-XP/2003.
    • Done
  • Use WMI Filter to make Default Domain Policy-XP/2003 only apply to Windows 2000/XP/2003 Computers.
    • Done
  • Move user settings and common settings from Default Domain Policy to Default Domain Policy.
    • Done
  • Create Default Domain Policy-Vista from Vista Security Guide.
    • Done
  • Use WMI Filter to make Default Domain Policy-Vista only apply to Windows Vista Computers.
    • Done
  • Rectify Vista user settings with existing user settings.
  • Edit/Audit Default Domain Policy-Vista.
  • Create Default Domain Policy for settings common to all current and hopefully future Windows OS's.

Remote Assistance

  • Created ECE-Enable Remote Assistance-Vista to enable unsolicited remote assistance for Vista computers.

Test Software

Compatible

Incompatible

Untested

Script Problems

  • Local Admin Password Crawler (LAPCrawl) doesn't appear to work on Vista computers.
    • Caused by the firewall blocking it. Resolved by firewall rules.

Firewall Rules

Migration Wizard

Deployment

WDS Server

  • Brought up ECE00WDS.
  • Created WDS GPO template.
  • Created image.
  • Installed Vista from WDS.

Todo:

  • Apply Member Server template.
  • Setup DFS Replication between WDS Servers

Create Unattended Image

  • Created Image
  • Make image actually install unattended.

Todo:

Resolve Errors

Unable to Update Group Policy

Details

When I run gpupdate /force, I get the following error message and the following event is logged:

User policy could not be updated successfully. The following errors were
encountered:
The processing of Group Policy failed. Windows could not resolve the computer
name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain
controller has not replicated to the current domain controller).
Computer Policy update has completed successfully.
To diagnose the failure, review the event log or invoke gpmc.msc to access infor
mation about Group Policy results.
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          11/22/2006 10:41:49 AM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:      
User:          WOLFTECH\pgmurphy.admin
Computer:      VPCVista.ece.ncsu.edu
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This 
could be  caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has
not  replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
   <EventID>1055</EventID>
   <Version>0</Version>
   <Level>2</Level>
   <Task>0</Task>
   <Opcode>1</Opcode>
   <Keywords>0x8000000000000000</Keywords>
   <TimeCreated SystemTime="2006-11-22T15:41:49.553Z" />
   <EventRecordID>1285</EventRecordID>
   <Correlation ActivityID="{1AEBF62E-E81B-4BD5-9F36-F1B4AC1812AE}" />
   <Execution ProcessID="1044" ThreadID="2868" />
   <Channel>System</Channel>
   <Computer>VPCVista.ece.ncsu.edu</Computer>
   <Security UserID="S-1-5-21-2670277017-1606584948-3883025002-1338" />
 </System>
 <EventData>
   1
   1753
   0
   125
   1317
   The specified account does not exist. 
 </EventData>
</Event>
Group Policy Infrastructure failed due to the error listed below.
The specified account does not exist. 
Note: Due to the GP Core failure, none of the other Group Policy components processed
their policy. Consequently, status information for the other components is not available.

Cause

Solution

Unable to Update Group Policy

Details

Log Name:      Application
Source:        SceCli
Date:          11/27/2006 11:50:35 AM
Event ID:      1202
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      epona.ece.ncsu.edu
Description:
Security policies were propagated with warning. 0x534 : No mapping between account
names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query
for "troubleshooting 1202 events". 

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs)
could not be resolved to a SID.  This error is possibly caused by a mistyped or
deleted user account referenced in either the User Rights or Restricted Groups
branch of a GPO.  To resolve this event, contact an administrator in the domain to
perform the following actions: 

1.	Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find" 
%SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account 
names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most
likely occurs because the account was deleted, renamed, or is spelled differently
(e.g. "JohnDoe"). 

2.	Use RSoP to identify the specific User Rights, Restricted Groups, and Source
GPOs that contain the problem accounts:

a.	Start -> Run -> RSoP.msc
b.	Review the results for Computer Configuration\Windows Settings\Security
Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows
Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged
with a red X.
c.	For any User Right or Restricted Group marked with a red X, the corresponding 
GPO that contains the problem policy setting is listed under the column entitled 
"Source GPO". Note the specific User Rights, Restricted Groups and containing Source 
GPOs that are generating errors. 

3.	Remove unresolved accounts from Group Policy

a.	Start -> Run -> MMC.EXE
b.	From the File menu select "Add/Remove Snap-in..."
c.	From the "Add/Remove Snap-in" dialog box select "Add..."
d.	In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e.	In the "Select Group Policy Object" dialog box click the "Browse" button.
f.	On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g.	For each source GPO identified in step 2, correct the specific User Rights or 
Restricted Groups that were flagged with a red X in step 2. These User Rights or 
Restricted Groups can be corrected by removing or correcting any references to the  
problem accounts that were identified in step 1.
FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

---------- C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG
       Cannot find HelpAssistant.
       Cannot find HelpAssistant.
       Cannot find HelpAssistant.
       Cannot find HelpAssistant.
       Cannot find HelpAssistant.
       Cannot find HelpAssistant.
       Cannot find HelpAssistant.

Cause

Account HelpAssistant is defined in ECE-Enable Remote Assistance GPO but does not appear to exist in Vista. This causes an error in the Event Log.

Solution

Prevent this group policy from applying to Vista computers with a WMI filter and create a new Remote Assistance policy for Vista computers.