Hide C Drive from Admins in Terminal Services

i feel almost bad for posting this, but while a large number of posts on various forums are close to my problem, they don't seem to be helping me out a bunch.
i am trying to prevent access to the c: drive by the administrators group in a terminal services environment.
my users must all be members of the administrators group to run a certain application. messing with permissions makes the app very unhappy and it is the central enterprise app.
i have put my terminal server/domain controller in an ou and am locking the ou down per microsoft white paper titled "locking down windows server 2003 terminal server sessions".
the gpo settings causing my issue are at UC\AT\WC\Windows Explorer and are the much discussed "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer"
my goal is to give the users access to three apps and a data drive. no problem using software restrictions to allow access only to the three apps.
my problem is that "prevent" keeps windows explorer from opening at all, and "hide" isn't actually hiding the c: drive (though it appears, strangely, at the end of the drive tree/list in my computer).
does someone know offhand what i missed? thank you in advance.
LVL 1
politicalfusionAsked:
Who is Participating?
 
oBdAConnect With a Mentor Commented:
Just try to find out which permissions are missing where; get FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) and RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) from Sysinternals.
Log on to the TS console as administrator, start FileMon and RegMon; set the filter on both to log only the application.
Start the application as a regular user without additional rights, check for errors. Adjust NTFS or registry permissions until you can run the software as user.
0
 
dooleydogCommented:
if you want to hide anything from administrators, you will need to use NTFS permissions.

Do not use hte deny unless absoluty necessary, just remove the everyone or hte authenticated users groups, and only add the appropriate user or users.

Good Luck,

0
 
politicalfusionAuthor Commented:
i put the users (who are in the built-in administrators account) into a separate security group. i then denied that group the list folder contents permission. the enterprise app didn't work anymore.
the administrators group must have full control of the c drive for the enterprise app to work, apparently, and the users must be members of that group. even attempting to put them in a separate security group and trying to assign that group all the administrators rights and permissions didn't work. they must be administrators and administrators must have full control (so far - would love to be contradicted). so my next thought has been to remove the c drive from all browse lists and make it de facto inaccessable. thank you for the input and opportunity to comment farther
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
bilbusCommented:
wow this is not good, giving users admin access to a terminal server is BAD. Have you talked to your program's tech support? perhaps giving them full access to some system files will fix it? If the user is a local admin of the terminal server then any countermesures you put in can easly be overcome. File permisions can be changed even if you put deny on.
0
 
politicalfusionAuthor Commented:
hello and thank you. i will try the filemon and regmon day after tomorrow. i have no experience with those programs, thank you for the tip and i will follow it as far as possible (hopefully til it works).
as an interesting note, and you can call me on the loopholes and work-arounds, the users have to be members of the administrators group, but not the administrator. therefore, i've established a significant number of gpo lockdowns, applied them to the administrator's group, and denied my administrator account the apply gpo setting. also, they cannot log on locally or except through terminal services.
the gpo's start with 'disble the desktop and everything on it', kill run, shutdown, the command prompt, task manager, the control panel, restrict software to the three identified apps, disable right clicking, associated key commands, etc. reference the aforementioned white paper. it seems to be awfully tight and i'm getting a measure of comfort.
0
 
bilbusCommented:
if they are a member of the administrators's group they can turn off anything you turn on.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.