?
Solved

Hide C Drive from Admins in Terminal Services

Posted on 2006-06-26
8
Medium Priority
?
653 Views
Last Modified: 2008-01-09
i feel almost bad for posting this, but while a large number of posts on various forums are close to my problem, they don't seem to be helping me out a bunch.
i am trying to prevent access to the c: drive by the administrators group in a terminal services environment.
my users must all be members of the administrators group to run a certain application. messing with permissions makes the app very unhappy and it is the central enterprise app.
i have put my terminal server/domain controller in an ou and am locking the ou down per microsoft white paper titled "locking down windows server 2003 terminal server sessions".
the gpo settings causing my issue are at UC\AT\WC\Windows Explorer and are the much discussed "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer"
my goal is to give the users access to three apps and a data drive. no problem using software restrictions to allow access only to the three apps.
my problem is that "prevent" keeps windows explorer from opening at all, and "hide" isn't actually hiding the c: drive (though it appears, strangely, at the end of the drive tree/list in my computer).
does someone know offhand what i missed? thank you in advance.
0
Comment
Question by:politicalfusion
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 9

Expert Comment

by:dooleydog
ID: 16984379
if you want to hide anything from administrators, you will need to use NTFS permissions.

Do not use hte deny unless absoluty necessary, just remove the everyone or hte authenticated users groups, and only add the appropriate user or users.

Good Luck,

0
 
LVL 1

Author Comment

by:politicalfusion
ID: 16984538
i put the users (who are in the built-in administrators account) into a separate security group. i then denied that group the list folder contents permission. the enterprise app didn't work anymore.
the administrators group must have full control of the c drive for the enterprise app to work, apparently, and the users must be members of that group. even attempting to put them in a separate security group and trying to assign that group all the administrators rights and permissions didn't work. they must be administrators and administrators must have full control (so far - would love to be contradicted). so my next thought has been to remove the c drive from all browse lists and make it de facto inaccessable. thank you for the input and opportunity to comment farther
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 16988000
Just try to find out which permissions are missing where; get FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) and RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) from Sysinternals.
Log on to the TS console as administrator, start FileMon and RegMon; set the filter on both to log only the application.
Start the application as a regular user without additional rights, check for errors. Adjust NTFS or registry permissions until you can run the software as user.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 8

Expert Comment

by:bilbus
ID: 16988950
wow this is not good, giving users admin access to a terminal server is BAD. Have you talked to your program's tech support? perhaps giving them full access to some system files will fix it? If the user is a local admin of the terminal server then any countermesures you put in can easly be overcome. File permisions can be changed even if you put deny on.
0
 
LVL 1

Author Comment

by:politicalfusion
ID: 16989260
hello and thank you. i will try the filemon and regmon day after tomorrow. i have no experience with those programs, thank you for the tip and i will follow it as far as possible (hopefully til it works).
as an interesting note, and you can call me on the loopholes and work-arounds, the users have to be members of the administrators group, but not the administrator. therefore, i've established a significant number of gpo lockdowns, applied them to the administrator's group, and denied my administrator account the apply gpo setting. also, they cannot log on locally or except through terminal services.
the gpo's start with 'disble the desktop and everything on it', kill run, shutdown, the command prompt, task manager, the control panel, restrict software to the three identified apps, disable right clicking, associated key commands, etc. reference the aforementioned white paper. it seems to be awfully tight and i'm getting a measure of comfort.
0
 
LVL 8

Expert Comment

by:bilbus
ID: 17207900
if they are a member of the administrators's group they can turn off anything you turn on.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question