Solved

Hide C Drive from Admins in Terminal Services

Posted on 2006-06-26
8
645 Views
Last Modified: 2008-01-09
i feel almost bad for posting this, but while a large number of posts on various forums are close to my problem, they don't seem to be helping me out a bunch.
i am trying to prevent access to the c: drive by the administrators group in a terminal services environment.
my users must all be members of the administrators group to run a certain application. messing with permissions makes the app very unhappy and it is the central enterprise app.
i have put my terminal server/domain controller in an ou and am locking the ou down per microsoft white paper titled "locking down windows server 2003 terminal server sessions".
the gpo settings causing my issue are at UC\AT\WC\Windows Explorer and are the much discussed "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer"
my goal is to give the users access to three apps and a data drive. no problem using software restrictions to allow access only to the three apps.
my problem is that "prevent" keeps windows explorer from opening at all, and "hide" isn't actually hiding the c: drive (though it appears, strangely, at the end of the drive tree/list in my computer).
does someone know offhand what i missed? thank you in advance.
0
Comment
Question by:politicalfusion
8 Comments
 
LVL 9

Expert Comment

by:dooleydog
ID: 16984379
if you want to hide anything from administrators, you will need to use NTFS permissions.

Do not use hte deny unless absoluty necessary, just remove the everyone or hte authenticated users groups, and only add the appropriate user or users.

Good Luck,

0
 
LVL 1

Author Comment

by:politicalfusion
ID: 16984538
i put the users (who are in the built-in administrators account) into a separate security group. i then denied that group the list folder contents permission. the enterprise app didn't work anymore.
the administrators group must have full control of the c drive for the enterprise app to work, apparently, and the users must be members of that group. even attempting to put them in a separate security group and trying to assign that group all the administrators rights and permissions didn't work. they must be administrators and administrators must have full control (so far - would love to be contradicted). so my next thought has been to remove the c drive from all browse lists and make it de facto inaccessable. thank you for the input and opportunity to comment farther
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 16988000
Just try to find out which permissions are missing where; get FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) and RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) from Sysinternals.
Log on to the TS console as administrator, start FileMon and RegMon; set the filter on both to log only the application.
Start the application as a regular user without additional rights, check for errors. Adjust NTFS or registry permissions until you can run the software as user.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 8

Expert Comment

by:bilbus
ID: 16988950
wow this is not good, giving users admin access to a terminal server is BAD. Have you talked to your program's tech support? perhaps giving them full access to some system files will fix it? If the user is a local admin of the terminal server then any countermesures you put in can easly be overcome. File permisions can be changed even if you put deny on.
0
 
LVL 1

Author Comment

by:politicalfusion
ID: 16989260
hello and thank you. i will try the filemon and regmon day after tomorrow. i have no experience with those programs, thank you for the tip and i will follow it as far as possible (hopefully til it works).
as an interesting note, and you can call me on the loopholes and work-arounds, the users have to be members of the administrators group, but not the administrator. therefore, i've established a significant number of gpo lockdowns, applied them to the administrator's group, and denied my administrator account the apply gpo setting. also, they cannot log on locally or except through terminal services.
the gpo's start with 'disble the desktop and everything on it', kill run, shutdown, the command prompt, task manager, the control panel, restrict software to the three identified apps, disable right clicking, associated key commands, etc. reference the aforementioned white paper. it seems to be awfully tight and i'm getting a measure of comfort.
0
 
LVL 8

Expert Comment

by:bilbus
ID: 17207900
if they are a member of the administrators's group they can turn off anything you turn on.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now