i feel almost bad for posting this, but while a large number of posts on various forums are close to my problem, they don't seem to be helping me out a bunch.
i am trying to prevent access to the c: drive by the administrators group in a terminal services environment.
my users must all be members of the administrators group to run a certain application. messing with permissions makes the app very unhappy and it is the central enterprise app.
i have put my terminal server/domain controller in an ou and am locking the ou down per microsoft white paper titled "locking down windows server 2003 terminal server sessions".
the gpo settings causing my issue are at UC\AT\WC\Windows Explorer and are the much discussed "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer"
my goal is to give the users access to three apps and a data drive. no problem using software restrictions to allow access only to the three apps.
my problem is that "prevent" keeps windows explorer from opening at all, and "hide" isn't actually hiding the c: drive (though it appears, strangely, at the end of the drive tree/list in my computer).
does someone know offhand what i missed? thank you in advance.