Solved

Office 2003 on Terminal Server - Administrators can open apps.  Users receive error.

Posted on 2007-11-15
9
3,801 Views
Last Modified: 2013-11-21
I did a clean install of W2K3 R2 Standard using the latest hardware drivers.  I added the Terminal Server role thru "Manage Your Server".  I installed Office 2003 Pro (Retail) according to MS KB #828955.  Up to this point, no updates have been installed and nothing has been activated.  

When logged on (locally or remotely) as an administrator, I can use the Office apps without issue.  When logged on (locally or remotely) as a User, I receive the following error:  "This feature is not available.  For more information, contact your system administrator."  If I remove the Terminal Server role, Users can run the Office apps.  If I re-enable the Terminal Server role, Users are denied citing the same error.

I downloaded and installed all OS and Office updates with no change.  I performed the above procedure again, using a different hard disk, with no change.

I've read several articles on NTFS / Registry permissions relating to Terminal Services.  I've changed "Permission Compatibilty" in TS Config to "Relaxed Security" with no change.  I've gone as far as giving the "Everyone" group "Full Control" of all registry keys and the C drive with no change.  

Here's the kicker:  If I do a clean install of W2K3, install Office 2003 normally (outside of Add/Remove Programs... just put the disk in and go), and add the Terminal Server role last...  All seems to work perfectly!

My concern is that the procedure that "works" is different from that outlined by Microsoft and I'm concerned that issues will arise later.  Am I missing something???

Any insight is greatly appreciated.
0
Comment
Question by:ottodoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
ID: 20292914
First of all, on Terminal Services you must always install the applications using Control Panel | Add/Remote Programs AND AFTER terminal services was installed properly and is up and running. Simple as that.
The main reason behind such behavior is the fact you are trying to run applications that are not multi-user by nature, on a multi-user environment (TS).
When you use Add/Remove Programs with the TS already installed, it tracks during the installation which files/registry keys each user will need to have to run the application properly and once the install is done and a user logs in the TS creates such files/keys for that particular user, uniquely. That is why applications work for users on TS.
So resuming, this is what you need to do:
1. Install TS.
2. Install applications using Add/Remove Programs.
3. Most applications will work just fine after that. If they do not work for users but do work for administrators you have a permissions problem. In such case use REGMON/FILEMON (Sysinternals.com, now Microsoft) to monitor which files/keys are getting denied and then simply give access to the users to such files/directories/registry keys.

Another important setting is the TS security. If you run TSCC.MSC on the TS you can see if it is set to 'Relaxed Security' or 'Full Security'. Relaxed Security is meant for older applications where access to registry and files need to be a little 'looser' than usual. It is recommended you use Full Security and find the keys/files you need to open up the security using tools like the ones mentioned above.

Hope this helps.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Comment

by:ottodoc
ID: 20294185
Hi Claudio,

Thank you for the quick response.  I believe I have followed Microsoft's instructions to the letter.  That's what's so confusing about this matter.

First, I performed a clean install of W2K3.  Then, I enabled Terminal Services using "Manage Your Server".  Then, I installed a retail version of Office 2003 Professional using the method outlined in Microsoft's KB article # 828955 (thru Add/Remove Programs).  Microsoft states that this version will function in a TS environment and stipulates the need for proper licensing.

Just to get the flippin thing to work, I gave the "Everyone" group "Full Control" on HKey_Classes_Root, HKey_Current_User, HKey_Local_Machine, HKey_Users, and HKey_Current_Config.  Inheritance should cause "Full Control" to propogate to all related sub-keys.  I also gave the "Everyone" group "Full Control" on the C drive, as well as "relaxing" the compatibility permissions in TSCC.MSC.  These steps should eliminate any permission related issues, or am I missing something?

The thing I find most intriguing is that, as long as TS is enabled, "Users" can't run Office apps, even when signed in locally.   Why would TS affect a local user?

Again, thank you for the quick response and I sincerely appreciate any insight.

Take care.
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20295359
There is something that you may be missing but I cannot see exactly where it is. As this is a new install, would you be able to start from scratch with a 2003 SP1 CD? And when adding TS, go through Add/Remove Programs | Windows Components | Terminal Server. I prefer not to use the Wizard.
From what you posted you indeed did everything possible except using FILEMON/REGMON to see what is going on with permissions.
But given the fact it is a new server I am certain you would spend less time reinstalling from scratch than trying to troubleshoot such issue. Plus even if REGMON/FILEMON show something, this should work out of the box (as this is TS and Office 2003) and I would not trust such server after 'fixing' the issues. There is something wrong at a deeper level here.
Try to get, as I said, an original 2003 SP1 media and start over.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 1

Expert Comment

by:sveashwar
ID: 20296526
have u tried installing ms office using transform file available from ork i think with that it should work
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20298761
The transform file was needed only on Office 2000. This is not needed for Office 2003 and above.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Closing Comment

by:ottodoc
ID: 31409588
Problem solved !!!  

About 3:00am last night, I sat straight up in bed having realized that when I gave the "Everyone" group "Full Control" in the root of the C drive (for testing purposes only), I did not take the next step by checking "Replace permission entries on all child objects..." in advanced settings.  After doing so, Office worked normally!  So the issues WAS related to NTFS permissions.

Working from a clean install of W2K3 and Office, I did what Claudio suggested and ran Filemon (available at http://www.microsoft.com/technet/sysinternals/default.mspx) and found numerous Office related files existing in various locations with the status "Access Denied".  I pulled the Filemon log file into an Access database (after changing the .log extenstion to .txt), filtered the records, and reviewed the entries there.  I changed the permissions on folder: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA to match those of my desktop system and that did the trick!  I did not need to change permissions on any other folders/files, registry keys, and "Permission Compatibilty" in TSCC can remain at "Full Security".

My take-away from this is that any application, not just Office, can be similarly affected when running in a Terminal Server environment and editing NTFS and/or Registry permissions may be necessary for use by those other than administrators.  There's an excellent explanation as to why posted by Curt Spanburgh at http://x220.minasi.com/forum/topic.asp?TOPIC_ID=11871.

Thanks for all the help!
0
 

Author Comment

by:ottodoc
ID: 20299658
Problem solved !!!  

About 3:00am last night, I sat straight up in bed having realized that when I gave the "Everyone" group "Full Control" in the root of the C drive (for testing purposes only), I did not take the next step by checking "Replace permission entries on all child objects..." in advanced settings.  After doing so, Office worked normally!  So the issues WAS related to NTFS permissions.

Working from a clean install of W2K3 and Office, I did what Claudio suggested and ran Filemon (available at http://www.microsoft.com/technet/sysinternals/default.mspx) and found numerous Office related files existing in various locations with the status "Access Denied".  I pulled the Filemon log file into an Access database (after changing the .log extenstion to .txt), filtered the records, and reviewed the entries there.  I changed the permissions on folder: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA to match those of my desktop system and that did the trick!  I did not need to change permissions on any other folders/files, registry keys, and "Permission Compatibilty" in TSCC can remain at "Full Security".

My take-away from this is that any application, not just Office, can be similarly affected when running in a Terminal Server environment and editing NTFS and/or Registry permissions may be necessary for use by those other than administrators.  There's an excellent explanation as to why posted by Curt Spanburgh at http://x220.minasi.com/forum/topic.asp?TOPIC_ID=11871.

Thanks for all the help!
0
 
LVL 4

Expert Comment

by:dempsedm
ID: 20367395
I had the same problem, and this solution worked for me as well.  Thanks ottodoc!
0
 

Expert Comment

by:mtn_lion
ID: 20871013
Ottodoc, a thousand thank-you's for coming back and posting your solution!  How much time and pain did you just save me!
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes how to use a set of graphical playing cards to create a Draw Poker game in Excel or VB6.
After seeing numerous questions for Dynamic Data Validation I notice that most have used Visual Basic to solve the problem. This suggestion is purely formula based and can be used in multiple rows.
This video walks the viewer through the process of creating Hyperlinks for the web and other documents. Select the "Insert" tab: Click "Hyperlink":  Type "http://" followed by a web address to reference a website or navigate to a document to ref…
This video shows where to find templates, what they are used for, and how to create and save a custom template using Microsoft Word.

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question