Solved

Office 2003 on Terminal Server - Administrators can open apps.  Users receive error.

Posted on 2007-11-15
9
3,737 Views
Last Modified: 2013-11-21
I did a clean install of W2K3 R2 Standard using the latest hardware drivers.  I added the Terminal Server role thru "Manage Your Server".  I installed Office 2003 Pro (Retail) according to MS KB #828955.  Up to this point, no updates have been installed and nothing has been activated.  

When logged on (locally or remotely) as an administrator, I can use the Office apps without issue.  When logged on (locally or remotely) as a User, I receive the following error:  "This feature is not available.  For more information, contact your system administrator."  If I remove the Terminal Server role, Users can run the Office apps.  If I re-enable the Terminal Server role, Users are denied citing the same error.

I downloaded and installed all OS and Office updates with no change.  I performed the above procedure again, using a different hard disk, with no change.

I've read several articles on NTFS / Registry permissions relating to Terminal Services.  I've changed "Permission Compatibilty" in TS Config to "Relaxed Security" with no change.  I've gone as far as giving the "Everyone" group "Full Control" of all registry keys and the C drive with no change.  

Here's the kicker:  If I do a clean install of W2K3, install Office 2003 normally (outside of Add/Remove Programs... just put the disk in and go), and add the Terminal Server role last...  All seems to work perfectly!

My concern is that the procedure that "works" is different from that outlined by Microsoft and I'm concerned that issues will arise later.  Am I missing something???

Any insight is greatly appreciated.
0
Comment
Question by:ottodoc
9 Comments
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
Comment Utility
First of all, on Terminal Services you must always install the applications using Control Panel | Add/Remote Programs AND AFTER terminal services was installed properly and is up and running. Simple as that.
The main reason behind such behavior is the fact you are trying to run applications that are not multi-user by nature, on a multi-user environment (TS).
When you use Add/Remove Programs with the TS already installed, it tracks during the installation which files/registry keys each user will need to have to run the application properly and once the install is done and a user logs in the TS creates such files/keys for that particular user, uniquely. That is why applications work for users on TS.
So resuming, this is what you need to do:
1. Install TS.
2. Install applications using Add/Remove Programs.
3. Most applications will work just fine after that. If they do not work for users but do work for administrators you have a permissions problem. In such case use REGMON/FILEMON (Sysinternals.com, now Microsoft) to monitor which files/keys are getting denied and then simply give access to the users to such files/directories/registry keys.

Another important setting is the TS security. If you run TSCC.MSC on the TS you can see if it is set to 'Relaxed Security' or 'Full Security'. Relaxed Security is meant for older applications where access to registry and files need to be a little 'looser' than usual. It is recommended you use Full Security and find the keys/files you need to open up the security using tools like the ones mentioned above.

Hope this helps.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Comment

by:ottodoc
Comment Utility
Hi Claudio,

Thank you for the quick response.  I believe I have followed Microsoft's instructions to the letter.  That's what's so confusing about this matter.

First, I performed a clean install of W2K3.  Then, I enabled Terminal Services using "Manage Your Server".  Then, I installed a retail version of Office 2003 Professional using the method outlined in Microsoft's KB article # 828955 (thru Add/Remove Programs).  Microsoft states that this version will function in a TS environment and stipulates the need for proper licensing.

Just to get the flippin thing to work, I gave the "Everyone" group "Full Control" on HKey_Classes_Root, HKey_Current_User, HKey_Local_Machine, HKey_Users, and HKey_Current_Config.  Inheritance should cause "Full Control" to propogate to all related sub-keys.  I also gave the "Everyone" group "Full Control" on the C drive, as well as "relaxing" the compatibility permissions in TSCC.MSC.  These steps should eliminate any permission related issues, or am I missing something?

The thing I find most intriguing is that, as long as TS is enabled, "Users" can't run Office apps, even when signed in locally.   Why would TS affect a local user?

Again, thank you for the quick response and I sincerely appreciate any insight.

Take care.
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
Comment Utility
There is something that you may be missing but I cannot see exactly where it is. As this is a new install, would you be able to start from scratch with a 2003 SP1 CD? And when adding TS, go through Add/Remove Programs | Windows Components | Terminal Server. I prefer not to use the Wizard.
From what you posted you indeed did everything possible except using FILEMON/REGMON to see what is going on with permissions.
But given the fact it is a new server I am certain you would spend less time reinstalling from scratch than trying to troubleshoot such issue. Plus even if REGMON/FILEMON show something, this should work out of the box (as this is TS and Office 2003) and I would not trust such server after 'fixing' the issues. There is something wrong at a deeper level here.
Try to get, as I said, an original 2003 SP1 media and start over.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 
LVL 1

Expert Comment

by:sveashwar
Comment Utility
have u tried installing ms office using transform file available from ork i think with that it should work
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 31

Expert Comment

by:Cláudio Rodrigues
Comment Utility
The transform file was needed only on Office 2000. This is not needed for Office 2003 and above.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Closing Comment

by:ottodoc
Comment Utility
Problem solved !!!  

About 3:00am last night, I sat straight up in bed having realized that when I gave the "Everyone" group "Full Control" in the root of the C drive (for testing purposes only), I did not take the next step by checking "Replace permission entries on all child objects..." in advanced settings.  After doing so, Office worked normally!  So the issues WAS related to NTFS permissions.

Working from a clean install of W2K3 and Office, I did what Claudio suggested and ran Filemon (available at http://www.microsoft.com/technet/sysinternals/default.mspx) and found numerous Office related files existing in various locations with the status "Access Denied".  I pulled the Filemon log file into an Access database (after changing the .log extenstion to .txt), filtered the records, and reviewed the entries there.  I changed the permissions on folder: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA to match those of my desktop system and that did the trick!  I did not need to change permissions on any other folders/files, registry keys, and "Permission Compatibilty" in TSCC can remain at "Full Security".

My take-away from this is that any application, not just Office, can be similarly affected when running in a Terminal Server environment and editing NTFS and/or Registry permissions may be necessary for use by those other than administrators.  There's an excellent explanation as to why posted by Curt Spanburgh at http://x220.minasi.com/forum/topic.asp?TOPIC_ID=11871.

Thanks for all the help!
0
 

Author Comment

by:ottodoc
Comment Utility
Problem solved !!!  

About 3:00am last night, I sat straight up in bed having realized that when I gave the "Everyone" group "Full Control" in the root of the C drive (for testing purposes only), I did not take the next step by checking "Replace permission entries on all child objects..." in advanced settings.  After doing so, Office worked normally!  So the issues WAS related to NTFS permissions.

Working from a clean install of W2K3 and Office, I did what Claudio suggested and ran Filemon (available at http://www.microsoft.com/technet/sysinternals/default.mspx) and found numerous Office related files existing in various locations with the status "Access Denied".  I pulled the Filemon log file into an Access database (after changing the .log extenstion to .txt), filtered the records, and reviewed the entries there.  I changed the permissions on folder: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA to match those of my desktop system and that did the trick!  I did not need to change permissions on any other folders/files, registry keys, and "Permission Compatibilty" in TSCC can remain at "Full Security".

My take-away from this is that any application, not just Office, can be similarly affected when running in a Terminal Server environment and editing NTFS and/or Registry permissions may be necessary for use by those other than administrators.  There's an excellent explanation as to why posted by Curt Spanburgh at http://x220.minasi.com/forum/topic.asp?TOPIC_ID=11871.

Thanks for all the help!
0
 
LVL 4

Expert Comment

by:dempsedm
Comment Utility
I had the same problem, and this solution worked for me as well.  Thanks ottodoc!
0
 

Expert Comment

by:mtn_lion
Comment Utility
Ottodoc, a thousand thank-you's for coming back and posting your solution!  How much time and pain did you just save me!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

No matter the version of Windows you are using, you may have some problems with Windows Search running too slow or possibly not running at all. Before jumping into how you can solve this issue, just know there are many other viable alternative deskt…
Outlook Free & Paid Tools
This video walks the viewer through the process of creating envelopes and labels, with multiple names and addresses. Navigate to the “Start Mail Merge” button in the Mailings tab: Follow the step-by-step process until asked to find the address doc…
The viewer will learn how to create two correlated normally distributed random variables in Excel, use a normal distribution to simulate the return on different levels of investment in each of the two funds over a period of ten years, and, create a …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now