Logging in via Terminal Services - Access denied to network resources available when logged in locally.

I have some users that login remotely via a Terminal Server. We have apps and files they need access to. They are all members of the same group (remote users) yet some can access the resources and some can't (same resources for all). All of them can access some apps and files. All have the same mapped drives to the resources. They all can access the resources when logging in locally (not via terminal services). When access is denied there aren't any event errors associated with the failed access. Some of the files reside on the SBS 2003 server and the app that some can access and some can't resides on another server. The error that appears when trying to access the apps or files reads; "Windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item." Like I say they are members of the same security group/s.

Anybody come across something like this before?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Are you using a separate Terminal Server or Terminal Services on an SBS Box?
Jeff DarlingDeveloper AnalystCommented:
Is a VPN involved?
Madison PerkinsConsultantCommented:
a little more info would be helpful.  
whats the app that doesn't work?

If i have this straight... you have 3 servers and multiple workstations.  1TermServer, 1FileServer and 1SBSServer.  
apps work from 1TERM to 1SBS for everyone (multiple people can run the app at the same time).  apps work for some people from 1TERM to 1FILE(multiple people can run the app at the same time but some people can never run the app). apps work from all WORKSTATIONS to 1SBS and 1FILE.  

you have verified that everyone gets the same drive mappings on the terminal server and the workstations.  the people that can run the app don't have additional privledges.  everyone gets the same client drive mappings and drive redirection(terminal services profile).  

you have added the drive letter of the mapped drive to the local Internet Zone settings in internet explorer on the terminal server.

Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

orbikerAuthor Commented:
Yes the Terminal Server is on a separate box. It is published through ISA 2004, which is on it's own box.

No a VPN is not involved.

Thanks for the quick replies.
orbikerAuthor Commented:
SBS 2003 box running Exchange and is the file server in this case.
Terminal Server running on Windows 2003 (separate box from SBS)
ISA Server 2004 (separate box from SBS and TServer) publishing terminal server
MRP program running on Windows 2003 (also on separate box)
So four separate servers. 1 DC  and 3 member servers.

We have 8 sales people that connect to us via RDP to the Terminal Server using an IP address. All sales people are member of same security group/s (remote users) along with some other groups but all the same. Their groups are added to the shares/security of the resources. All have same mapped drives.  Four can access the MRP program and 4 can't. Same result with some files on the SBS box. Some files on the SBS box are available to all.

The only thing I have been able to find that is different is "some" (I don't know how many yet but can't see that it matters) of the users were added to SBS via an RDP session from one of the techs inside the network where the others were added by logging on locally to the SBS box. IOW the tech logged into the SBS box using an RDP session to create the users (some, maybe all, the ones that aren't working) but all were created using the "Add User" wizard.

I have not looked to see the "zones" in IE but will when I get back there.

orbikerAuthor Commented:
I checked the IE zone settings and they are the same on both logins. Here is what I've discovered since Friday. I can't open a link on the desktop that points to an Access db on the network but I can open Access then navigate to the same file and it opens fine. I think the solution to this will also fix the other problem. Any ideas out there?

I think you will find this helpful.  I also ran into this problem with IE advanced security.  Hope this helps.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
orbikerAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.