Solved

Terminal Server Shared Folder Access

Posted on 2009-04-06
Last Modified: 2013-11-21
I have 15 remote users who log onto MS TS 2003 using RDP.  Out of those 15 I would like 4 to be able to share a common folder placed in a directory on the TS + several users in house need access to this folder.  When I create the folder, share it to those users who need access (I have also tried sharing the folder to "everyone").  Then I place the folder to the desktop of each of the 4 RDP users who I want to have access.  When the user connects and tries to access the folder they always get a MS message "restrictions - this operation has been cancelled due to restrictions in effect on this computer".   All help is greatly appreciated.  Lew
Question by:lew_stoner
23 Comments
 
LVL 21

Expert Comment

by:snusgubben
ID: 24084511
Do the RDP users have file access to the shared folder? (Share security only applies to network access to the folder. Since there are four "local users" the file security needs to be in place.)

Have you made a shortcut on the desktop to the shared folder for the RDP users?


SG
0
 

Author Comment

by:lew_stoner
ID: 24086157
Hi SG, I have shared the folder to everyone who needs access to the folder including RDP users.  And I have placed a shortcut on the desktop of the RDP users.  When the RDP users try to access the folder they get the message "restrictions - this operation has been cancelled due to restrictions in effect on this computer".  Lew
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24086655
Can the RDP users access the folder if they navigate to it with Explorer (not using the shortcut)?

SG
0
 

Author Comment

by:lew_stoner
ID: 24086680
I have windows explorer turned off for the RDP users.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24086780
Start > Run > iexplore -e c:

Or with IE 7:

Start > Run > %windir%\ie7\iexplore.exe -e c:

Try to navigate


SG
0
 

Author Comment

by:lew_stoner
ID: 24089216
Tried running both of these commands from a command prompt and get the message "restrictions - this operation has been cancelled due to restrictions in effect on this computer".  Some group policy is preventing me from running iexplore.  I am unable to find that group policy.  All help is greatly appreciated.  Getting a little frustrated.  Lew
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24090994
Here are two ways of finding out which GPO is preventing you:

1. From your domain controller: run RSoP (from the Group Policy Management Console)
2. From an RDP client session: Start > Run > gpresult /v

SG
0
 

Author Comment

by:lew_stoner
ID: 24091489
Will give this a try on Friday.  Thanks for your input and I will let you know what happened on Friday.  Lew
0
 

Author Comment

by:lew_stoner
ID: 24140858
What follows is a list of enforced policies.  I have played with some of the policies, but ALWAYS get the restrictions message.  I have enabled shared folders but it has no effect.  All help is appreciated.  Lew

Group Policy Management
Links
Location Enforced Link Status Path
Client TS Users Yes Enabled bps.local/Client TS Users

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
BPS\Domain Admins Edit settings, delete, modify security No
BPS\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No

Computer Configuration (Enabled)
No settings defined.
User Configuration (Enabled)
Administrative Templates
Control Panel
Policy Setting
Prohibit access to the Control Panel Enabled

Control Panel/Add or Remove Programs
Policy Setting
Remove Add or Remove Programs Enabled

Control Panel/Printers
Policy Setting
Prevent addition of printers Enabled

Desktop
Policy Setting
Hide Internet Explorer icon on desktop Enabled
Hide My Network Places icon on desktop Enabled
Prohibit user from changing My Documents path Enabled
Remove My Computer icon on the desktop Enabled
Remove My Documents icon on the desktop Enabled
Remove Properties from the My Computer context menu Enabled
Remove Properties from the My Documents context menu Enabled
Remove Properties from the Recycle Bin context menu Enabled

Start Menu and Taskbar
Policy Setting
Add Logoff to the Start Menu Enabled
Force classic Start Menu Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Remove access to the context menus for the taskbar Enabled
Remove common program groups from Start Menu Enabled
Remove Drag-and-drop context menus on the Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Enabled
Remove My Documents icon from Start Menu Enabled
Remove My Network Places icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Run menu from Start Menu Disabled
Remove Search menu from Start Menu Enabled

System
Policy Setting
Prevent access to registry editing tools Enabled
Disable regedit from running silently? Yes
 
Policy Setting
Prevent access to the command prompt Enabled
Disable the command prompt script processing also? No
 

System/Ctrl+Alt+Del Options
Policy Setting
Remove Lock Computer Enabled
Remove Task Manager Enabled

System/Scripts
Policy Setting
Run legacy logon scripts hidden Enabled

Windows Components/Internet Explorer
Policy Setting
Search: Disable Find Files via F3 within the browser Enabled

Windows Components/Internet Explorer/Browser menus
Policy Setting
Disable Context menu Enabled
Hide Favorites menu Enabled

Windows Components/Task Scheduler
Policy Setting
Hide Property Pages Enabled

Windows Components/Windows Explorer
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
 
Policy Setting
Hides the Manage item on the Windows Explorer context menu Enabled
No "Computers Near Me" in My Network Places Enabled
No "Entire Network" in My Network Places Enabled
Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
 
Policy Setting
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove File menu from Windows Explorer Enabled
Remove Hardware tab Enabled
Remove Search button from Windows Explorer Enabled
Remove Security tab Enabled
Remove Windows Explorer's default context menu Enabled
Removes the Folder Options menu item from the Tools menu Enabled
Turn off Windows+X hotkeys Enabled

Windows Components/Windows Explorer/Common Open File Dialog
Policy Setting
Hide the common dialog places bar Enabled

Windows Components/Windows Messenger
Policy Setting
Do not allow Windows Messenger to be run Enabled

Windows Components/Windows Update
Policy Setting
Remove access to use all Windows Update features Enabled
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24141284
Hehe.. you got a lot of restrictions :)

Using a lot of Enforcing/no override on GPOs is not considered to be "best practice" because it makes troubleshooting a lot harder.

You got some policies that only take time to process and don't have the effect you want, like this:

Add Logoff to the Start Menu Enabled
Remove Logoff on the Start Menu Enabled

Please keep in mind that the share is on your TS that users log on to with RDP. Thus the share permissions will not take place, but the folder's NTFS security permissions!

Share permissions are for access from another network host, while a folder's NTFS permissions are in use while you are on the actual server where the share/folder is. Please verify that your users have the correct NTFS permissions to the folder you would like to share.

If you want to go further I suggest you loosen things up a little for troubleshooting purposes.

*Enable access to cmd so you can test access to the folder and use "net view \\servername" to see if the share is up and running*

Policy Setting
Prevent access to the command prompt Enabled

*Open access to view the disks on the server*

Windows Components/Windows Explorer
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only

Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only


SG

0
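An added example, not part of the original thread: the "Prevent access to drives from My Computer" setting in the posted GPO is stored as a drive-letter bitmask (registry value NoViewOnDrive under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), and Windows shows the "restrictions in effect" message when a user opens a path on a masked drive. The sketch below decodes such a mask and classifies shortcut targets against it; the function names, folder paths and server name are assumptions made up for illustration.

```python
import string

LETTERS = string.ascii_uppercase  # bit 0 = A:, bit 1 = B:, ... bit 25 = Z:

def mask_for(letters):
    """Build the policy bitmask for the given drive letters."""
    mask = 0
    for letter in letters:
        mask |= 1 << LETTERS.index(letter.upper())
    return mask

def restricted_drives(mask):
    """Decode a NoDrives / NoViewOnDrive value into drive letters."""
    if not 0 <= mask < 1 << 26:
        raise ValueError("mask must fit in 26 bits (A-Z)")
    return [l for i, l in enumerate(LETTERS) if (mask >> i) & 1]

def drive_of(path):
    """Drive letter of a local path, or None for a UNC path."""
    p = path.strip().strip('"')
    if p.startswith("\\\\"):
        return None  # \\server\share has no drive letter, so no mask bit covers it
    if len(p) >= 2 and p[0].isalpha() and p[1] == ":":
        return p[0].upper()
    raise ValueError("not an absolute Windows path: %r" % path)

def check_targets(mask, targets):
    """Classify each shortcut target as 'blocked', 'allowed' or 'unc'."""
    blocked = set(restricted_drives(mask))
    result = {}
    for name, path in targets.items():
        drive = drive_of(path)
        result[name] = "unc" if drive is None else "blocked" if drive in blocked else "allowed"
    return result

# "Restrict A, B, C and D drives only" from the posted GPO: 1 + 2 + 4 + 8.
POSTED_MASK = mask_for("ABCD")

SAMPLE_TARGETS = {  # constructed; paths and server name are made up
    "local D:": r"D:\Shared\Projects",
    "local E:": r"E:\Shared\Projects",
    "UNC": r"\\TS01\Projects",
}

if __name__ == "__main__":
    for name, verdict in check_targets(POSTED_MASK, SAMPLE_TARGETS).items():
        print(name, "->", verdict)
```

A "blocked" verdict only says the drive policy covers that path; NTFS permissions on the folder are evaluated separately.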
 

Author Comment

by:lew_stoner
ID: 24141804
Hi SG, thanks for the info.  I inherited this network from another person who set it up and is long gone.  Sounds like I need to remove redundant policies, then loosen things up a bit and test.  I will give it a try and keep you in the loop.  Thanks for your input.  Lew
0

 

Author Comment

by:lew_stoner
ID: 24162044
Hi SG - I am getting closer thanks to your help.  My terminal server users can now open the folder I placed on their desktop.  However, they can not copy or paste.  I tried playing with share permissions at the folder level with no success - Is this a Group Policy thing or???  Any and all direction is greatly appreciated.  It would be OK if ALL domain & TS users could access, copy & paste to this folder.  Thanks, Lew
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24162229
Good to see you are getting closer :)

Like I said earlier the Share permissions are not in play as long as you are logged on the server that hosts the share. You need to play with the (shared) folder's security permissions.

To "paste", the users need Write access to the folder; to copy they need at least "read" permissions.

My tip is to look at the Security tab at the folder and click the "Advanced" key and play with the bits located here.


SG

0
 

Author Comment

by:lew_stoner
ID: 24170782
SG - The folder I want to share is on the Terminal Server.  The TS users can see the folder and can create a folder within the folder, but can not put files in the folder.  I have given full use and rights to the folder for all terminal server users.  That did not help.  So I gave full rights, security, modify, etc to "Everyone" and that still does not allow TS users to put files in this folder.  I do not get any error messages, I just do not have the rights (grayed out paste) to paste or drop anything in this folder.  Any ideas?  Thanks for all your help.  Lew
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24187186
Stop the inherited permissions from the parent folder and see if you can make it work.

By doing this the rights should not be greyed out.


SG
0
 

Author Comment

by:lew_stoner
ID: 24200809
Hi, I double checked and I have stopped inherited permissions, and have full rights turned on for everyone and for TS users.  In remote desktop I have disk sharing turned on.  Any other ideas?  Thanks, Lew
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24203589
Can you copy and paste if you log on to the console (not with RDP) with an ordinary user that is in the "TS users" group?

Can a user create new files within that folder, but are unable to drag & drop files?


SG
0
 

Author Comment

by:lew_stoner
ID: 24263921
Hi SG - An ordinary domain user can get to the folder, can copy, drag & drop, paste, create, everything.  I will have to test a TS User tomorrow when I can bring my notebook computer to this client.  Thanks for your continued support, will let you know more tomorrow.  Lew
0
 

Author Comment

by:lew_stoner
ID: 24274783
Hi SG - when I log on as a terminal server user, but I am connected to the local switch I go to windows explorer and as soon as I click on windows explorer I get the error "operation cancelled due to restrictions in effect."  Sounds like some type of group policy?  I played with windows explorer group policy for a little while, but had no success.  Lew
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24277269
Yes, that sounds like a policy.

Do you have the Group Policy Management Console installed? If not you should install it. http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Here you'll be able to run a RSoP and GP modeling. These are essential tools to use when you create/plan GPOs and troubleshoot GPOs.

Run a RSoP and test modeling with a TS user and the terminal server.

The RSoP gives you a nice report with policies applied.


SG

0
 

Author Comment

by:lew_stoner
ID: 24417345
Yes I have group policy management console.  Have tried playing with group policy and still no success.  I will be going back to the client either late this week or next week.  Any guesses on which group policy needs some attention?  Thanks, Lew
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 24420346
I'm sorry but it's kinda hard for me to say what policy is causing this without looking at the server.
When you create GPOs there are some best practices to follow to make troubleshooting easier.

1. Separate GPO for Computer settings and User settings
2. Give the GPOs informative names.
3. Prevent Enforce/no override when it's possible.
4. Make documentation of what the GPO is intended to do.

Now you got one hell of a bunch of settings. The easiest way is to use RSoP and remove one setting at a time and test until your problem disappears. Another option is to google every setting and see if you can find anything that way.

SG
0
 

Author Closing Comment

by:lew_stoner
ID: 31567152
Will pursue this again in 6 - 8 weeks when I have more time.  Thanks for your help and direction.  Lew
0
