• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 877
  • Last Modified:

Terminal Server Shared Folder Access

I have 15 remote users who log onto MS TS 2003 using RDP.  Out of those 15 I would like 4 to be able to share a common folder placed in a directory on the TS + several users in house need access to this folder.  When I create the folder, share it to those users who need access (I have also tried sharing the folder to "everyone).  Then I place the folder to the desktop of each of the 4 RDP users who I want to have access.  When the user connects and tries to access the folder they always get a MS message "restrictions - this operation has been cancelled due to restrictions in effect on this computer".   All help is greatly appreciated.  Lew
0
lew_stoner
Asked:
lew_stoner
  • 13
  • 10
1 Solution
 
snusgubbenCommented:
Do the RDP user have file access to the shared folder? (share security only applies to network access to the folder. Since there are four "local users" the file security needs to be in place).

Have you made a shortcut on the desktop to the shared folder for the RDP users?


SG
0
 
lew_stonerAuthor Commented:
Hi SG, I have shared the folder to everyone who needs access to the folder including RDP users.  And I have placed a shortcut on the desktop of the RDP users.  When the RDP users try to access the folder they get the message "restrictions - this operation has been cancelled due to restrictions in effect on this computer".  Lew
0
 
snusgubbenCommented:
Can the RDP users access the folder if they navigate to it with explorer (not using the short cut)?

SG
0
Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

 
lew_stonerAuthor Commented:
I have windows explorer turned off for the RDP users.
0
 
snusgubbenCommented:
Start > Run > iexplore -e c:

Or with IE 7:

Start > Run > %windir%\ie7\iexplore.exe -e c:

Try to navigate


SG
0
 
lew_stonerAuthor Commented:
tried running both of these commands from a command prompt and get the message "restrictions - this operation has been cancelled due to restrictions in effect on this computer".  Some group policy is preventing me from running iexplore.  I am unable to find that group policy.  All help is greatly appreciated.  Getting a little frustrated.  Lew
0
 
snusgubbenCommented:
Heres two ways of finding out what GPO that is preventing you:

1. From your domain controller: run RSoP (from the Group Policy Management Consol)
2. From a RDP client session: Start > Run > gpresult /v

SG
0
 
lew_stonerAuthor Commented:
Will give this a try on Friday.  Thanks for your input and I will let you know what happened on Friday.  Lew
0
 
lew_stonerAuthor Commented:
What follows is a list of enforced policies.  I have played with some of the policies, but ALWAYS get the restrictions message.  I have enabled shared folders but it has no effect.  All help is appreciated.  Lew

Group Policy Management
Links
Location Enforced Link Status Path
Client TS Users Yes Enabled bps.local/Client TS Users

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPOName Allowed Permissions Inherited
BPS\Domain Admins Edit settings, delete, modify security No
BPS\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No

Computer Configuration (Enabled)
No settings defined.
User Configuration (Enabled)
Administrative Templates
Control Panel
Policy Setting
Prohibit access to the Control Panel Enabled

Control Panel/Add or Remove Programs
Policy Setting
Remove Add or Remove Programs Enabled

Control Panel/Printers
Policy Setting
Prevent addition of printers Enabled

Desktop
Policy Setting
Hide Internet Explorer icon on desktop Enabled
Hide My Network Places icon on desktop Enabled
Prohibit user from changing My Documents path Enabled
Remove My Computer icon on the desktop Enabled
Remove My Documents icon on the desktop Enabled
Remove Properties from the My Computer context menu Enabled
Remove Properties from the My Documents context menu Enabled
Remove Properties from the Recycle Bin context menu Enabled

Start Menu and Taskbar
Policy Setting
Add Logoff to the Start Menu Enabled
Force classic Start Menu Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Remove access to the context menus for the taskbar Enabled
Remove common program groups from Start Menu Enabled
Remove Drag-and-drop context menus on the Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Enabled
Remove My Documents icon from Start Menu Enabled
Remove My Network Places icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Run menu from Start Menu Disabled
Remove Search menu from Start Menu Enabled

System
Policy Setting
Prevent access to registry editing tools Enabled
Disable regedit from running silently? Yes
 
Policy Setting
Prevent access to the command prompt Enabled
Disable the command prompt script processing also? No
 

System/Ctrl+Alt+Del Options
Policy Setting
Remove Lock Computer Enabled
Remove Task Manager Enabled

System/Scripts
Policy Setting
Run legacy logon scripts hidden Enabled

Windows Components/Internet Explorer
Policy Setting
Search: Disable Find Files via F3 within the browser Enabled

Windows Components/Internet Explorer/Browser menus
Policy Setting
Disable Context menu Enabled
Hide Favorites menu Enabled

Windows Components/Task Scheduler
Policy Setting
Hide Property Pages Enabled

Windows Components/Windows Explorer
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
 
Policy Setting
Hides the Manage item on the Windows Explorer context menu Enabled
No "Computers Near Me" in My Network Places Enabled
No "Entire Network" in My Network Places Enabled
Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
 
Policy Setting
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove File menu from Windows Explorer Enabled
Remove Hardware tab Enabled
Remove Search button from Windows Explorer Enabled
Remove Security tab Enabled
Remove Windows Explorer's default context menu Enabled
Removes the Folder Options menu item from the Tools menu Enabled
Turn off Windows+X hotkeys Enabled

Windows Components/Windows Explorer/Common Open File Dialog
Policy Setting
Hide the common dialog places bar Enabled

Windows Components/Windows Messenger
Policy Setting
Do not allow Windows Messenger to be run Enabled

Windows Components/Windows Update
Policy Setting
Remove access to use all Windows Update features Enabled
0
 
snusgubbenCommented:
hehe.. you got alot of restrictions :)

Using alot of Enforcing/no override on GPOs is not consider to be "best practise" due to it make troubleshooting alot harder.

You got some policies that that only takes time to process and don't have the effect you want like this:

Add Logoff to the Start Menu Enabled
Remove Logoff on the Start Menu Enabled

Please keep in mind that the share is on your TS that users logs on to with RDP. Thus the share permissions will not take place, but the folders NTFS security permissions!

Share permissions is for access from another network host, while a folders NTFS permission are in use while you are on the actual server where the share/folder is. Please verify that your users have the correct NTFS permission to the folder you like to share.

If you want to go further I suggest you losen up things a little for troubleshooting purpos.

*Enable access to cmd so you can test access to the folder and use "net view \\servername" to see if the share is up and running*

Policy Setting
Prevent access to the command prompt Enabled

*Open access to view the disks on the server*

Windows Components/Windows Explorer
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only

Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only


SG

0
 
lew_stonerAuthor Commented:
Hi SG, thanks for the info.  I inherited this network from another person who set it up and is long gone.  Sounds like I need to remove redundant policies, then loosen things up a bit and test.  I will give it a try and keep you in the loop.  Thanks for your input.  Lew
0
 
lew_stonerAuthor Commented:
Hi SG - I am getting closer thanks to your help.  My terminal server users can now open the folder I placed on their desktop.  However, they can not copy or paste.  I tried playing with share permissions at the folder level with no success - Is this a Group Policy thing or???  Any and all direction is greatly appreciated.  It would be OK if ALL domain & TS users could access, copy & paste to this folder.  Thanks, Lew
0
 
snusgubbenCommented:
Good to see you are getting closer :)

Like I said earlier the Share permissions is not in play as long as you are logged on the server that hosts the share. You need to play with the (shared) folders security permissions.

To "past", the users needs Write access to the folder, to copy they need atleast "read" permissions.

My tip is to look at the Security tab at the folder and click the "Advanced" key and play with the bits located here.


SG

0
 
lew_stonerAuthor Commented:
SG - The folder I want to share is on the Terminal Server.  The TS users can see the folder and can create a folder within the folder, but can not put files in the folder.  I have given full use and rights to the folder for all terminal server users.  That did not help.  So I gave full rights, security, modify, etc to "Everyone" and that still does not allow TS users to put files in this folder.  I do not get any error messages, I just do not have the rights (grayed out paste) to paste or drop anything in this folder.  Any ideas?  Thanks for all your help.  Lew
0
 
snusgubbenCommented:
Stop the inherited permissions from the parent folder and see if you can make it work.

By doing this the rights should not be greyed out.


SG
0
 
lew_stonerAuthor Commented:
Hi, I double checked and I have stopped inherited permissions, and have full rights turned on for everyone and for TS users.  In remote desktop I have disk sharing turned on.  Any other ideas?  Thanks, Lew
0
 
snusgubbenCommented:
Can you copy and paste if you log on to the consol (not with RDP) with a ordinary user that is in the "TS users" group?

Can a user create new files within that folder, but are unable to drag & drop files?


SG
0
 
lew_stonerAuthor Commented:
Hi SG - An ordinary domain user can get to the folder, can copy, drag & drop, paste, create, everything.  I will have to test a TS User tomorrow when I can bring my notebook computer to this client.  Thanks for your continued support, will let you know more tomorrow.  Lew
0
 
lew_stonerAuthor Commented:
Hi SG - when I log on as a terminal server user, but I am connected to the local switch I go to windows explorer and as soon as I click on windows explorer I get the error "operation cancelled due to restrictions in effect."  Sounds like some type of group policy?  I played with windows explorer group policy for a little while, but had no success.  Lew
0
 
snusgubbenCommented:
Yes, that sounds like a policy.

Do you have the Group Policy Management Consol installed? If not you should install it. http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Here you'll be able to run a RSoP and GP modeling. These are essensial tools to use when you create/plan GPO's and troubleshoot GPO's.

Run a RSoP and test modeling with a TS user and the terminalserver.

The RSoP gives you a nice report with policies applied.


SG

0
 
lew_stonerAuthor Commented:
Yes I have group policy management counsol.  Have tried playing with group policy and still no success.  I will be going back to the client either late this week or next week.  Any guesses on which group policy needs some attention?  Thanks, Lew
0
 
snusgubbenCommented:
I'm sorry but it's kinda hard for me to say what policy is causing this without looking at the server.
When you create GPO's there are some best practise to follow to make troubleshoot easier.

1. Seperate GPO for Computer settings and User settings
2. Give the GPO's informative names.
3. Prevent Enforce/no override when it's possible.
4. Make documentation of what the GPO is intended to do.

Now you got one hell of a bunch with settings. The easiest way is to use RSoP and remove one settings at time and test to your problem dissapear. Another option is to google every settings and see if you can find anything that way.

SG
0
 
lew_stonerAuthor Commented:
Will pursue this again in 6 - 8 weeks when I have more time.  Thanks for your help and direction.  Lew
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 13
  • 10
Tackle projects and never again get stuck behind a technical roadblock.
Join Now