Solved

User can't access its own folder via Terminal Server

Posted on 2013-01-07
Last Modified: 2013-01-09
Hi,
 
 I have Windows 2008 Terminal Server and when the user logs in, I can't even access local C drive. I think it is controlled via Group Policy or some kind but I have not set up this server, so I don't know where to go to change that.
 When I right click on Start button, I have very limited options and can't launch Windows Explorer either.

Thanks.
Question by:sglee
22 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 38752132
Group policy is normally controlled from the domain controller on the domain

Run this command on the terminal server (open command prompt first)

gpresult /v > gp.txt

Post the resulting file (this will create a file called gp.txt in the folder from where you ran the command - in most cases C:\Users\<username>\gp.txt)

That file will show the GPOs that are being applied, then you need to log in to the DC to change the GPO and allow access etc...

Course this is probably locked down for a reason
0
 

Author Comment

by:sglee
ID: 38752302
I logged into TS using Domain Admin account and here is result:
-------------------------------------------------------------------
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 1/7/2013 at 2:52:10 PM
RSOP data for DomainCO\Domainadmin on TS1 : Logging Mode
---------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.0.6002
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\Domainadmin
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=DomainAdmin,CN=Users,DC=Domainco,DC=com
    Last time Group Policy was applied: 1/7/2013 at 2:51:04 PM
    Group Policy was applied from:      DC1.Domainco.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DomainCO
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        MapF

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        TerminalServerLockDown
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        TS Web Access Administrators
        BUILTIN\Users
        Remote Desktop Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        TerminalServer Users
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
        Enterprise Admins
        Denied RODC Password Replication Group
        High Mandatory Level
       
    The user has the following security privileges
    ----------------------------------------------


    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            GPO: MapF
                Name:         MapF.bat
                Parameters:  
                LastExecuted: 7:51:13 PM

                Name:         TTSPush.bat
                Parameters:  
                LastExecuted: 7:51:14 PM

        Logoff Scripts
        --------------
        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 1020 total points
ID: 38752330
A domain admin account is no good here - is the C drive locked to the domain admin?

Anyways from the output it appears there is a GPO called - TerminalServerLockDown

That's the GPO you need to change to allow access to the C and other items you are missing

Log into the DC and into Group Policy Management and find that GPO and go from there...
0

 

Author Comment

by:sglee
ID: 38759207
I found "TerminalServerLockDown" under GP Objects in GP Mgmt.
In the Edit screen, where do I go to allow users to access C Drive on the Terminal Server?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759323
Ok, it's usually in

User Config - Admin Templates - Windows Components - Windows Explorer

There's an option in there called 'Hide these drives in My Computer'
0
 

Author Comment

by:sglee
ID: 38759411
OK. I found it. After changing it to "Not Configured", I logged into TS with a user account and I can open "My Computer", but when I click C Drive, it says "This operation has been cancelled due to restrictions ..."
I ran gpedit /force on DC and logged in again, but the same error.
0
 

Author Comment

by:sglee
ID: 38759428
gpedit /force  ---> should have been gpupdate /force
0
 

Author Comment

by:sglee
ID: 38759451
What if I remove this policy all together?
What should I keep in mind?
I certainly don't want people to shutdown the Terminal Server, but short of that, I like to have a freedom to install whatever I want for users.
0
 

Author Comment

by:sglee
ID: 38759486
I wanted to back up this GPO "TerminalServerLockDown" before deleting this policy, but it fails on the default folder, C:\GPO\GPO.
I changed the folder, tried to backup, but it failed with the same error.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759490
Em no, don't just delete a policy, you'll be in all sorts of trouble...

Ok, check the User Config - Admin templates - System - check in there to see if there are other restrictions...

Thing about the user lockdown settings is there are multiple locations for these type of settings - so in fairness you may need to check the current settings within that GPO to see what all is being blocked...

To view this go into the management console, into Group Policy Objects section, then click on the lockdown policy
In the right hand window then click into the Settings section and you'll be able to see all the restrictions...
0
 

Author Comment

by:sglee
ID: 38759543
Under "User Config - Admin templates - System" - These are the things enabled: (1) Prevent access to the command prompt  (2) Prevent Access to registry editing tools  (3) /Ctrl-Alt-Del : Remove Lock Computer and Remove Task manager

don't just delete a policy, you'll be in all sorts of trouble...  ---> What kind of trouble should I expect? This seems to have been created to control user activity on the Terminal Server.
I manage multiple terminal servers (for PCs < 15) without a group policy and don't have any problem.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759582
Ok well I'm just advising against it, if you are comfortable with handling it then no problem delete away...

But someone went to the trouble of creating the lockdown policy and unless you are aware of all the settings that it contains then you 'could' have issues

One thing that I know from lockdown policies on TS servers is the 'Prevent user from shutting down server' setting - if you go ahead and just remove this policy then I guarantee without question some one of those users will do it!! Without fail...

So all I'm saying is the best way to handle this is look at all the settings to see which one is causing the problem and remove those settings...

Or if you are ok with having to create from scratch then by all means...

One last question though - why are you giving access to the C drive at all? The way I handle TS machines is I have a mapped drive for the users to connect to so they can store their files/etc... blankly giving access to the C drive is way too dodgy in my book, or is there a specific need for what you are trying to achieve here?
0
 

Author Comment

by:sglee
ID: 38759656
why are you giving access to the C drive at all?  ---> I wanted to get WORD/EXCEL/OUTLOOK icons on his desktop, but I could not access his C drive (on TS) at all. Therefore I can't get to C:\Program Files\Microsoft Office .... etc.

Besides, since I did not create this network and am not familiar with group policies, I could set up certain programs for some users in the past. So I had to change the user type to administrator (which I really did not want to do).

I simply like to have no policy and control users permissions via AD and create new policies as I feel necessary.

I like to remove this policy and create a new policy with one restriction - prevent users from shutting down or restarting TS. Can you tell me how?
0
 

Author Comment

by:sglee
ID: 38759662
Do you know why I can't backup group policy?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759753
Yep, that restriction is in Admin templates - Start Menu and Taskbar - Prevent access to Shutdown/Hibernate commands...

As for why you can't backup that GPO - I've not seen that error before so I've no clue as to why you are getting that...

In terms of the GPO though - as I mentioned you don't actually need to delete/remove it - just unlink it from the current OU it's applied to
Click on the GPO - then into Scope (in right hand window)
It will be applied to an OU - go to that OU(again in the management console)
You will see the policy in the right hand window again - right click on it and untick the 'Link Enabled' to disable it from running on that OU anymore
0
 

Author Comment

by:sglee
ID: 38760009
Can I just uncheck "Enabled"?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38760073
Yes

Or even 'All settings disabled' will do the same
0
 

Author Comment

by:sglee
ID: 38760115
I chose 'All settings disabled' and I can access C drive. The problem is solved.
Can you show me how to create a new policy so that I can disable only shutdown/restart capabilities from the terminal server users?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38760383
Yep ok...

Right click on the TerminalServers OU (above Group Policy Objects in the console) and select Create a GPO here and Link here...

Give it a name
That takes care of the linking...

Then go into the GPO itself and change these settings

Computer Config - Policies - Admin templates - System - Group Policy
In there change 'User Group Policy loopback processing mode' to Enabled
Change the 'Mode' dropdown box to 'Replace'

Then in User Config - Policies - Admin templates - Start menu and Taskbar
In there set 'Remove access to shutdown/Restart etc...' to Enabled

Now run gpupdate /force on the DC and then on the TS
Should get you back to where you want to be...
0
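The console steps from this thread (report and back up the lockdown GPO, disable its link instead of deleting it, then create a loopback GPO that only removes shutdown/restart) can also be scripted. This is an added example, not code posted by either participant; it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, or RSAT), and the OU distinguished name, new GPO name and backup folder are placeholders.

```powershell
# Added example. Values marked "assumed" are placeholders, not taken from the thread.
Import-Module GroupPolicy

$oldGpo   = 'TerminalServerLockDown'                 # GPO name shown in the gpresult output
$newGpo   = 'TS-NoShutdown'                          # assumed name for the replacement GPO
$tsOu     = 'OU=TerminalServers,DC=Domainco,DC=com'  # assumed DN of the terminal server OU
$backupTo = 'D:\GPOBackup'                           # assumed folder; must already exist

# 1. Record every setting in the lockdown GPO, then back it up, before changing anything.
Get-GPOReport -Name $oldGpo -ReportType Html -Path (Join-Path $backupTo "$oldGpo.html")
Backup-GPO -Name $oldGpo -Path $backupTo -Comment 'Before disabling the link'

# 2. Disable the link on the OU. The GPO and its settings stay intact,
#    so the change is reversed with -LinkEnabled Yes.
Set-GPLink -Name $oldGpo -Target $tsOu -LinkEnabled No

# 3. Create the replacement GPO and link it to the same OU.
New-GPO -Name $newGpo -Comment 'Block shutdown/restart for TS users' |
    New-GPLink -Target $tsOu

# 4. Computer side: loopback processing in Replace mode (UserPolicyMode 2; 1 is Merge),
#    so the user setting below applies to anyone logging on to computers in this OU.
Set-GPRegistryValue -Name $newGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 5. User side: NoClose is the registry value behind the Start Menu and Taskbar
#    policy that removes Shut Down, Restart, Sleep and Hibernate.
Set-GPRegistryValue -Name $newGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1

# 6. Confirm which GPOs are linked to the OU and whether each link is enabled.
(Get-GPInheritance -Target $tsOu).GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

With loopback in Replace mode, users logging on to the terminal server receive user settings only from GPOs in scope for the server's computer object, so re-run `gpresult /v` as a normal user afterwards to confirm the applied list is what you expect.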
 

Author Comment

by:sglee
ID: 38760723
That worked. Thank you for your help on this issue.
I can see the benefits of utilizing group policies. I manage smaller network (<20 PCs) and most times I won't need them, but I can see how they would be handy in some circumstances.

Where can I read up on "Group Policies"?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38760746
Glad to have helped...

There's a ton of resources on the web, 2 I've used over the years are

http://www.gpanswers.com/#re
http://www.gpoguy.com/group-policy-video-training.aspx

Group policy is def a time saver for a lot of stuff...

Best way to learn is to create a separate OU, put users/computer in there, link the created GPO to that OU and you can test/test/test to your heart's content...

Long as you don't apply any test GPOs to the default OUs (SBSUsers etc) you should be safe..
0
 

Author Comment

by:sglee
ID: 38760764
Thanks for the links and I appreciate it.
0
