Solved

User can't access its own folder via Terminal Server

Posted on 2013-01-07
Last Modified: 2013-01-09
Hi,
 
 I have Windows 2008 Terminal Server and when the user logs in, I can't even access local C drive. I think it is controlled via Group Policy of some kind, but I have not set up this server, so I don't know where to go to change that.
 When I right click on Start button, I have very limited options and can't launch Windows Explorer either.

Thanks.
Question by:sglee
 
LVL 24

Expert Comment

by:smckeown777
ID: 38752132
Group policy is normally controlled from the domain controller on the domain

Run this command on the terminal server(open command prompt first)

gpresult /v > gp.txt

Post the resulting file (this will create a file called gp.txt in the folder from where you ran the command - in most cases C:\Users\<username>\gp.txt)

That file will show the GPO's that are being applied, then you need to login to the DC to change the GPO and allow access etc...

Course this is probably locked down for a reason
 

Author Comment

by:sglee
ID: 38752302
I logged into TS using Domain Admin account and here is result:
-------------------------------------------------------------------
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 1/7/2013 at 2:52:10 PM
RSOP data for DomainCO\Domainadmin on TS1 : Logging Mode
---------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.0.6002
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\Domainadmin
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=DomainAdmin,CN=Users,DC=Domainco,DC=com
    Last time Group Policy was applied: 1/7/2013 at 2:51:04 PM
    Group Policy was applied from:      DC1.Domainco.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DomainCO
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        MapF

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        TerminalServerLockDown
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        TS Web Access Administrators
        BUILTIN\Users
        Remote Desktop Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        TerminalServer Users
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
        Enterprise Admins
        Denied RODC Password Replication Group
        High Mandatory Level
       
    The user has the following security privileges
    ----------------------------------------------


    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            GPO: MapF
                Name:         MapF.bat
                Parameters:  
                LastExecuted: 7:51:13 PM

                Name:         TTSPush.bat
                Parameters:  
                LastExecuted: 7:51:14 PM

        Logoff Scripts
        --------------
        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
 
LVL 24

Accepted Solution

by:
smckeown777 earned 255 total points
ID: 38752330
A domain admin account is no good here - is the C drive locked to the domain admin?

Anyways from the output it appears there is a GPO called - TerminalServerLockDown

That's the GPO you need to change to allow access to the C and other items you are missing

Log into the DC and into Group Policy Management and find that GPO and go from there...
 

Author Comment

by:sglee
ID: 38759207
[Screenshot: TerminalServerLockDown GPO]
I found "TerminalServerLockDown" under GP Objects in GP Mgmt.
In the Edit screen, where do I go to allow users to access C Drive on the Terminal Server?
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759323
Ok it's usually in

User Config - Admin Templates - Windows Components - Windows Explorer

There's an option in there called 'Hide these drives in My Computer'
 

Author Comment

by:sglee
ID: 38759411
[Screenshot: Hide Drives]
OK. I found it. After changing it to "Not Configured", I logged into TS with a user account and I can open "My Computer", but when I click C Drive, it says "This operation has been cancelled due to restrictions ..."
I ran gpedit /force on DC and logged in again, but the same error.
 

Author Comment

by:sglee
ID: 38759428
gpedit /force  ---> should have been gpupdate /force
 

Author Comment

by:sglee
ID: 38759451
What if I remove this policy all together?
What should I keep in mind?
I certainly don't want people to shutdown the Terminal Server, but short of that, I like to have a freedom to install whatever I want for users.
 

Author Comment

by:sglee
ID: 38759486
[Screenshot: GPO Backup Error]
I wanted to back up this GPO "TerminalServerLockDown" before deleting this policy, but it fails on the default folder, C:\GPO\GPO.
I changed the folder, tried to back up, but it failed with the same error.
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759490
Em no, don't just delete a policy, you'll be in all sorts of trouble...

Ok, check the User Config - Admin templates - System - check in there to see if there are other restrictions...

Thing about the user lockdown settings is there are multiple locations for these type of settings - so in fairness you may need to check the current settings within that GPO to see what all is being blocked...

To view this go into the management console, into Group Policy Objects section, then click on the lockdown policy
On the right hand window then click into the Settings section and you'll be able to see all the restrictions...
 

Author Comment

by:sglee
ID: 38759543
Under "User Config - Admin templates - System" - These are the things enabled: (1) Prevent access to the command prompt  (2) Prevent Access to registry editing tools  (3) /Ctrl-Alt-Del : Remove Lock Computer and Remove Task manager

dont just delete a policy, you'll be in all sorts of trouble...  ---> What kind of trouble should I expect? This seems to have been created to control user activity on the Terminal Server.
I manage multiple terminal servers (for PCs < 15) without a group policy and don't have any problem.
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759582
Ok well I'm just advising against it, if you are comfortable with handling it then no problem delete away...

But someone went to the trouble of creating the lockdown policy and unless you are aware of all the settings that it contains then you 'could' have issues

One thing that I know from lockdown policies on TS servers is the 'Prevent user from shutting down server' setting - if you go ahead and just remove this policy then I guarantee without question some one of those users will do it!! Without fail...

So all I'm saying is the best way to handle this is look at all the settings to see which one is causing the problem and remove those settings...

Or if you are ok with having to create from scratch then by all means...

One last question though - why are you giving access to the C drive at all? The way I handle TS machines is I have a mapped drive for the users to connect to so they can store their files/etc...blankly giving access to the C drive is way too dodgy in my book, or is there a specific need for what you are trying to achieve here?
 

Author Comment

by:sglee
ID: 38759656
why are you giving access to the C drive at all?  ---> I wanted to get WORD/EXCEL/OUTLOOK icons on his desktop, but I could not access his C drive (on TS) at all. Therefore I can't get to C:\Program Files\Microsoft Office .... etc.

Besides, since I did not create this network and am not familiar with group policies, I could set up certain programs for some users in the past. So I had to change the user type to administrator (which I really did not want to do).

I simply like to have no policy and control users permissions via AD and create new policies as I feel necessary.

I like to remove this policy and create a new policy with one restriction - prevent users from shutting down or restarting TS. Can you tell me how?
 

Author Comment

by:sglee
ID: 38759662
Do you know why I can't backup group policy?
 
LVL 24

Expert Comment

by:smckeown777
ID: 38759753
Yep, that restriction is in Admin templates - Start Menu and Taskbar - Prevent access to Shutdown/Hibernate commands...

As for why you can't backup that GPO - I've not seen that error before so I've no clue as to why you are getting that...

In terms of the GPO though - as I mentioned you don't actually need to delete/remove it - just unlink it from the current OU it's applied to
Click on the GPO - then into Scope(in right hand window)
It will be applied to an OU - go to that OU(again in the management console)
You will see the policy in the right hand window again - right click on it and untick the 'Link Enabled' to disable it from running on that OU anymore
 

Author Comment

by:sglee
ID: 38760009
[Screenshot: GP Mgmt]
Can I just uncheck "Enabled"?
 
LVL 24

Expert Comment

by:smckeown777
ID: 38760073
Yes

Or even 'All settings disabled' will do the same
 

Author Comment

by:sglee
ID: 38760115
I chose 'All settings disabled' and I can access C drive. The Problem solved.
Can you show me how to create a new policy so that I can disable only shutdown/restart capabilities from the terminal server users?
 
LVL 24

Expert Comment

by:smckeown777
ID: 38760383
Yep ok...

Right click on the TerminalServers OU(above Group Policy Objects in the console) and select Create a GPO here and Link here...

Give it a name
That takes care of the linking...

Then go into the GPO itself and change these settings

Computer Config - Policies - Admin templates - System - Group Policy
In there change 'User Group Policy loopback processing mode' to Enabled
Change the 'Mode' dropdown box to 'Replace'

Then in User Config - Policies - Admin templates - Start menu and Taskbar
In there set 'Remove access to shutdown/Restart etc...' to Enabled

Now run gpupdate /force on the DC and then on the TS
Should get you back to where you want to be...
0
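
The steps worked out in this thread (record and disable TerminalServerLockDown, then create a loopback GPO that only removes the shutdown commands) can also be scripted with the GroupPolicy PowerShell module. This is an added example, not code from the thread: the new GPO name, the OU distinguished name, the archive folder and the two registry values behind the named policy settings are assumptions, and the module needs GPMC on Server 2008 R2 or later.

```powershell
# Added example. Values marked "assumed" do not come from the thread.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'      # abort before any change if a step fails

$oldGpo   = 'TerminalServerLockDown'                 # GPO name from the thread
$newGpo   = 'TS-NoShutdown'                          # assumed name for the new GPO
$targetOu = 'OU=TerminalServers,DC=Domainco,DC=com'  # assumed DN of the TerminalServers OU
$archive  = 'C:\GPO-Archive'                         # assumed folder for report and backup

# 1. Record what the old policy contains before touching it.
New-Item -ItemType Directory -Path $archive -Force | Out-Null
Get-GPOReport -Name $oldGpo -ReportType Html -Path (Join-Path $archive "$oldGpo.html")
try   { Backup-GPO -Name $oldGpo -Path $archive | Out-Null }
catch { Write-Warning "Backup of $oldGpo failed: $($_.Exception.Message)" }

# 2. Disable the old GPO instead of deleting it ('All settings disabled').
(Get-GPO -Name $oldGpo).GpoStatus = 'AllSettingsDisabled'

# 3. Create the new GPO and link it to the terminal server OU.
New-GPO -Name $newGpo | New-GPLink -Target $targetOu -LinkEnabled Yes | Out-Null

# 4. Loopback processing in Replace mode (computer side).
#    Assumed registry value behind the policy: UserPolicyMode, 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $newGpo -Type DWord -Value 2 `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' | Out-Null

# 5. Remove the Shut Down / Restart commands from the Start menu (user side).
#    Assumed registry value behind the policy: NoClose = 1.
Set-GPRegistryValue -Name $newGpo -Type DWord -Value 1 `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' | Out-Null

# 6. Show the resulting state so the change can be checked before users log on.
foreach ($name in $oldGpo, $newGpo) {
    Get-GPO -Name $name | Select-Object DisplayName, GpoStatus, ModificationTime
}
(Get-GPInheritance -Target $targetOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# Afterwards run 'gpupdate /force' on the DC and on the terminal server,
# then confirm with 'gpresult /v' in a normal user's session.
```

With loopback in Replace mode the user settings apply to every account that logs on to computers in that OU, administrators included, unless the GPO's security filtering excludes them, as the gpresult output above shows TerminalServerLockDown did for the Domain Admin account ("Denied (Security)").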
 

Author Comment

by:sglee
ID: 38760723
That worked. Thank you for your help on this issue.
I can see the benefits of utilizing group policies. I manage smaller network (<20 PCs) and most times I won't need them, but I can see how they would be handy in some circumstances.

Where can I read up on "Group Policies"?
 
LVL 24

Expert Comment

by:smckeown777
ID: 38760746
Glad to have helped...

There's a ton of resources on the web, 2 I've used over the years are

http://www.gpanswers.com/#re
http://www.gpoguy.com/group-policy-video-training.aspx

Group policy is def a time saver for a lot of stuff...

Best way to learn is to create a separate OU, put users/computer in there, link the created GPO to that OU and you can test/test/test to your heart's content...

Long as you don't apply any test GPO's to the default OU's(SBSUsers etc) you should be safe..
 

Author Comment

by:sglee
ID: 38760764
Thanks for the links and I appreciate it.