sglee

User can't access its own folder via Terminal Server

Hi,
 
 I have Windows 2008 Terminal Server and when the user logs in, I can't even access local C drive. I think it is controlled via Group Policy of some kind but I have not set up this server, so I don't know where to go to change that.
 When I right click on Start button, I have very limited options and can't launch Windows Explorer either.

Thanks.
Windows Server 2008, Active Directory

Shane McKeown

Group policy is normally controlled from the domain controller on the domain

Run this command on the terminal server (open command prompt first)

gpresult /v > gp.txt

Post the resulting file (this will create a file called gp.txt in the folder from where you ran the command, in most cases C:\Users\<username>\gp.txt)

That file will show the GPOs that are being applied, then you need to login to the DC to change the GPO and allow access etc...

Course this is probably locked down for a reason
sglee

ASKER

I logged into TS using Domain Admin account and here is the result:
-------------------------------------------------------------------
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 1/7/2013 at 2:52:10 PM
RSOP data for DomainCO\Domainadmin on TS1 : Logging Mode
---------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.0.6002
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\Domainadmin
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=DomainAdmin,CN=Users,DC=Domainco,DC=com
    Last time Group Policy was applied: 1/7/2013 at 2:51:04 PM
    Group Policy was applied from:      DC1.Domainco.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DomainCO
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        MapF

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        TerminalServerLockDown
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        TS Web Access Administrators
        BUILTIN\Users
        Remote Desktop Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        TerminalServer Users
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
        Enterprise Admins
        Denied RODC Password Replication Group
        High Mandatory Level
       
    The user has the following security privileges
    ----------------------------------------------


    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            GPO: MapF
                Name:         MapF.bat
                Parameters:  
                LastExecuted: 7:51:13 PM

                Name:         TTSPush.bat
                Parameters:  
                LastExecuted: 7:51:14 PM

        Logoff Scripts
        --------------
        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
sglee

ASKER

I found "TerminalServerLockDown" under GP Objects in GP Mgmt.
In the Edit screen, where do I go to allow users to access C Drive on the Terminal Server?

OK, it's usually in

User Config - Admin Templates - Windows Components - Windows Explorer

There's an option in there called 'Hide these drives in My Computer'
sglee

ASKER

OK. I found it. After changing it to "Not Configured", I logged into TS with a user account and I can open "My Computer", but when I click C Drive, it says "This operation has been cancelled due to restrictions ..."
I ran gpedit /force on DC and logged in again, but the same error.
sglee

ASKER

gpedit /force  ---> should have been gpupdate /force
sglee

ASKER

What if I remove this policy altogether?
What should I keep in mind?
I certainly don't want people to shut down the Terminal Server, but short of that, I'd like to have the freedom to install whatever I want for users.
sglee

ASKER

I wanted to back up this GPO "TerminalServerLockDown" before deleting this policy, but it fails on the default folder, C:\GPO\GPO.
I changed the folder, tried to back up, but it failed with the same error.

Em no, don't just delete a policy, you'll be in all sorts of trouble...

Ok, check the User Config - Admin templates - System - check in there to see if there are other restrictions...

Thing about the user lockdown settings is there are multiple locations for these types of settings - so in fairness you may need to check the current settings within that GPO to see what all is being blocked...

To view this go into the management console, into Group Policy Objects section, then click on the lockdown policy
On the right hand window then click into the Settings section and you'll be able to see all the restrictions...
sglee

ASKER

Under "User Config - Admin templates - System" - These are the things enabled: (1) Prevent access to the command prompt  (2) Prevent Access to registry editing tools  (3) /Ctrl-Alt-Del : Remove Lock Computer and Remove Task manager

don't just delete a policy, you'll be in all sorts of trouble...  ---> What kind of trouble should I expect? This seems to have been created to control user activity on the Terminal Server.
I manage multiple terminal servers (for PCs < 15) without a group policy and don't have any problem.

Ok well I'm just advising against it, if you are comfortable with handling it then no problem delete away...

But someone went to the trouble of creating the lockdown policy and unless you are aware of all the settings that it contains then you 'could' have issues

One thing that I know from lockdown policies on TS servers is the 'Prevent user from shutting down server' setting - if you go ahead and just remove this policy then I guarantee without question some one of those users will do it!! Without fail...

So all I'm saying is the best way to handle this is look at all the settings to see which one is causing the problem and remove those settings...

Or if you are ok with having to create from scratch then by all means...

One last question though - why are you giving access to the C drive at all? The way I handle TS machines is I have a mapped drive for the users to connect to so they can store their files/etc...blankly giving access to the C drive is way too dodgy in my book, or is there a specific need for what you are trying to achieve here?
sglee

ASKER

why are you giving access to the C drive at all?  ---> I wanted to get WORD/EXCEL/OUTLOOK icons on his desktop, but I could not access his C drive (on TS) at all. Therefore I can't get to C:\Program Files\Microsoft Office .... etc.

Besides, since I did not create this network and am not familiar with group policies, I could set up certain programs for some users in the past. So I had to change the user type to administrator (which I really did not want to do).

I simply like to have no policy and control users permissions via AD and create new policies as I feel necessary.

I like to remove this policy and create a new policy with one restriction - prevent users from shutting down or restarting TS. Can you tell me how?
sglee

ASKER

Do you know why I can't back up group policy?

Yep, that restriction is in Admin templates - Start Menu and Taskbar - Prevent access to Shutdown/Hibernate commands...

As for why you can't backup that GPO - I've not seen that error before so I've no clue as to why you are getting that...

In terms of the GPO though - as I mentioned you don't actually need to delete/remove it - just unlink it from the current OU it's applied to
Click on the GPO - then into Scope (in right hand window)
It will be applied to an OU - go to that OU (again in the management console)
You will see the policy in the right hand window again - right click on it and untick the 'Link Enabled' to disable it from running on that OU anymore
sglee

ASKER

Can I just uncheck "Enabled"?

Yes

Or even 'All settings disabled' will do the same
sglee

ASKER

I chose 'All settings disabled' and I can access C drive. The problem is solved.
Can you show me how to create a new policy so that I can disable only shutdown/restart capabilities from the terminal server users?

Yep ok...

Right click on the TerminalServers OU (above Group Policy Objects in the console) and select Create a GPO here and Link here...

Give it a name
That takes care of the linking...

Then go into the GPO itself and change these settings

Computer Config - Policies - Admin templates - System - Group Policy
In there change 'User Group Policy loopback processing mode' to Enabled
Change the 'Mode' dropdown box to 'Replace'

Then in User Config - Policies - Admin templates - Start menu and Taskbar
In there set 'Remove access to shutdown/Restart etc...' to Enabled

Now run gpupdate /force on the DC and then on the TS
Should get you back to where you want to be...
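
The steps in the reply above, scripted with the GroupPolicy PowerShell module as an added example (not part of the original thread). The GPO name and the OU distinguished name are placeholders; the registry values are the ones these two Administrative Template settings write.

```powershell
# Added example, not from the thread. Run on a host with the GroupPolicy
# module (GPMC / RSAT on Windows Server 2008 R2 or later).
Import-Module GroupPolicy

# Assumed placeholders: replace with your own GPO name and OU path.
$GpoName  = 'TS-NoShutdown'
$TargetOu = 'OU=TerminalServers,DC=example,DC=com'

# Create the GPO and link it to the OU that holds the terminal servers.
New-GPO -Name $GpoName -Comment 'Hide Shut Down/Restart on terminal servers' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# Computer Configuration: "User Group Policy loopback processing mode".
# UserPolicyMode: 1 = Merge, 2 = Replace.
$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $loopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User Configuration: the Start Menu and Taskbar setting that removes the
# Shut Down / Restart commands (registry value NoClose = 1).
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# Read both values back from the GPO and fail loudly if either is wrong.
$expected = @(
    @{ Key = $loopbackKey; ValueName = 'UserPolicyMode'; Value = 2 },
    @{ Key = $explorerKey; ValueName = 'NoClose';        Value = 1 }
)
foreach ($e in $expected) {
    $actual = Get-GPRegistryValue -Name $GpoName -Key $e.Key -ValueName $e.ValueName
    if ($actual.Value -ne $e.Value) {
        throw "$($e.ValueName) is $($actual.Value), expected $($e.Value)"
    }
}

# Keep an HTML report of the finished GPO for change records.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"

# Refresh policy on the terminal server (run there), then log on as a test user:
# gpupdate /force
```

In Replace mode the user half of this GPO applies to every account that logs on to the servers in that OU, administrators included, unless security filtering on the GPO excludes them. NoClose only removes the commands from the user interface; who is actually allowed to shut the server down is governed by the "Shut down the system" user right.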
sglee

ASKER

That worked. Thank you for your help on this issue.
I can see the benefits of utilizing group policies. I manage a smaller network (<20 PCs) and most times I won't need them, but I can see how they would be handy in some circumstances.

Where can I read up on "Group Policies"?

Glad to have helped...

There's a ton of resources on the web, 2 I've used over the years are

http://www.gpanswers.com/#re
http://www.gpoguy.com/group-policy-video-training.aspx

Group policy is def a time saver for a lot of stuff...

Best way to learn is to create a separate OU, put users/computer in there, link the created GPO to that OU and you can test/test/test to your heart's content...

Long as you don't apply any test GPOs to the default OUs (SBSUsers etc) you should be safe..
sglee

ASKER

Thanks for the links and I appreciate it.