sglee asked:

User can't access its own folder via Terminal Server

I have Windows 2008 Terminal Server and when the user logs in, I can't even access the local C drive. I think it is controlled via Group Policy of some kind but I have not set up this server, so I don't know where to go to change that.
When I right click on the Start button, I have very limited options and can't launch Windows Explorer either.

Windows Server 2008, Active Directory

Shane McKeown

Group policy is normally controlled from the domain controller on the domain.

Run this command on the terminal server (open a command prompt first):

gpresult /v > gp.txt

Post the resulting file (this will create a file called gp.txt in the folder from where you ran the command - in most cases C:\Users\<username>\gp.txt).

That file will show the GPOs that are being applied, then you need to log in to the DC to change the GPO and allow access etc...

Course this is probably locked down for a reason
sglee

I logged into TS using Domain Admin account and here is the result:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 1/7/2013 at 2:52:10 PM
RSOP data for DomainCO\Domainadmin on TS1 : Logging Mode

OS Configuration:            Member Server
OS Version:                  6.0.6002
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\Domainadmin
Connected over a slow link?: No

    Last time Group Policy was applied: 1/7/2013 at 2:51:04 PM
    Group Policy was applied from:      DC1.Domainco.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DomainCO
    Domain Type:                        Windows 2000
    Applied Group Policy Objects
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)

            Filtering:  Denied (Security)

    The user is a part of the following security groups
        Domain Users
        TS Web Access Administrators
        Remote Desktop Users
        NT AUTHORITY\Authenticated Users
        This Organization
        TerminalServer Users
        Domain Admins
        Group Policy Creator Owners
        Schema Admins
        Enterprise Admins
        Denied RODC Password Replication Group
        High Mandatory Level
    The user has the following security privileges

    Resultant Set Of Policies for User

        Software Installations

        Logon Scripts
            GPO: MapF
                Name:         MapF.bat
                LastExecuted: 7:51:13 PM

                Name:         TTSPush.bat
                LastExecuted: 7:51:14 PM

        Logoff Scripts
        Public Key Policies

        Administrative Templates

        Folder Redirection

        Internet Explorer Browser User Interface

        Internet Explorer Connection

        Internet Explorer URLs

        Internet Explorer Security

        Internet Explorer Programs
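
As an added example (not part of the thread), this PowerShell function reduces gpresult /v text like the report above to a table of applied and filtered-out GPOs. The sample text is constructed for illustration and ExampleLockdownGPO is a placeholder name.

```powershell
# Added example: summarise the GPO sections of gpresult /v text output.
function Get-GpResultSummary {
    param([string[]]$Lines)

    $section = $null   # list currently being read: 'Applied', 'Filtered' or none
    $pending = $null   # GPO name waiting for its "Filtering:" reason line
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq 'Applied Group Policy Objects') { $section = 'Applied'; continue }
        if ($text -like 'The following GPOs were not applied*') { $section = 'Filtered'; continue }
        if ($text -like 'The * is a part of the following security groups') { $section = $null; continue }
        # Skip blank lines, dashed underlines and everything outside the two lists.
        if (-not $section -or -not $text -or $text -match '^-+$') { continue }

        if ($section -eq 'Applied') {
            [pscustomobject]@{ Gpo = $text; State = 'Applied'; Reason = '' }
        }
        elseif ($text -match '^Filtering:\s*(.+)$') {
            # The reason line belongs to the GPO name read just before it.
            $name = if ($pending) { $pending } else { '(name not shown)' }
            [pscustomobject]@{ Gpo = $name; State = 'Filtered'; Reason = $Matches[1] }
            $pending = $null
        }
        else { $pending = $text }
    }
}

# Constructed sample in the layout gpresult /v prints (GPO names are placeholders).
$sample = @'
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        ExampleLockdownGPO
            Filtering:  Denied (Security)

    The user is a part of the following security groups
'@ -split "`r?`n"

Get-GpResultSummary -Lines $sample | Format-Table -AutoSize
```

A GPO listed as Denied (Security) is excluded by its security filtering for the account the report was generated for, so the report has to be produced for the restricted user (gpresult /user <domain\user> /v) to see what that user actually receives.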
sglee

I found "TerminalServerLockDown" under GP Objects in GP Mgmt.
In the Edit screen, where do I go to allow users to access C Drive on the Terminal Server?

Ok, it's usually in

User Config - Admin Templates - Windows Components - Windows Explorer

There's an option in there called 'Hide these drives in My Computer'
sglee

OK. I found it. After changing it to "Not Configured", I logged into TS with a user account and I can open "My Computer", but when I click C Drive, it says "This operation has been cancelled due to restrictions ..."
I ran gpedit /force on DC and logged in again, but the same error.

sglee

gpedit /force  ---> should have been gpupdate /force
sglee

What if I remove this policy altogether?
What should I keep in mind?
I certainly don't want people to shut down the Terminal Server, but short of that, I like to have the freedom to install whatever I want for users.
sglee

I wanted to back up this GPO "TerminalServerLockDown" before deleting this policy, but it fails on the default folder, C:\GPO\GPO.
I changed the folder, tried to back up, but it failed with the same error.

Em no, don't just delete a policy, you'll be in all sorts of trouble...

Ok, check the User Config - Admin templates - System - check in there to see if there are other restrictions...

Thing about the user lockdown settings is there are multiple locations for these types of settings - so in fairness you may need to check the current settings within that GPO to see what all is being blocked...

To view this go into the management console, into Group Policy Objects section, then click on the lockdown policy
On the right hand window then click into the Settings section and you'll be able to see all the restrictions...
sglee

Under "User Config - Admin templates - System" - These are the things enabled: (1) Prevent access to the command prompt  (2) Prevent Access to registry editing tools  (3) /Ctrl-Alt-Del : Remove Lock Computer and Remove Task manager

don't just delete a policy, you'll be in all sorts of trouble...  ---> What kind of trouble should I expect? This seems to have been created to control user activity on the Terminal Server.
I manage multiple terminal servers (for PCs < 15) without a group policy and don't have any problem.

Ok well I'm just advising against it, if you are comfortable with handling it then no problem delete away...

But someone went to the trouble of creating the lockdown policy and unless you are aware of all the settings that it contains then you 'could' have issues

One thing that I know from lockdown policies on TS servers is the 'Prevent user from shutting down server' setting - if you go ahead and just remove this policy then I guarantee without question some one of those users will do it!! Without fail...

So all I'm saying is the best way to handle this is look at all the settings to see which one is causing the problem and remove those settings...

Or if you are ok with having to create from scratch then by all means...

One last question though - why are you giving access to the C drive at all? The way I handle TS machines is I have a mapped drive for the users to connect to so they can store their files/etc...blankly giving access to the C drive is way too dodgy in my book, or is there a specific need for what you are trying to achieve here?
sglee

why are you giving access to the C drive at all?  ---> I wanted to get WORD/EXCEL/OUTLOOK icons on his desktop, but I could not access his C drive (on TS) at all. Therefore I can't get to C:\Program Files\Microsoft Office .... etc.

Besides, since I did not create this network and am not familiar with group policies, I could set up certain programs for some users in the past. So I had to change the user type to administrator (which I really did not want to do).

I simply like to have no policy and control users permissions via AD and create new policies as I feel necessary.

I like to remove this policy and create a new policy with one restriction - prevent users from shutting down or restarting TS. Can you tell me how?
sglee

Do you know why I can't back up group policy?

Yep, that restriction is in Admin templates - Start Menu and Taskbar - Prevent access to Shutdown/Hibernate commands...

As for why you can't backup that GPO - I've not seen that error before so I've no clue as to why you are getting that...

In terms of the GPO though - as I mentioned you don't actually need to delete/remove it - just unlink it from the current OU it's applied to
Click on the GPO - then into Scope (in right hand window)
It will be applied to an OU - go to that OU (again in the management console)
You will see the policy in the right hand window again - right click on it and untick the 'Link Enabled' to disable it from running on that OU anymore
sglee

Can I just uncheck "Enabled"?

Or even 'All settings disabled' will do the same
sglee

I chose 'All settings disabled' and I can access C drive. Problem solved.
Can you show me how to create a new policy so that I can disable only shutdown/restart capabilities from the terminal server users?

Yep ok...

Right click on the TerminalServers OU(above Group Policy Objects in the console) and select Create a GPO here and Link here...

Give it a name
That takes care of the linking...

Then go into the GPO itself and change these settings

Computer Config - Policies - Admin templates - System - Group Policy
In there change 'User Group Policy loopback processing mode' to Enabled
Change the 'Mode' dropdown box to 'Replace'

Then in User Config - Policies - Admin templates - Start menu and Taskbar
In there set 'Remove access to shutdown/Restart etc...' to Enabled

Now run gpupdate /force on the DC and then on the TS
Should get you back to where you want to be...
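
The same sequence scripted with the GroupPolicy PowerShell module, as an added example rather than anything posted in the thread. It assumes the module is available (GPMC/RSAT on Server 2008 R2 or later, run from a DC or management workstation); the OU path, the new GPO name and the backup folder are placeholders, and only the name TerminalServerLockDown comes from the thread.

```powershell
# Added example: back up and disable the old lockdown GPO, then create a minimal replacement.
Import-Module GroupPolicy

$ouDn       = 'OU=TerminalServers,DC=example,DC=com'   # placeholder distinguished name
$oldGpoName = 'TerminalServerLockDown'                 # GPO name from the thread
$newGpoName = 'TS-NoShutdown'                          # hypothetical name
$backupDir  = 'C:\GPOBackup'                           # placeholder folder

# 1. Keep a backup and a readable settings report before changing anything.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name $oldGpoName -Path $backupDir | Out-Null
Get-GPOReport -Name $oldGpoName -ReportType Html -Path (Join-Path $backupDir "$oldGpoName.html")

# 2. Equivalent of 'All settings disabled': reversible, nothing is deleted.
(Get-GPO -Name $oldGpoName).GpoStatus = 'AllSettingsDisabled'

# 3. Create the replacement GPO and link it to the terminal server OU.
New-GPO -Name $newGpoName | New-GPLink -Target $ouDn -LinkEnabled Yes | Out-Null

# 4. Computer side: loopback processing in Replace mode (2 = Replace, 1 = Merge).
Set-GPRegistryValue -Name $newGpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 5. User side: remove the Shut Down / Restart commands (NoClose = 1).
Set-GPRegistryValue -Name $newGpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 6. Read the values back to confirm what the new GPO now contains.
Get-GPRegistryValue -Name $newGpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $newGpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
```

After it runs, gpupdate /force on the terminal server and a fresh logon with a non-admin test account show whether the restriction applies as intended.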
sglee

That worked. Thank you for your help on this issue.
I can see the benefits of utilizing group policies. I manage smaller networks (<20 PCs) and most times I won't need them, but I can see how they would be handy in some circumstances.

Where can I read up on "Group Policies"?

Glad to have helped...

There's a ton of resources on the web, 2 I've used over the years are


Group policy is def a time saver for a lot of stuff...

Best way to learn is to create a separate OU, put users/computer in there, link the created GPO to that OU and you can test/test/test to your heart's content...

Long as you don't apply any test GPOs to the default OUs (SBSUsers etc) you should be safe..
sglee

Thanks for the links and I appreciate it.