• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1884
  • Last Modified:

Terminal Server Policy Issue - Hide Drives Not Working

Hi All,

I have a 2008R2 server joined to a SBS11 domain. We had joined it recently after decomissioning a 2003 domain controller.

We lock the terminal server down using a set of policies we normally use however one policy is not applying to the server as this is "Hide these specified drives in my computer" we chose restrict C, we also tried the prevent access to drives from my computer policy and this worked ok?

The policy is in its own OU, and we have enabled the loop back policy setting within the GPO itself. We have applied authenticated users and the computer account itself to security filtering.

When we run GPO results against a user for the termianl server , the policy itself gets applied, the hide drive settings are enabled and are the winning GPO yet the policy does not apply for the user or any user for that matter. Other policy's are getting applied ok for example disable access to control panel.

Scratching my head with this one, bit strange and annoying.

Appreciate your help

3 Solutions
What mode is your loopback in?  Also, as long as you are using Authenticated Users (the default), you don't need to add the computer account (it is already an authenticated user).

Run a GPResults against a user on the system, and take a look at what is applied, and what the final settings actually are.  (Use the /h option to generate an HTML file).

It's possible that another policy is killing your setting, or that particular gp provider is having an error.  (If it is an error, it should show up in the eventlog.

You could also use the Resultant Set Of Policy (logging) from ADUC to help troubleshoot?

Right-click the Terminal Server object in AD, go to All Tasks > Resultant Set Of Policy (Logging).

Go through the wizard, selecting any relevant test user from the selection list, and ensuring you leave the 'Gather extended error information' tick box ticked (or tick it if it's not).

Once the results are generated, click around and look for any error (X) or warning (!) symbols in the RSoP console to indicate that there are errors trying to apply some policy settings.

Just to clarify my understanding, can you confirm that you have the following 2 settings enabled and set to 'Restrict C drive only' in a policy that is linked to the OU containing your TS computer object, with loopback enabled?

Restrict and Hide drive letter
And if my understanding was correct, you're saying that the 'Prevent access...' setting is working fine but that the drive itself is just still visible?

Many thanks,

get gpo results from the TS as a user, not from the GPO management console. this way you get details on what is actually applying, not what 'should' apply.

gpresult /h c:\folder\result.html

check in here to confirm the loopback is applied, the correct GPO is applied and that the setting you have entered is not overridden by other GPOs.

are the users local admins on the TS or admins on the domain? can they actually access the C drive or just see it in my computer?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now