Terminal Server Policy Issue - Hide Drives Not Working

Hi All,

I have a 2008R2 server joined to a SBS11 domain. We had joined it recently after decomissioning a 2003 domain controller.

We lock the terminal server down using a set of policies we normally use however one policy is not applying to the server as this is "Hide these specified drives in my computer" we chose restrict C, we also tried the prevent access to drives from my computer policy and this worked ok?

The policy is in its own OU, and we have enabled the loop back policy setting within the GPO itself. We have applied authenticated users and the computer account itself to security filtering.

When we run GPO results against a user for the termianl server , the policy itself gets applied, the hide drive settings are enabled and are the winning GPO yet the policy does not apply for the user or any user for that matter. Other policy's are getting applied ok for example disable access to control panel.

Scratching my head with this one, bit strange and annoying.

Appreciate your help

Steven
sd450rAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CoralonCommented:
What mode is your loopback in?  Also, as long as you are using Authenticated Users (the default), you don't need to add the computer account (it is already an authenticated user).

Run a GPResults against a user on the system, and take a look at what is applied, and what the final settings actually are.  (Use the /h option to generate an HTML file).

It's possible that another policy is killing your setting, or that particular gp provider is having an error.  (If it is an error, it should show up in the eventlog.

Coralon
0
PeteJThomasCommented:
You could also use the Resultant Set Of Policy (logging) from ADUC to help troubleshoot?

Right-click the Terminal Server object in AD, go to All Tasks > Resultant Set Of Policy (Logging).

Go through the wizard, selecting any relevant test user from the selection list, and ensuring you leave the 'Gather extended error information' tick box ticked (or tick it if it's not).

Once the results are generated, click around and look for any error (X) or warning (!) symbols in the RSoP console to indicate that there are errors trying to apply some policy settings.

Just to clarify my understanding, can you confirm that you have the following 2 settings enabled and set to 'Restrict C drive only' in a policy that is linked to the OU containing your TS computer object, with loopback enabled?

Restrict and Hide drive letter
And if my understanding was correct, you're saying that the 'Prevent access...' setting is working fine but that the drive itself is just still visible?

Many thanks,

Pete
0
SteveCommented:
get gpo results from the TS as a user, not from the GPO management console. this way you get details on what is actually applying, not what 'should' apply.

gpresult /h c:\folder\result.html

check in here to confirm the loopback is applied, the correct GPO is applied and that the setting you have entered is not overridden by other GPOs.

are the users local admins on the TS or admins on the domain? can they actually access the C drive or just see it in my computer?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.