Group Policy Issue - Applying GP to a Windows 2003 Terminal Server


Fawke101

Hello All,

Having a real strange one involving Terminal Server / Citrix.

I am trying to prevent access to ALL DRIVES in My Computer/when opening apps
for everyone who accesses the Server apart from administrator.
I would usually apply this to a group of users in an OU, however the design
of our AD does not permit us to do this - as it would disable their local
drives as well as the TS login.

I have done the following to attempt to achieve the above:

Created New OU
Move the SERVER into the OU in AD
Created a Policy for the OU
Amended Security so it did not apply to Domain Admins
Edited the GP in User Configuration >> Windows Explorer >> Hide Drives In My
Computer >> Enabled Restrict All Drives

Ran GPUPDATE (and subsequently rebooted) on server concerned.

When logging onto the server the drives STILL appear.
All users are local admins of the server (need to run certain apps that
portray this), but why aren't the drives hidden as they should be? Am I
doing something wrong?

Any help MUCH appreciated
 
You've got it *nearly* right. Only thing you have to do is to use
"loopback processing" of the GPO:

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

One more comment: hiding drives is only a cosmetic thing. It does
*not* give you any extra security whatsoever. It is really easy to
access all drives from within nearly every application, even with
this setting enforced.

The real problem here is that you made your users local
Administrators! That should never be necessary to get an
application working. Your users will be able to install
applications from the Internet, reboot your server, etc.

Make them normal users again, and download FileMon and RegMon from
http://www.sysinternals.com/. Run them as administrator (when no
user is connected), start a TS session as a normal user and try to
run the application.

FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions on
a file-to-file or Registry subkey basis.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
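A read-only audit script for the situation described in this reply, added here as an example; it is not code from the thread or from Vera's site. It assumes PowerShell is available on the Terminal Server and that the policy settings land in the registry locations named in the comments (UserPolicyMode for loopback, NoDrives and NoViewOnDrive for the two Explorer drive policies). Nothing is changed; it only reports why drives may still be visible and who is in the local Administrators group.

```powershell
# Added example, not from the original thread. Run in a TS session as the affected user.

# 1. Loopback processing. Without it, the User Configuration of a GPO linked to the
#    server's OU is ignored for users whose accounts live elsewhere in AD.
#    UserPolicyMode: 1 = Merge, 2 = Replace, missing = loopback not enabled.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                        -ErrorAction SilentlyContinue
switch ([int]$sys.UserPolicyMode) {
    1       { 'Loopback processing: Merge' }
    2       { 'Loopback processing: Replace' }
    default { 'Loopback processing: NOT enabled - the OU GPO user settings will not apply to TS logons' }
}

# 2. Decode the bitmasks written by "Hide these specified drives in My Computer" (NoDrives)
#    and "Prevent access to drives from My Computer" (NoViewOnDrive). Bit 0 = A:, bit 25 = Z:.
function Convert-DriveMask([int]$mask) {
    $letters = foreach ($i in 0..25) {
        if ($mask -band [int][math]::Pow(2, $i)) { ([string][char](65 + $i)) + ':' }
    }
    if ($letters) { $letters -join ' ' } else { '(none)' }
}
$explorer = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                             -ErrorAction SilentlyContinue
'Drives hidden in My Computer (cosmetic only): ' + (Convert-DriveMask ([int]$explorer.NoDrives))
'Drives blocked in Explorer UI (cosmetic only): ' + (Convert-DriveMask ([int]$explorer.NoViewOnDrive))

# 3. The real exposure from the thread: members of the local Administrators group.
#    Neither Explorer policy matters if the user is an administrator; only NTFS ACLs do.
'Local Administrators group members:'
net localgroup Administrators |
    Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Alias name|Comment|Members|The command|-+)' }
```

If step 1 reports that loopback is not enabled, the rest of the output explains why nothing changed after GPUPDATE; if step 3 lists ordinary users, that is the problem to fix first.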
 
There is another GPO setting called "Prevent access to drives" that lets you
choose to actually stop access to certain drives. I set mine to prevent
access to A through D drives.

Gregg Hill
 
You mean this one, I assume?
User Configuration - Administrative Templates - Windows Components
- Windows Explorer
"Prevent access to drives from My Computer"

Have you read the last part of the description:

"Also, this setting does not prevent users from using programs to
access local and network drives. And, it does not prevent them from
using the Disk Management snap-in to view and change drive
characteristics."

Same method: security by obscurity. That has never worked. The only
thing which you achieve with the above settings is that users
cannot *click* their way into your system files, they have to use
the keyboard in certain dialog boxes.
Only thing which protects your drives is NTFS permissions on the
file system.
To make things worse, the original poster had made all users
Administrators, which means that nothing can stop them.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
No, I had not read the caveat, and yes, all users as admins is just plain
NUTS!

Gregg Hill
 