Group Policy Issue - Applying GP to a Windows 2003 Termina..

Anonymous
August 16, 2005 9:13:00 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy,microsoft.public.windows.terminal_services

Hello All,

Having a real strange one involving Terminal Server / Citrix.

I am trying to prevent access to ALL DRIVES in My Computer/when opening apps
for everyone who accesses the Server apart from administrator.
I would usually apply this to a group of users in an OU, however the design
of our AD does not permit us to do this - as it would disable their local
drives as well as the TS login.

I have done the following to attempt to achieve the above:

Created New OU
Move the SERVER into the OU in AD
Created a Policy for the OU
Amended Security so it did not apply to Domain Admins
Edited the GP in User Configuration >> Windows Explorer >> Hide Drives In My
Computer >> Enabled Restrict All Drives

Ran GPUPDATE (and subsequently rebooted) on server concerned.

When logging onto the server the drives STILL appear.
All users are local admins of the server (need to run certain apps that
portray this), but why aren't the drives hidden as they should be? Am I
doing something wrong?

Any help MUCH appreciated
Anonymous
August 16, 2005 9:13:01 PM

You've got it *nearly* right. Only thing you have to do is to use
"loopback processing" of the GPO:

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

One more comment: hiding drives is only a cosmetic thing. It does
*not* give you any extra security whatsoever. It is really easy to
access all drives from within nearly every application, even with
this setting enforced.

The real problem here is that you made your users local
Administrators! That should never be necessary to get an
application working. Your users will be able to install
applications from the Internet, reboot your server, etc.

Make them normal users again, and download FileMon and RegMon from
http://www.sysinternals.com/. Run them as administrator (when no
user is connected), start a TS session as a normal user and try to
run the application.

FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions on
a file-to-file or Registry subkey basis.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Fawke101" <guyNO.hockingSPAM@utilizePLEASE.co.uk> wrote on 16 aug
2005 in microsoft.public.windows.terminal_services:

> Hello All,
>
> Having a real strange one involving Terminal Server / Citrix.
>
> I am trying to prevent access to ALL DRIVES in My Computer/when
> opening apps for everyone who accesses the Server apart from
> administrator. I would usually apply this to a group of users in
> an OU, however the design of our AD does not permit us to do
> this - as it would disable their local drives as well as the TS
> login.
>
> I have done the following to attempt to achieve the above:
>
> Created New OU
> Move the SERVER into the OU in AD
> Created a Policy for the OU
> Amended Security so it did not apply to Domain Admins
> Edited the GP in User Configuration >> Windows Explorer >> Hide
> Drives In My Computer >> Enabled Restrict All Drives
>
> Ran GPUPDATE (and subsequently rebooted) on server concerned.
>
> When logging onto the server the drives STILL appear.
> All users are local admins of the server (need to run certain
> apps that portray this), but why aren't the drives hidden as
> they should be? Am I doing something wrong?
>
> Any help MUCH appreciated
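
An added example, not part of the original posts: a PowerShell check, run inside a user's Terminal Server session, of the three things the reply above raises: whether loopback processing is active on the server, which drives the Explorer drive policies cover for this user, and who is in the local Administrators group. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`); the helper names `ConvertFrom-DriveMask` and `Get-PolicyValue` are made up for this example.

```powershell
# Added example (not from the thread). Run inside the TS session of the user being checked,
# because HKCU is that user's registry hive.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function ConvertFrom-DriveMask([int]$Mask) {
    # Bit 0 = A:, bit 1 = B:, ... bit 25 = Z: (all drives = 0x03FFFFFF)
    $letters = foreach ($i in 0..25) { if ($Mask -band (1 -shl $i)) { [char](65 + $i) } }
    -join $letters
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns nothing when the key or value is absent (policy not applied)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# 1. Loopback processing is a computer-side setting stored on the server itself
$mode = Get-PolicyValue $system 'UserPolicyMode'
$loopback = if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'Not configured' }

# 2. Drive restrictions as they landed in this user's hive
$hide  = Get-PolicyValue $explorer 'NoDrives'       # "Hide these specified drives in My Computer"
$block = Get-PolicyValue $explorer 'NoViewOnDrive'  # "Prevent access to drives from My Computer"

# 3. Members of the local Administrators group (well-known SID, language independent)
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name

[pscustomobject]@{
    LoopbackMode     = $loopback
    HiddenDrives     = if ($null -ne $hide)  { ConvertFrom-DriveMask $hide }  else { 'policy not set' }
    RestrictedDrives = if ($null -ne $block) { ConvertFrom-DriveMask $block } else { 'policy not set' }
    LocalAdmins      = $admins -join '; '
}
```

If `LoopbackMode` reads `Not configured`, user-side settings in a GPO linked to the server's OU never reach the users who log on there. A populated `HiddenDrives` value only changes what Explorer displays; ordinary users showing up under `LocalAdmins` is the finding that matters.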
Anonymous
August 18, 2005 2:32:29 AM

There is another GPO setting called "Prevent access to drives" that lets you
choose to actually stop access to certain drives. I set mine to prevent
access to A through D drives.

Gregg Hill



"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns96B4D286F29FFveranoesthemutforsse@207.46.248.16...
> You've got it *nearly* right. Only thing you have to do is to use
> "loopback processing" of the GPO:
>
> 260370 - How to Apply Group Policy Objects to Terminal Services
> Servers
> http://support.microsoft.com/?kbid=260370
>
> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287
>
> One more comment: hiding drives is only a cosmetic thing. It does
> *not* give you any extra security whatsoever. It is really easy to
> access all drives from within nearly every application, even with
> this setting enforced.
>
> The real problem here is that you made your users local
> Administrators! That should never be necessary to get an
> application working. Your users will be able to install
> applications from the Internet, reboot your server, etc.
>
> Make them normal users again, and download FileMon and RegMon from
> http://www.sysinternals.com/. Run them as administrator (when no
> user is connected), start a TS session as a normal user and try to
> run the application.
>
> FileMon and RegMon will show you all "access denied" errors that
> occur, so that you can give your users the necessary permissions on
> a file-to-file or Registry subkey basis.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
Anonymous
August 18, 2005 3:49:14 PM

You mean this one, I assume?
User Configuration - Administrative Templates - Windows Components
- Windows Explorer
"Prevent access to drives from My Computer"

Have you read the last part of the description:

"Also, this setting does not prevent users from using programs to
access local and network drives. And, it does not prevent them from
using the Disk Management snap-in to view and change drive
characteristics."

Same method: security by obscurity. That has never worked. The only
thing which you achieve with the above settings is that users
cannot *click* their way into your system files, they have to use
the keyboard in certain dialog boxes.
Only thing which protects your drives is NTFS permissions on the
file system.
To make things worse, the original poster had made all users
Administrators, which means that nothing can stop them.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Gregg Hill" <bogus@nowhere.com> wrote on 18 aug 2005 in
microsoft.public.windows.terminal_services:

> There is another GPO setting called "Prevent access to drives"
> that lets you choose to actually stop access to certain drives.
> I set mine to prevent access to A through D drives.
>
> Gregg Hill
Anonymous
August 20, 2005 12:03:01 AM

No, I had not read the caveat, and yes, all users as admins is just plain
NUTS!

Gregg Hill



"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns96B6D3CC5AA31veranoesthemutforsse@207.46.248.16...
> You mean this one, I assume?
> User Configuration - Administrative Templates - Windows Components
> - Windows Explorer
> "Prevent access to drives from My Computer"
>
> Have you read the last part of the description:
>
> "Also, this setting does not prevent users from using programs to
> access local and network drives. And, it does not prevent them from
> using the Disk Management snap-in to view and change drive
> characteristics."
>
> Same method: security by obscurity. That has never worked. The only
> thing which you achieve with the above settings is that users
> cannot *click* their way into your system files, they have to use
> the keyboard in certain dialog boxes.
> Only thing which protects your drives is NTFS permissions on the
> file system.
> To make things worse, the original poster had made all users
> Administrators, which means that nothing can stop them.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___