Group Policy Issue - Applying GP to a Windows 2003 Termina..

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy,microsoft.public.windows.terminal_services

Hello All,

Having a real strange one involving Terminal Server / Citrix.

I am trying to prevent access to ALL DRIVES in My Computer/when opening apps
for everyone who accesses the Server apart from administrator.
I would usually apply this to a group of users in an OU, however the design
of our AD does not permit us to do this - as it would disable their local
drives as well as the TS login.

I have done the following to attempt to achieve the above:

Created New OU
Moved the SERVER into the OU in AD
Created a Policy for the OU
Amended Security so it did not apply to Domain Admins
Edited the GP in User Configuration >> Windows Explorer >> Hide Drives In My
Computer >> Enabled Restrict All Drives

Ran GPUPDATE (and subsequently rebooted) on server concerned.

When logging onto the server the drives STILL appear.
All users are local admins of the server (need to run certain apps that
portray this), but why aren't the drives hidden as they should be? Am I
doing something wrong?

Any help MUCH appreciated
  1.

    You've got it *nearly* right. Only thing you have to do is to use
    "loopback processing" of the GPO:

    260370 - How to Apply Group Policy Objects to Terminal Services
    Servers
    http://support.microsoft.com/?kbid=260370

    231287 - Loopback Processing of Group Policy
    http://support.microsoft.com/?kbid=231287

    One more comment: hiding drives is only a cosmetic thing. It does
    *not* give you any extra security whatsoever. It is really easy to
    access all drives from within nearly every application, even with
    this setting enforced.

    The real problem here is that you made your users local
    Administrators! That should never be necessary to get an
    application working. Your users will be able to install
    applications from the Internet, reboot your server, etc.

    Make them normal users again, and download FileMon and RegMon from
    http://www.sysinternals.com/. Run them as administrator (when no
    user is connected), start a TS session as a normal user and try to
    run the application.

    FileMon and RegMon will show you all "access denied" errors that
    occur, so that you can give your users the necessary permissions on
    a file-to-file or Registry subkey basis.

    _________________________________________________________
    Vera Noest
    MCSE, CCEA, Microsoft MVP - Terminal Server
    TS troubleshooting: http://ts.veranoest.net
    ___ please respond in newsgroup, NOT by private email ___

    "Fawke101" <guyNO.hockingSPAM@utilizePLEASE.co.uk> wrote on 16 aug
    2005 in microsoft.public.windows.terminal_services:

    > Hello All,
    >
    > Having a real strange one involving Terminal Server / Citrix.
    >
    > I am trying to prevent access to ALL DRIVES in My Computer/when
    > opening apps for everyone who accesses the Server apart from
    > administrator. I would usually apply this to a group of users in
    > an OU, however the design of our AD does not permit us to do
    > this - as it would disable their local drives as well as the TS
    > login.
    >
    > I have done the following to attempt to achieve the above:
    >
    > Created New OU
    > Moved the SERVER into the OU in AD
    > Created a Policy for the OU
    > Amended Security so it did not apply to Domain Admins
    > Edited the GP in User Configuration >> Windows Explorer >> Hide
    > Drives In My Computer >> Enabled Restrict All Drives
    >
    > Ran GPUPDATE (and subsequently rebooted) on server concerned.
    >
    > When logging onto the server the drives STILL appear.
    > All users are local admins of the server (need to run certain
    > apps that portray this), but why aren't the drives hidden as
    > they should be? Am I doing something wrong?
    >
    > Any help MUCH appreciated
  2.

    There is another GPO setting called "Prevent access to drives" that lets you
    choose to actually stop access to certain drives. I set mine to prevent
    access to A through D drives.

    Gregg Hill


    "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
    news:Xns96B4D286F29FFveranoesthemutforsse@207.46.248.16...
    > You've got it *nearly* right. Only thing you have to do is to use
    > "loopback processing" of the GPO:
    >
    > 260370 - How to Apply Group Policy Objects to Terminal Services
    > Servers
    > http://support.microsoft.com/?kbid=260370
    >
    > 231287 - Loopback Processing of Group Policy
    > http://support.microsoft.com/?kbid=231287
    >
    > One more comment: hiding drives is only a cosmetic thing. It does
    > *not* give you any extra security whatsoever. It is really easy to
    > access all drives from within nearly every application, even with
    > this setting enforced.
    >
    > The real problem here is that you made your users local
    > Administrators! That should never be necessary to get an
    > application working. Your users will be able to install
    > applications from the Internet, reboot your server, etc.
    >
    > Make them normal users again, and download FileMon and RegMon from
    > http://www.sysinternals.com/. Run them as administrator (when no
    > user is connected), start a TS session as a normal user and try to
    > run the application.
    >
    > FileMon and RegMon will show you all "access denied" errors that
    > occur, so that you can give your users the necessary permissions on
    > a file-to-file or Registry subkey basis.
    >
    > _________________________________________________________
    > Vera Noest
    > MCSE, CCEA, Microsoft MVP - Terminal Server
    > TS troubleshooting: http://ts.veranoest.net
    > ___ please respond in newsgroup, NOT by private email ___
  3.

    You mean this one, I assume?
    User Configuration - Administrative Templates - Windows Components
    - Windows Explorer
    "Prevent access to drives from My Computer"

    Have you read the last part of the description:

    "Also, this setting does not prevent users from using programs to
    access local and network drives. And, it does not prevent them from
    using the Disk Management snap-in to view and change drive
    characteristics."

    Same method: security by obscurity. That has never worked. The only
    thing which you achieve with the above settings is that users
    cannot *click* their way into your system files, they have to use
    the keyboard in certain dialog boxes.
    Only thing which protects your drives is NTFS permissions on the
    file system.
    To make things worse, the original poster had made all users
    Administrators, which means that nothing can stop them.

    _________________________________________________________
    Vera Noest
    MCSE, CCEA, Microsoft MVP - Terminal Server
    TS troubleshooting: http://ts.veranoest.net
    ___ please respond in newsgroup, NOT by private email ___

    "Gregg Hill" <bogus@nowhere.com> wrote on 18 aug 2005 in
    microsoft.public.windows.terminal_services:

    > There is another GPO setting called "Prevent access to drives"
    > that lets you choose to actually stop access to certain drives.
    > I set mine to prevent access to A through D drives.
    >
    > Gregg Hill
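
The checks the replies above point to (loopback mode, the two Explorer drive policies, and who is a local administrator), as an added example that is not part of the original thread. It assumes PowerShell 5.1 or later on the terminal server and reads the registry values these policies write: `UserPolicyMode`, `NoDrives` and `NoViewOnDrive`.

```powershell
# Added example: read-only checks. Run in the affected user's session on the
# terminal server, because the Explorer policy values live in that user's HKCU hive.

# Turn an Explorer drive bitmask into letters: bit 0 = A, bit 1 = B, ... bit 25 = Z.
function ConvertFrom-DriveMask {
    param([int]$Mask)
    $letters = @(foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { [char](65 + $i) }
    })
    if ($letters.Count -gt 0) { -join $letters } else { '(none)' }
}

# 1. Loopback processing is a computer-side setting: 1 = Merge, 2 = Replace.
#    If it is absent, user settings in a GPO linked to the server's OU are not applied.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$loopback = if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'Not configured' }

# 2. "Hide these specified drives in My Computer" writes NoDrives;
#    "Prevent access to drives from My Computer" writes NoViewOnDrive.
$expKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$explorer = Get-ItemProperty -Path $expKey -ErrorAction SilentlyContinue
$hidden  = ConvertFrom-DriveMask ([int]$explorer.NoDrives)
$blocked = ConvertFrom-DriveMask ([int]$explorer.NoViewOnDrive)

# 3. Members of the local Administrators group (well-known SID S-1-5-32-544).
#    Ordinary TS users should not appear here.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name

[pscustomobject]@{
    LoopbackMode      = $loopback
    HiddenDrives      = $hidden
    BlockedInExplorer = $blocked
    LocalAdmins       = $admins -join ', '
} | Format-List
```

Both drive values only change what Explorer and the common dialogs show; whether a user can actually read or write a path is still decided by the NTFS permissions on it.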
  4.

    No, I had not read the caveat, and yes, all users as admins is just plain
    NUTS!

    Gregg Hill


    "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
    news:Xns96B6D3CC5AA31veranoesthemutforsse@207.46.248.16...
    > You mean this one, I assume?
    > User Configuration - Administrative Templates - Windows Components
    > - Windows Explorer
    > "Prevent access to drives from My Computer"
    >
    > Have you read the last part of the description:
    >
    > "Also, this setting does not prevent users from using programs to
    > access local and network drives. And, it does not prevent them from
    > using the Disk Management snap-in to view and change drive
    > characteristics."
    >
    > Same method: security by obscurity. That has never worked. The only
    > thing which you achieve with the above settings is that users
    > cannot *click* their way into your system files, they have to use
    > the keyboard in certain dialog boxes.
    > Only thing which protects your drives is NTFS permissions on the
    > file system.
    > To make things worse, the original poster had made all users
    > Administrators, which means that nothing can stop them.
    >
    > _________________________________________________________
    > Vera Noest
    > MCSE, CCEA, Microsoft MVP - Terminal Server
    > TS troubleshooting: http://ts.veranoest.net
    > ___ please respond in newsgroup, NOT by private email ___