Giving TS user access to drives

Discussion in 'OT Technology' started by DigiCrime, Sep 26, 2008.

  1. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
    How do I give a ts user access to two hard drives in the server? I tried to add them via permissions in TS Configuration~> Properties but even so I still can't see the drives.
     
  2. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Are they using Remote Desktop or what?
     
  3. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Are the drives setup with the correct NTFS permissions?
     
  4. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
    remote desktop and ntfs perms im not sure I believe they have just default security like admin/system/user/someone else r/w/full control etc etc
     
  5. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
  6. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    Do you have a local policy or GPO set to hide the drive letters? This is common on terminal servers to keep users out of the local drives.
     
  7. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
    Im not sure I didnt set up the server but probably I re-created this at home on vmware and I can see the drives as a ts user so this must be the reason why i cant see them
     
  8. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    They are most likely hidden with a policy. That is usually why. I'm willing to bet a user can see them from a DOS window, for example.

    You can find more info on that policy here: http://support.microsoft.com/kb/231289

    BTW, the reason that policy is so common on terminal servers is security. Without it, users with full desktops can browse around and run exe's they probably shouldn't be. They still (hopefully) only have user access, but it's usually something you don't want happening. So be sure you actually want to remove it. A common work around to allow users to a specific folder on a TS is to use SUBST to create a new drive letter that is rooted in the folder you want them to have access to. For example, "SUBST S: C:\Program Files\MyDumbProgram\Data" will create an S: drive that can only see C:\Program Files\MyDumbProgram\Data and anything below that.

    SUBST is per user as well. You can put commands like that into the usrlogon.cmd file in system32. This runs whenever a TS users logs in.
     
    Last edited: Sep 29, 2008
  9. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
    good info, thanks
     
  10. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
    Ok not it group policy has nothing defined all default settings what else would block it
     
  11. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    If you go in as a user and open my computer you can't see C: for example, right? If not, if you type c:\ into the address bar do you get an error?

    It could also be in the local machine policy (you need to open MMC and add the group policy editor add-in, accepting the default location of local computer) and check it in there.
     
  12. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
    I created a new user and member of Domain Users and nothing else, and I can see the drives just fine. As the other user I get

    "Access to the resource "c:\" has been disallowed.

    I checked the MMC>group policy and Windows Settings>Local Policy looks about the same as the domain controller policy but which one is doing the blocking
     
  13. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Negative permissions override positive permissions. If the other user belongs to another usergroup that is denied access to the C:\ drive, then it doesn't matter if Domain Users are allowed access.
     
  14. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Download the Group Policy Management MMC and from there you can do a query on any computer with any user and identify which policies are being applied and from there what each setting is. It's actually a much better way of managing GP than the old way since you can see which GPs are associated with which OU in a tree format.
     
  15. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    Use the GP Management MMC like 5Gen suggested or run GPRESULT /USER UserNameGoesHere /scope user /v from the DOS prompt. If that user account has access to the command prompt, you can also use GPRESULT /scope user /v while logged in (in case you have a w2k level domain, which doesn't support RSOP out of the box).

    That permissions message is being generated as a result of a GPO. It will occur when either the hide drives policy is activated or the Disable Run policy, or both. They are common in a TS environment, but if the user has access to start/run, you know it's not that one.
     

Share This Page