Re: GPO problems - Operation has been cancelled due to restrictions


From: Vera Noest [MVP] (vera.noest_at_remove-this.hem.utfors.se)
Date: 02/13/05


Date: Sun, 13 Feb 2005 14:11:27 -0800

If you read the "Explain" tab in the GPO editor, you will see that:

a) this is by design
b) this setting is not sufficient to protect your system. Users
will still be able to gain access to your disk, with various
applications.

I would configure the "Prevent access" GPO setting to only prevent
access to A, B and D (assuming that users don't need to read from
those disks) and use NTFS permissions on both C: and D:.
D: is easy (again assuming that users don't need to access the disk
at all): just remove the Everyone or Authenticated Users entry from
the ACL of the root of the disk. Make sure that SYSTEM and
Administrators *do* have full access!

C: is more complicated. You could use a pre-configured security
template. See:
How To Apply Group Policy and Security Templates with Windows
Server 2003
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/secmod129.mspx

If you want to set permissions "by hand", try this:
Start with the following permissions on %SystemDrive%,
%SystemRoot%, %ProgramFiles% and %SystemRoot%\system32:

System and Administrators - Full Control
Authenticated Users - Read & Execute

Make sure that users have only Read permissions on the following
registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Give write permissions to specific files, directories and registry
keys if it is needed to get specific applications to run.

To find out which files or registry keys must be writeable by the
users to make an application work under Terminal Services, download
FileMon and RegMon from http://www.sysinternals.com/. Run them as
administrator at the console, start a TS session as a normal user
and try to run the application.
 
FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions on
a file-by-file or Registry subkey basis.

 --
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
 --- please respond in newsgroup, NOT by private email ---

Nagesh <Nagesh@discussions.microsoft.com> wrote on
13 feb 2005 in microsoft.public.windows.terminal_services:

> I have applied a GPO for our Windows Server 2003 Terminal
> Servers OU to lock them down as per MS doc
> -(http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx).
> I have enabled both the "Hide Drives" and "Prevent
> Access to Drives" policies for A, B, C, and D drives. Once this is
> implemented however, when a user launches
> MS Excel/PowerPoint and tries to open a file, the following
> error is presented:
>
> "This operation has been cancelled due to restrictions in effect
> on this computer..."
>
> If I click OK and click on my computer, I can continue to work
> fine accessing all network drives and functions correctly. I
> can not access nor see the C: and D: drive, which is what I
> want. My question is, why does the error message pop up each
> time I launch Excel 2002/PowerPoint 2002/Outlook 2002, but not
> Word 2002?
>
> If I disable the "Prevent access to the drives" policy, it
> starts working again without any error messages. That however is
> not the best solution as users can then access the system drive
> (which I do not want to happen).
>
> Any help will be greatly appreciated.
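
The permission baseline described in the reply above (only SYSTEM and Administrators with more than Read & Execute on the system directories, and read-only access for users on the three Run keys) can be checked with a read-only audit. This is an added example, not part of the original thread; the function name Get-NonAdminWriteAce and the set of rights treated as "write" are assumptions of the example.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
# Well-known SIDs for SYSTEM and BUILTIN\Administrators (language independent).
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'

# Locations named in the post
$dirs = ($env:SystemDrive + '\'), $env:SystemRoot, $env:ProgramFiles,
        (Join-Path $env:SystemRoot 'system32')
$keys = 'Run', 'RunOnce', 'RunOnceEx' |
    ForEach-Object { "HKLM:\Software\Microsoft\Windows\CurrentVersion\$_" }

# Rights that let a principal change the object (assumption: this example's
# definition of "write"), plus GENERIC_WRITE and GENERIC_ALL, which show up
# as raw bits on inherit-only ACEs.
$generic = 0x40000000 -bor 0x10000000
$fsMask  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor $generic
$regMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor $generic

function Get-NonAdminWriteAce {
    param([string]$Path, [int]$Mask)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # e.g. RunOnceEx is often absent
    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited ACEs with identities expressed as SIDs
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $ace.FileSystemRights
        } else {
            $ace.RegistryRights
        }
        if (([int]$rights -band $Mask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @($dirs | ForEach-Object { Get-NonAdminWriteAce $_ $fsMask }) +
            @($keys | ForEach-Object { Get-NonAdminWriteAce $_ $regMask })
$findings | Format-Table -AutoSize
```

Each row is an Allow ACE that grants a principal other than SYSTEM or Administrators some form of write access; review it against the write access your applications actually need.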


