Restricting Admin Rights Causing Broken Permissions?
-
Friday, November 09, 2012 7:23 PM
Our environment in the past has allowed a number of users administrative access to their local workstations, who do not need such access. We have begun the task of restricting admin rights to these workstations using GPO.
We applied a GPO with the "BUILTIN\Administrators" and "BUILTIN\Remote Desktop Users" groups populated with NT Workstation Admin, Domain Admins, Administrator, and a few other IT related accounts. All other accounts are members of "Domain Users" and this group is listed as a member of "Standard Users" on the local workstations.
When the standard user logs in, they can't access anything at all. Computer gives "Access Denied." "My Documents" and all network drives are not accessible and they can't launch programs. It appears that removing them from the "Administrators" group has effectively broken security permissions. What would cause this and how can we remedy this situation?
Thanks
Brad
All Replies
-
Sunday, November 11, 2012 12:50 AM
Hi Brad, it sounds like you have not set the actual permissions for the user accounts. Are all of the user accounts under the OU?
Mark D. Albin IT Master Services www.itmasterservice.com (775) 229-4254
-
Monday, November 12, 2012 2:02 PM
The problem PC resides in an OU "Domain>Client Machines>Restricted Admin" and the users are in "Domain>Users"
The GPO to restrict administrative rights is placed in "Domain>Client Machines>Restricted Admin" and is configured as follows:
Computer Configuration>Policies>Windows Settings>Restricted Groups>BUILTIN\Administrators: (Users specified as having admin rights)
I have confirmed that the GPO has been applied by viewing Computer Management on the specified machine and verifying that the users set in the GPO are indeed the only ones listed under "Local Users and Groups\Groups\Administrators."
Every other user account (that should NOT have admin rights) is a member of the Active Directory domain group "Domain Users." I have also verified that the active directory group "Domain Users" is listed on the local workstation under "Local Users and Groups\Groups\Users."
I hope that answers your question. Any suggestions?
Brad
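The post above verifies the Restricted Groups result by hand in Computer Management. The following PowerShell script is an added example, not code from the thread or from Microsoft, that does the same check on a workstation: it reads the local Administrators group through the WinNT ADSI provider (which exists on Windows 7, where Get-LocalGroupMember does not) and reports members that are not on the list the policy is supposed to enforce. The domain name and expected member names are placeholders.

```powershell
# Added example (not from the thread): audit local Administrators membership
# against the set a Restricted Groups policy is expected to enforce.
# DOMAIN and the member names below are placeholders; adjust to your environment.
$Expected = @(
    'DOMAIN\NT Workstation Admin',
    'DOMAIN\Domain Admins',
    'Administrator'
)

function Get-LocalGroupMembership {
    param(
        [string]$Group    = 'Administrators',
        [string]$Computer = $env:COMPUTERNAME
    )
    # WinNT provider: works without the LocalAccounts module (PowerShell 5.1+).
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($grp.Invoke('Members'))) {
        # Each member is a COM object; pull its ADsPath via late binding.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://COMPUTER/name;
        # normalise to DOMAIN\name, and local accounts to just their name.
        $norm = ($path -replace '^WinNT://', '') -replace '/', '\'
        if ($norm -like "$Computer\*") { $norm = $norm.Substring($Computer.Length + 1) }
        $norm
    }
}

function Compare-AdminMembership {
    param([string[]]$ExpectedMembers, [string[]]$ActualMembers)
    # -notcontains is case-insensitive, which matches how Windows treats names.
    [pscustomobject]@{
        Unexpected = @($ActualMembers   | Where-Object { $ExpectedMembers -notcontains $_ })
        Missing    = @($ExpectedMembers | Where-Object { $ActualMembers   -notcontains $_ })
    }
}

$actual = @(Get-LocalGroupMembership -Group 'Administrators')
$result = Compare-AdminMembership -ExpectedMembers $Expected -ActualMembers $actual

"Local Administrators on $env:COMPUTERNAME:"
$actual | ForEach-Object { "  $_" }
if ($result.Unexpected) { "Unexpected members (policy not applied or tampered): $($result.Unexpected -join ', ')" }
if ($result.Missing)    { "Expected but absent: $($result.Missing -join ', ')" }
if (-not $result.Unexpected -and -not $result.Missing) { "Membership matches the expected list." }
```

Run it elevated on the target workstation after `gpupdate /force`; a non-empty "Unexpected" list means the Restricted Groups policy did not take effect on that machine (wrong OU, blocked inheritance, or a later policy re-adding members), which is the first thing to rule out before looking at profile or file permissions.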
-
Monday, November 12, 2012 5:25 PM
The user receives the following message when trying to open explorer (Computer, Documents, etc):
"windows cannot access the specified device path or file you may not have appropriate permissions" EXPLORER.EXE
The user also cannot open Microsoft Lync.
The issue goes away if I remove the GPO restricting admin rights, and returns if I re-apply the GPO.
Brad
-
Tuesday, November 13, 2012 5:56 AM
Moderator
Hi,
I would like to suggest you refer to the Knowledge Base article about "Error: Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item":
http://support.microsoft.com/kb/2669244
Hope it helps.
Regards.
Spencer
TechNet Community Support
-
Tuesday, November 13, 2012 2:37 PM
Thanks for that generic response... Obviously the user doesn't have permissions to access the item. I need to know why. What is causing a previously administrative account to not have basic access permissions when they are converted to a standard user?
I know that the profile is not corrupt because, as stated before, if the domain account is given its admin privileges back, operation returns to normal.
Brad
-
Wednesday, November 14, 2012 8:17 PM
I wanted to provide some further information to this issue in hopes that someone has some insight.
We have a virtual machine that we use to build our Windows 7 images and we have been testing different scenarios using snapshots.
If we restore a user profile (captured from another PC) to our Windows 7 test machine, BEFORE that test machine has ever been sysprepped, and restrict admin rights on that user account, everything works perfectly. However, if we sysprep the machine, re-join it to the domain, restore the user profile and restrict admin rights, the user is no longer able to access anything.
What would sysprep be changing that would cause this behavior?
Brad
-
Thursday, December 06, 2012 10:35 PM
Bump. Any suggestions?
Brad
-
Tuesday, January 22, 2013 6:51 PM
Does anyone have any insight?
Brad
-
Tuesday, February 05, 2013 10:18 PM
I wanted to update this post with some further troubleshooting information.
We decided that we would follow the Microsoft recommended steps to recreate a corrupt profile. Copying folders and files from the corrupt user profile folder to the newly created profile folder yielded some promising results.
I discovered that everything was fine until I copied the file "usrclass.dat" located in "C:\users\user_name\appdata\local\microsoft\windows\". This file is apparently a registry hive, so I loaded the hive under an administrator account into the registry and checked permissions. The hive had "administrators" listed as having access, but not the specific user account that I was having problems with - which would explain why the user account would function correctly with administrator privileges and not without. I granted access to the specific user and everything appears to be functioning properly.
Is there a way to give specific access to this hive per user globally? GPO?
Brad
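The fix described in the last post (load UsrClass.dat as a hive, inspect its key ACL, grant the profile owner access) was done by hand in Regedit. The script below is an added example, not code from the thread or from Microsoft, that performs the same audit and optional repair from PowerShell so it can be run across a batch of profiles: it mounts the hive with `reg.exe load`, reports the root key's ACEs, and, with `-Fix`, adds a Full Control ACE for the user on the root key and every subkey (subkeys carry their own ACLs, so fixing only the root is not enough). The profile path, account name and temporary mount name are placeholders; it must run elevated while the user is logged off, because a loaded hive cannot be mounted a second time.

```powershell
# Added example (not from the thread): audit and optionally repair the key
# ACLs inside a user's UsrClass.dat hive. Run elevated with the user logged off.
param(
    [string]$ProfilePath = 'C:\Users\user_name',     # placeholder
    [string]$Account     = 'DOMAIN\user_name',       # placeholder
    [switch]$Fix
)

$hiveFile = Join-Path $ProfilePath 'AppData\Local\Microsoft\Windows\UsrClass.dat'
$mountKey = 'TempUsrClass'                           # constructed mount name
$mountRef = "HKU\$mountKey"                          # form reg.exe expects
$mountPS  = "Registry::HKEY_USERS\$mountKey"         # form Get-Acl expects

if (-not (Test-Path -LiteralPath $hiveFile)) { throw "Hive not found: $hiveFile" }

# The NTFS ACL on the file itself also has to grant the user access; show it.
"NTFS ACEs on $hiveFile"
(Get-Acl -LiteralPath $hiveFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Mount the hive under HKEY_USERS so its key ACLs can be inspected.
& reg.exe load $mountRef $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed (hive in use? user still logged on?)" }

try {
    $rootAcl = Get-Acl -Path $mountPS
    "Registry ACEs on hive root:"
    $rootAcl.Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

    # Does the user already hold an Allow ACE with Full Control on the root?
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $hasFull = @($rootAcl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }).Count -gt 0

    if ($hasFull) {
        "$Account already has Full Control on the hive root."
    }
    elseif (-not $Fix) {
        "$Account is MISSING from the hive root ACL. Re-run with -Fix to repair."
    }
    else {
        # Full Control, inheritable by subkeys; equivalent to the manual Regedit grant.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Account, $full,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)

        # Root key plus every subkey: each key in a hive has its own DACL, and
        # an inherited ACE added at the root is not propagated to existing keys
        # until they are rewritten, so apply the rule explicitly all the way down.
        $keys = @(Get-Item -Path $mountPS) +
                @(Get-ChildItem -Path $mountPS -Recurse -ErrorAction SilentlyContinue)
        $done = 0; $failed = 0
        foreach ($k in $keys) {
            try {
                $acl = Get-Acl -Path $k.PSPath
                $acl.AddAccessRule($rule)
                Set-Acl -Path $k.PSPath -AclObject $acl
                $done++
            }
            catch { $failed++ }   # keys even Administrators cannot open (rare)
        }
        "Granted Full Control to $Account on $done key(s); $failed key(s) could not be updated."
    }
}
finally {
    # Drop PowerShell's open RegistryKey handles, otherwise the unload fails.
    $rootAcl = $null; $keys = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mountRef | Out-Null
}
```

Usage: `.\Check-UsrClassAcl.ps1 -ProfilePath 'C:\Users\jdoe' -Account 'CONTOSO\jdoe'` reports only; add `-Fix` to repair. Because Administrators keep Full Control on the hive while the owning user does not, the audit reproduces exactly the symptom in the thread: the same profile works with admin rights and fails once they are removed. The script does not answer the question of a domain-wide fix, which the thread leaves open; it is a per-profile check that can be looped over profile directories on a machine.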