Latest posts by Timothy Warner (see all)
- Where did the native NAT switch go in Windows 10 1607? - Fri, Aug 26 2016
- Microsoft Enhanced Security Administrative Environment (ESAE) - Fri, Aug 19 2016
- Use Datadog to monitor Azure Resource Manager - Tue, Aug 9 2016
Access-Denied Assistance is a new role service of the File Server role in Windows Server 2012. The technology is intended to make it easier for both users and administrators to resolve permissions problems with shared file resources. For instance, consider the following all-too-familiar conversation between an end user and his systems admin:
User: Can you please help me? I need to open an important marketing report and it says “access denied.”
Sys Admin: Where is the file?
Sys Admin: How are you trying to access the file?
User: I have no idea. I just go to my H: drive and the file is there.
Sys Admin: What is the name of the file?
User: How do I find that out?
Sys Admin: Sigh…
To make use of Access-Denied Assistance, we must fir connect to each of our Windows Server 2012 file servers and install the File Server and File Server Resource Manager role services of the File and Storage Services role:
We need to install the prerequisites for Access-Denied Assistance.
Because Access-Denied Assistance relies up on e-mail notifications, we also need to configure each relevant file server with a Simple Mail Transfer Protocol (SMTP) server address. Let’s do that quickly with Windows PowerShell:
Set-FSRMSetting -SMTPServer “mailserver.nuggetlab.com” -AdminEmailAddress “firstname.lastname@example.org” -FromEmailAddress “email@example.com”
It’s important to perform as much front-end configuration on your file servers as possible, because a we’ll see in a moment, Group Policy takes over Access Denied settings in each server’s local instance of File Server Resource Manager (FSRM).
Creating the policy ^
You can enable Access-Denied Assistance either on a per-server basis or centrally via Group Policy. To my mind, the latter approach is infinitely preferable from an administration standpoint.
Create a new GPO and make sure to target the GPO at your file servers’ Active Directory computer accounts as well as those of your AD client computers. In the Group Policy Object Editor, we are looking for the following path to configure Access-Denied Assistance:
\Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance
I show you the Group Policy path in Figure 2.
We should use Group Policy to configure Access-Denied Assistance.
The Customize message for Access Denied errors policy, shown in the screenshot brlow, enables us to create the actual message box shown to users when they access a shared file to which their user account has no access.
We can create a custom, personalized Access Denied message for our AD users.
What’s cool about this policy is that we can “personalize” the e-mail notifications to give us administrators (and, optionally, file owners) the details they need to resolve the permissions issue quickly and easily.
For instance, we can insert pre-defined macros to swap in the full path to the target file, the administrator e-mail address, and so forth. See this example:
Whoops! It looks like you’re having trouble accessing [Original File Path]. Please click Request Assistance to send [Admin Email] a help request e-mail message. Thanks!
You should find that your users prefer these human-readable, informative error messages to the cryptic, non-descript error dialogs they are accustomed to dealing with.
The Enable access-denied assistance on client for all file types policy should be enabled to force client computers to participate in Access-Denied Assistance. Again, you must make sure to target your GPO scope accordingly to “hit” your domain workstations as well as your Windows Server 2012 file servers.
Testing the configuration ^
This should come as no surprise to you, but Access-Denied Assistance works only with Windows Server 2012 and Windows 8 computers. More specifically, you must enable the Desktop Experience feature on your servers to see Access-Denied Assistance messages on server computers.
When a Windows 8 client computer attempts to open a file to which the user has no access, the custom Access-Denied Assistance message should appear:
The custom Access-Denied Assistance message box.
If the user clicks Request Assistance in the Network Access dialog box, they see a secondary message:
The user is prompted to specify details of their help request.
At the end of this process, the administrator(s) will receive an e-mail message that contains the key information they need in order to resolve the access problem:
- The user’s Active Directory identity
- The full path to the problematic file
- A user-generated explanation of the problem
So that’s it, friends! Access-Denied Assistance presents Windows systems administrators with an easy-to-manage method for more efficiently resolving user access problems on shared file system resources. Of course, the key caveat is that your file servers must run Windows Server 2012 and your client devices must run Windows 8, but other than that, this is a great technology that should save admins extra work and end-users extra headaches.