When you access a file share in Windows and the conditions for access are not met, you are normally presented with a generic access denied message. It is actually possible to customize the error message to provide more meaningful and understandable output that aids with dynamic access control, rather than the simple "contact your network administrator," which will invariably result in a call to the service desk. However, there are a couple of limitations to this functionality.

First, it can only be activated on Windows-based file servers. File shares that are not fronted by the Windows operating system will not be able to use this method. You can, however, front access to network- or cloud-based storage through a Windows file server instance and use this method.

Default access denied error message

Second, you can only configure the customized access denied message on a device-by-device basis. This means that each file server can only have a single customized error message displayed. While you could set up separate departmental file shares on different file servers and then customize the messages on a share-by-share basis, this seems like a very inefficient method. It would be good if this functionality could be extended so that different shares could have different access messages.

Enabling the functionality

To customize this, you first need to ensure that File Server Resource Manager is installed on the file server instance. You do this by opening Server Manager and installing File Server Resource Manager from within the File Server role.

Add the File Server Resource Manager feature

Add supporting features

Once this is installed, you can now customize your error message in one of two ways on the file server end, both of which are detailed below. However, the configuration that is required on the client end must be done via Group Policy.

Customize via Group Policy Objects

In an Active Directory domain, the easiest way is to use GPOs to enable the functionality. The GPOs need to be applied in two places—on the file server and on the clients that will access the file server.

Navigate to the following settings in GPMC: Computer Configuration > Policies > Administrative Templates > System > Access-Denied Assistance

Set the policies described below.

Customize message for Access Denied errors

Customize message for access denied errors

This has a number of settings that should be self-explanatory. The first field, Display the following message to users who are denied access, allows you to customize the error message that you will display. There are a set of variables you can add to the text fields that may help you to form the most appropriate message. The available variables are:

  • [Original File Path] The original file path accessed by the user.
  • [Original File Path Folder] The parent folder of the original file path accessed by the user.
  • [Admin Email] The administrator email recipient list.
  • [Data Owner Email] The data owner's email recipient list.

The Enable users to request assistance check box enables the email functionality to help with dynamic access control.

The second field, Add the following text to the end of the email, allows you to put a suffix onto the emails that are sent regarding the access request.

For both the first and second text fields, a blank line on its own is not accepted as input. If you insert a carriage return and no other text, you will see the following error when trying to click OK.

Group Policy error No text was entered for this field. Make sure that you enter text

Fortunately, a simple way to enable spaced formatting is to use a single space as the line input instead.

The next section deals with email settings. You can configure a Folder Owner and File Server Administrator email recipient. You can also specify additional recipients as well.

Finally, you can choose whether to include device claims (device information) and/or user claims (user information) in the email. There's also the option to log the emails in the event log, which is useful for troubleshooting.

Link the configured GPO to the OUs where the file server and the clients that access the file server exist.

Enable access-denied assistance on the client for all file types

This second GPO setting simply needs to be set to Enabled. This setting is specifically for the client end and must be set directly via GPO or in the image. The clients must be at least Windows 8 or Server 2012 for this functionality to work.

Enable access denied assistance on client for all file types

Customize via File Server Resource Manager

The first set of GPO settings can, if you wish, be configured directly on the file server itself via File Server Resource Manager. Once installed, File Server Resource Manager can be run by opening Server Manager and choosing File Server Resource Manager from the Tools menu.

File Server Resource Manager in Server Manager

Once it launches, right-click File Server Resource Manager and choose Configure Options, as shown below.

Configuring options in File Server Resource Manager

On the Access-Denied Assistance tab, you can configure much the same set of options as specified in the GPO section.

FSRM options

Click the Configure email requests button to access the additional options mentioned in the GPO section.

Access-Denied Assistance Configure email request

Email configuration

One aspect that can only be configured directly from File Server Resource Manager is the email configuration. This should be done in addition to the GPO settings. The configuration is done on the Email Notifications tab.

Configuring FSRM email notifications

Note that the email settings currently require an open relay. There is no way to provide authentication settings within the FSRM console. In an ideal world, it would be better to allow an authenticated connection, but for now, if you can't use an open relay, there are a few options (whichever you choose, restrict the relay so that it only accepts mail from the file server's own address; an unrestricted open relay will quickly be abused for spam):

  • Configure a server in your domain with IIS, and make it an open relay. It can then forward the mail with an authenticated account to some other service.
  • Install a program like hmail and use it as the open relay to an authenticated account.
  • Configure an account in your own email system (if you have one) to not require authentication.

Once this is configured, you can click the Send Test Email button to verify that everything is working correctly for dynamic access control.
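The same Access-Denied Assistance options covered in the GPO section and the FSRM section can be set from PowerShell with the FileServerResourceManager module. This is an added example, not code from the 4sysops post; it assumes the FSRM role service is installed, that it runs elevated on the file server, and that the host names, addresses and server name used are placeholders you replace with your own.

```powershell
# Added example (not from the 4sysops post): configure Access-Denied Assistance
# on a Windows file server with the FileServerResourceManager module instead of
# the GUI. Assumes FSRM is installed and this runs elevated on the file server.
# All mail addresses and host names below are placeholders.
Import-Module FileServerResourceManager

# The post notes that the Group Policy editor rejects a blank line and that a
# single space works instead. This helper applies the same workaround before
# the text is handed to the cmdlet (assumption: keeping the cmdlet path
# consistent with what the GUI accepts; the cmdlet itself may not need it).
function ConvertTo-AdaMessage {
    param([Parameter(Mandatory)][string]$Text)
    $lines = $Text -split "`r?`n" | ForEach-Object { if ($_ -eq '') { ' ' } else { $_ } }
    return ($lines -join "`r`n")
}

$display = ConvertTo-AdaMessage @'
You do not have permission to open [Original File Path].

Use "Request assistance" to email the owner of [Original File Path Folder],
or contact [Admin Email] if the owner does not respond.
'@

$emailSuffix = ConvertTo-AdaMessage @'

This request was generated by Access-Denied Assistance on FILESERVER01 (placeholder).
'@

# Enable assistance, set the user-facing text, and allow "request assistance"
# emails to the folder owner with the file server administrator on CC.
Set-FsrmAdaSetting -Enabled $true `
    -DisplayMessage $display `
    -EmailMessage $emailSuffix `
    -AllowRequests $true `
    -MailToOwner $true `
    -MailCCAdmin $true `
    -IncludeDeviceClaims $true `
    -IncludeUserClaims $true `
    -EventLog $true

# SMTP settings live in the global FSRM options (the Email Notifications tab).
# FSRM offers no SMTP authentication, so the relay named here should only
# accept connections from this file server's address.
Set-FsrmSetting -SmtpServer 'smtp.example.internal' `
    -FromEmailAddress 'fsrm@example.internal' `
    -AdminEmailAddress 'fileadmins@example.internal'

# Same check as the "Send Test Email" button, then show the effective settings.
Send-FsrmTestEmail -ToEmailAddress 'fileadmins@example.internal'
Get-FsrmAdaSetting | Format-List Enabled, AllowRequests, MailToOwner, MailCCAdmin, DisplayMessage
```

The client-side policy (Enable access-denied assistance on client for all file types) still has to be delivered via Group Policy as described above; this script only covers the file server end.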

Testing

Once the server and client are configured in this way, you can try setting up a file share and denying your test user access so you can see what the custom error message looks like.
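One way to build that test share and deny a single user through an explicit NTFS Deny ACE, as an added example that is not part of the original post. The path D:\Shares\ADATest, the share name ADATest and the account CONTOSO\testuser are placeholders; the script assumes it runs elevated on the file server.

```powershell
# Added example (not from the post): create a test share and deny one test
# user so the custom access denied message can be observed from a configured
# Windows 8 / Server 2012 or later client. Path, share name and account are
# placeholders.
$path  = 'D:\Shares\ADATest'
$share = 'ADATest'
$user  = 'CONTOSO\testuser'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share-level permission stays permissive (Everyone: Read) so that the
# denial the test user hits comes from the NTFS ACL set below.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path -ReadAccess 'Everyone' | Out-Null
}

# Explicit NTFS Deny ACE for the test user, inherited by files and subfolders.
$acl  = Get-Acl -Path $path
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $user, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm the Deny ACE is in place before opening \\<server>\ADATest as the
# test user from the client and checking the message that is displayed.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $user } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

Remove the test share and folder again once you have confirmed the message and the "Request assistance" email, so the Deny ACE does not linger on a production server.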

Custom error message for access denied

Hopefully, you can configure this custom error message so that your users can contact the folder owner and/or file server administrator to provide access without them having to generate helpdesk calls.

1 Comment
  1. Surender Kumar (Rank 4) 12 months ago

    It seems like a small thing but could be a very useful trick. Thank you for sharing.

© 4sysops 2006 - 2023