- Can’t uninstall app: Delete or change Windows apps that have been flagged as non-removable - Thu, Mar 16 2023
- FSLogix VHDX compaction: Resize virtual disks - Thu, Dec 1 2022
- Sysinternals Process Monitor: Real-time file system, registry, and process monitoring - Fri, Oct 28 2022
First, it can only be activated on Windows-based file servers. File shares that are not fronted by the Windows operating system will not be able to use this method. You can, however, front access to network- or cloud-based storage through a Windows file server instance and use this method.
Default access denied error message
Second, you can only configure the customized access denied message on a device-by-device basis. This means that each file server can only have a single customized error message displayed. While you could set up separate departmental file shares on different file servers and then customize the messages on a share-by-share basis, this seems like a very inefficient method. It would be good if this functionality could be extended so that different shares could have different access messages.
Enabling the functionality
To customize this, you first need to ensure that File Server Resource Manager is installed on the file server instance. You do this by opening Server Manager and installing File Server Resource Manager from within the File Server role.
Add the File Server Resource Manager feature
Add supporting features
Once this is installed, you can now customize your error message in one of two ways on the file server end, both of which are detailed below. However, the configuration that is required on the client end must be done via Group Policy.
Customize via Group Policy Objects
In an Active Directory domain, the easiest way is to use GPOs to enable the functionality. The GPOs need to be applied in two places—on the file server and on the clients that will access the file server.
Navigate to the following settings in GPMC: Computer Configuration > Policies > Administrative Templates > System > Access-Denied Assistance
Set the policies described below.
Customize message for Access Denied errors
Customize message for access denied errors
This has a number of settings that should be self-explanatory. The first field, Display the following message to users who are denied access, allows you to customize the error message that you will display. There are a set of variables you can add to the text fields that may help you to form the most appropriate message. The available variables are:
- [Original File Path] The original file path accessed by the user.
- [Original File Path Folder] The parent folder of the original file path accessed by the user.
- [Admin Email] The administrator email recipient list.
- [Data Owner Email] The data owner's email recipient list.
The Enable users to request assistance check box enables the email functionality to help with dynamic access control.
The second field, Add the following text to the end of the email, allows you to put a suffix onto the emails that are sent regarding the access request.
For both the first and second text fields, a blank line on its own is not accepted as input. If you insert a carriage return and no other text, you will see the following error when trying to click OK.
Group Policy error No text was entered for this field. Make sure that you enter text
Fortunately, a simple way to enable spaced formatting is to use a single space as the line input instead.
The next section deals with email settings. You can configure a Folder Owner and File Server Administrator email recipient. You can also specify additional recipients as well.
Finally, you can choose whether to include either device (device information) and/or user claims (user information) in the email. There's also the option to log the emails in the event logs, which is useful for troubleshooting.
Link the configured GPO to the OUs where the file server and the clients that access the file server exist.
Enable access-denied assistance on the client for all file types
This second GPO setting simply needs to be set to Enabled. This setting is specifically for the client end and must be set directly via GPO or in the image. The clients must be at least Windows 8 or Server 2012 for this functionality to work.
Enable access denied assitance on client for all file types
Customize via File Server Resource Manager
The first set of GPO settings can, if you wish, be configured directly on the file server itself via File Server Resource Manager. Once installed, File Server Resource Manager can be run by opening Server Manager and choosing File Server Resource Manager from the Tools menu.
File Server Resource Manager in Server Manager
Once it launches, right-click File Server Resource Manager and choose Configure Options, as shown below.
Configuring options in File Server Resource Manager
On the Access-Denied Assistance tab, you can configure much the same set of options as specified in the GPO section.
FSRM options
Click the Configure email requests button to access the additional options mentioned in the GPO section.
Accessed Denied Assistance Configure email request
Email configuration
One aspect that can only be configured directly from File Server Resource Manager is the email configuration. This should be done in addition to the GPO settings. The configuration is done on the Email Notifications tab.
Configuring FSRM email notifications
Note that the email settings currently require an open relay. There is no way to provide authentication settings within the FSRM console. In an ideal world, it would be better to allow an authenticated connection, but for now, if you can't use an open relay, there are a few options:
- Configure a server in your domain with IIS, and make it an open relay. It can then forward the mail with an authenticated account to some other service.
- Install a program like hmail and use it as the open relay to an authenticated account.
- Configure an account in your own email system (if you have one) to not require authentication.
Once this is configured, you can click the Send Test Email button to verify that everything is working correctly for dynamic access control.
Testing
Once the server and client are configured in this way, you can try setting up a file share and denying your test user access so you can see what the custom error message looks like.
Custom error message for access denied
Hopefully, you can configure this custom error message so that your users can contact the folder owner and/or file server administrator to provide access without them having to generate helpdesk calls.
It seems like a small thing but could be very useful trick. Thank you for sharing.