What a mouthful! And the title really doesn’t do justice to the subject I want to write about.
For the last few hours I’ve been looking into a variety of issues with an old Windows 2003 server that acts as our backup domain controller (BDC).
This tenacious piece of hardware used to act as our primary domain controller and Exchange server until I “retired” it over a year ago.
Not one to put a workhorse out to pasture, I have made use of the stalwart as a point of entry for our users who want to dial in out of hours and run our bespoke applications.
This was all working fine until I set up a piece of software that runs from one of our other file servers.
Users connect to our network using a VPN client and then RDP to the server in question. Here they are given a handful of desktop short cuts to the applications they will need to make use of.
Running short cut prompts the user with an error message:
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.
Frustrating to say the least!
On investigation the user has full access to both the working folder and the executable file.
The file is not blocked by the operating system or the local software firewall.
The user is not a local administrator, this is a domain controller remember.
Finally, and most frustrating of all, Internet Explorer Enhanced Security Configuration is already turned off.
All of the above cover about 90% of the advice that my morning’s browsing has dredged up for my error.
As it turns out, the solution is far simpler than I had thought.
For whatever reason, the server in question is still using Internet Explorer’s security settings to govern how the operating system accesses files across the network.
Some of the sites offering me advice this morning suggested I add my file server to the “Local Intranet” sites in Internet Explorer’s security options. This didn’t work for me.
What did work for me was adding the file server to the “Trusted Zone” in Internet Explorer.
Why does the operating system rely on the security settings of a web browser I don’t even use? I do not know.
If you have the same problem then it is worth giving it a go.
- Open Internet Explorer. Just ignore any of the first time use messages you get, if like me you never use it. Amusingly enough it usually prompts me to tell me that enhanced security configuration is switched off.
- Click on Tools and then Internet Options. (To be fair you could just go straight to Internet Options in the Control Panel and avoid Internet Explorer altogether).
Click on Security and then the green tick for “Trusted Sites”.- Now click the “Sites” button.
Uncheck the “Require server verification (https:) for all sites in this zone”.- Add your file server to the list of websites with a prefix of file://. e.g. file://ArmaitusFileServer or file://10.0.0.633
- Close the “Trusted Sites” dialogue box.
Now click the “Custom level…” button.- Scroll down to find “Launching applications and unsafe files” under the “Miscellaneous” branch. Set it to “Enable”.
- Click OK, say Yes to confirm the change and then click OK again.
Network applications should now run fine.
The only real downside to this solution is that I have to perform these actions for every remote user… tedious to say the least.
Armaitus on... 
Just create GPO logon script and assign the changes when your clients acces via the VPN.
Good advice!