# Permission or Security problems



## renfri (Dec 5, 2008)

We have a 2003 Windows Server Small Business & a 2003 Windows Server Terminal Server. We use terminal services with some Group Policies. We are trying to run a new program that is web-based using the internet with a TN3270 Emulator and .NET Framework 2.0. It will run the program with administrator logged on but will not run under the actual user. The user is set up with admin rights & the files that are being used show that user has permissions to run. I have checked everything & can't find it. I am thinking that there must be a .NET Group Policy or something along that line stopping it but I can't find it. Any help would be greatly appreciated!!!!


----------



## aasimenator (Dec 21, 2008)

Check the NTFS permissions for the program you want to run. The Users should have Read/Write/Modify permission on the folder where the application is installed. Also, if you're using terminal server to log in the users to use that application, then the user must have access to log on to the terminal server. You can find this option under Active Directory Users & Computers.


----------



## renfri (Dec 5, 2008)

I checked under Active Directory Users & it showed that user as a member of Administrators, Domain Users, Office Folder Users, & Performance Monitor Users. The Administrators did not have full control so I changed that. I changed ownership from Domain Users to Administrators. The Primary group is set up as Domain Users & I can't change that to Administrators. I know this is the least security wins so I don't know if I need to delete some of these & what it would affect. I just went in & checked the changes I made yesterday & they are back to the original setup. I am making the changes under Administrator sign-on & they will not stay. I think I have other issues also.


----------



## aasimenator (Dec 21, 2008)

Check what the administrator user is a member of: Domain Admins, Enterprise Admins & Administrators.

Open the Group Policy Object & check what policies are in place that reflect terminal service / application from running under normal user.

P.S. Are you signing in using the domain / local administrator? Please make sure you're using your domain account & not the local administrator's account.


----------



## renfri (Dec 5, 2008)

Administrator is a member of Built-in accts of Administrators & Backup Operators. Also the User accts of Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins, & Mobile Users-MyBusiness/Security Groups.
Domain Admins is a member of Built-in Administrators, Users are Offer Remote Assistant Helpers & Usage Report Users-My Business/Security Groups.
Enterprise Admin is a member of Built-in Administrators.
The GPO that I think applies to this is the Server Lockdown. That is where it as that the one that has Prevent IIS Registration enabled. If I go into it to change it, it shows that it is not set up & I can't change it. The users that the GPO is attached to are Authenticated Users, Domain Admins, Enterprise Admins, & System. This is also the GPO that refers to Terminal services. I am sure that I am logged on to the Domain account. If I am signed in as Administrator & change administrator to have full control under the Security tab of a user through Active Directory, the change will not take. Also, if I delete some files on the hard drive signed in as Administrator, it appears that it deletes them but then they reappear & administrator is denied access. I think our system is really screwed up. Any ideas on that one? We are getting a new network & I will start from scratch so hopefully it corrects itself but I would like to figure out what is going on!


----------

