Background
We have taken over a Windows Domain from a previous support company. The company had implemented a proprietary desktop lockdown system (i.e. not Group Policy) to achieve certain goals, such as:
- preventing access to registry
- preventing access to command line
- redirecting UserShellFolders (user Desktop, user Start Menu etc.) to a shared network location
As part of their lockdown system, all users logging on to PCs were added to the local machine (builtin) Administrators group, which we consider to be poor practice, especially for preventing the propagation of viruses and general security of the network.
I have removed their lockdown system, and replicated many of the configurations made by this proprietary system using Group Policy, including removing local administrator rights from Domain Users. (This was done using Group Policy Restricted Groups.)
The problem
Since doing this, the following happens.
Whilst users are able to access their mapped drives...
- if a user enters the UNC path to such a mapped drive in Windows Explorer, they get an error message
- Likewise, icons on their redirected desktops that point to network locations don't work. When double-clicking on an icon, nothing happens.
Here's the error when entering a UNC path into Explorer:
Sure enough, if I make the user a member of the local Administrators group, there's no error.
As part of my testing I enabled the Group Policy (User) setting: "Remove Run menu from Start Menu", as from previous experience I know this also prevents browsing UNC paths. (Yes, this does seem a strange side-effect of this setting, but it's documented in GPO.) Doing the above gives me a subtly different error when I enter the UNC path:
I've also noticed that both of these errors happen even if you enter a network path that doesn't exist.
Because of the above point, and because the local machine (Builtin) Administrators group is completely unrelated to the domain SIDs applied to the shares in question, I conclude that it's not related to NTFS permissions or share permissions on the server share itself.
Given it seems to be a local machine policy issue, I've checked the local security policy and there are no related items set there. Likewise I've run a resultant set of policy to ensure that there are no other domain GPOs applying that I was unaware of.
Could it be UAC related?
EDIT: I checked this SE post about unhiding the network icon. No luck: