MICROSOFT 70-412: OBJECTIVE 2.2.3 – Perform access-denied remediation

If a user doesn’t have access to a network resource, a file server has not historically given the most user-friendly response: an Access Denied message and an OK button. OK? No, this is not okay for the user and we can do better.

One of the improvements in Server 2012 is Access-Denied Assistance. When a user tries to access a resource that they don’t have access to, they can receive a custom message that can explain WHY they don’t have access as well as who to contact for further help…. or even a Request Assistance button to save the user from typing out an email.

This can be configured individually using File Server Resource Manager or centrally using Group Policy.

Setting Access-Denied Assistance with File Server Resource Manager

  1. Open up File Server Resource Manager, right-click on local (or connect to another server first) and select Configure Options.
  2. On the dialog that opens, select the Access-Denied Assistance tab on top:
    Microsoft 70-412 Certification Exam Blueprint Walkthrough - Dynamic Access Controls - Perform access-denied remediation
  3. Check the box next to Enable access-denied assistance
  4. If desired, you can configure email requests by selecting the button toward the top:
    Microsoft 70-412 Certification Exam Blueprint Walkthrough - Dynamic Access Controls - Perform access-denied remediation
  5. Notice the item Generate an event log entry for each email sent. This is checked by default, and we can use it to look for (and remediate) access issues.

Setting up Access-Denied Assistance using Group Policy

  1. Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
  2. Right-click the appropriate Group Policy, and then click Edit.
  3. Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
  4. Right-click Customize message for Access Denied errors, and then click Edit.
  5. Select the Enabled option.
  6. Configure the following options:
    1. In the Display the following message to users who are denied access box, type a message that users will see when they are denied access to a file or folder.

      You can add variables customized text:

      • [Original File Path] The original file path that was accessed by the user.
      • [Original File Path Folder] The parent folder of the original file path that was accessed by the user.
      • [Admin Email] The administrator email recipient list.
      • [Data Owner Email] The data owner email recipient list.
    2. Select the Enable users to request assistance check box.
Advertisements

One comment

Comments are closed.