Enable and Configure Access Denied Remediation (ADR) in Windows Server 2012

Error messages in Windows are notorious for being especially unhelpful and uninformative, but Microsoft has set out to address this issue when users try to open a file or folder to which they don’t have sufficient access permissions. Access Denied Remediation (ADR), also known as Access Denied Assistance, can be enabled on Windows Server 2012 file servers and allows organizations to configure customized access denied messages for Windows 8 users, including the ability to alert an administrator or the resource owner for further assistance. Today I will show you how to enable and configure this feature on Windows Server 2012 for your users.

Help for IT administrators and Users

One of the biggest problems associated with access denied messages is that to resolve the issue IT admins need to know the exact file or folder path, meaning that the administrator either has to search for the resource or walk the user through discovering the file path. Access Denied Remediation not only helps the user get a solution to the problem faster, but it also allows IT admins to respond more quickly.

Install File Server Resource Manager (FSRM)

While File and Print Services is installed on Windows Server by default, to manage advanced features of the role you’ll need to install the File Server Resource Manager (FSRM):

  • Log on to Windows Server 2012 as a local administrator.
  • Right-click the PowerShell icon on the desktop Taskbar and select Run as Administrator from the menu. Click Yes in the UAC prompt.
  • In the PowerShell window, type Add-WindowsFeature FS-Resource-Manager -includeManagementTools and press Enter.
  • Restart the server if prompted.

Note here that the -includeManagementTools parameter is optional. If you choose to omit it, you won’t be able to access the GUI File Server Resource Manager tool.

Configure the SMTP Server in FSRM

FSRM needs an SMTP server address to which it can forward error messages when users request help via email. Optionally, you can set a generic admin email to which all messages can be copied. In the PowerShell window, type:

Set-FSRMSetting -SMTPServer "mail.contoso.com" -AdminEmailAddress "[email protected]" -FromEmailAddress "[email protected]"

Replace the value of the -SMTPServer, -AdminEmailAddress and -FromEmailAddress parameters with the relevant information for your organization.

Enable Access Denied Remediation (ADR)

Now we need to enable Access Denied Remediation. In the PowerShell prompt, type:

Set-FSRMAdrSetting -Event AccessDenied -DisplayMessage "Access to [Original File Path] has been denied." -Enabled -AllowRequests -EmailMessage "Access to resource is denied. You can email [Admin Email] a request for permission to access the file." -MailToOwner -MailCCAdmin -MailTo [email protected]

The -MailCCAdmin parameter copies the email to the FSRM admin email address that we configured separately in the previous step. The -MailToOwner parameter copies the email to the designated owner of the data resource.

In the command line, I used a couple of macros: [Original File Path] and [Admin Email]. These are essentially predefined variables that allow you to customize the message according to the situation. [Original File Path] displays the file path that the user was trying to access in the message body, and [Admin Email] shows the admin email address configured in FSRM. There are two other macros that you can use: [Original File Path Folder] displays the parent folder of the file path that the user wanted to access, and [Data Owner Email] shows the recipient list configured for the file resource.
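
To confirm that the SMTP and ADR settings above took effect, the following read-only check can be run in an elevated PowerShell session on the file server. It is an added example, not part of the original article: the helper function Get-UnknownMacro and the wording of the findings are assumptions made for illustration, and the macro list is limited to the four macros named in this article.

```powershell
# Added example: read-only audit of the FSRM and ADR settings configured above.
Import-Module FileServerResourceManager

# The four macros this article names; any other [token] in a message is flagged.
$knownMacros = '[Original File Path]', '[Original File Path Folder]',
               '[Admin Email]', '[Data Owner Email]'

function Get-UnknownMacro {   # hypothetical helper, defined only for this example
    param([string]$Text)
    # Extract every [bracketed token] and keep those not in the known list.
    [regex]::Matches($Text, '\[[^\]]+\]') |
        ForEach-Object { $_.Value } |
        Where-Object { $knownMacros -notcontains $_ } |
        Select-Object -Unique
}

$findings = @()

$feature = Get-WindowsFeature -Name FS-Resource-Manager
if (-not $feature.Installed) { $findings += 'FS-Resource-Manager is not installed.' }

$fsrm = Get-FsrmSetting
if (-not $fsrm.SmtpServer)       { $findings += 'No SMTP server is set; request emails cannot be sent.' }
if (-not $fsrm.FromEmailAddress) { $findings += 'No From email address is set.' }

$adr = Get-FsrmAdrSetting -Event AccessDenied
if (-not $adr.Enabled) { $findings += 'ADR is not enabled for the AccessDenied event.' }
if ($adr.MailCCAdmin -and -not $fsrm.AdminEmailAddress) {
    $findings += 'MailCCAdmin is on, but no FSRM admin email address is configured.'
}
if ($adr.AllowRequests -and -not ($adr.MailToOwner -or $adr.MailCCAdmin -or $adr.MailTo)) {
    $findings += 'AllowRequests is on, but no recipient is configured for requests.'
}
foreach ($message in $adr.DisplayMessage, $adr.EmailMessage) {
    foreach ($macro in Get-UnknownMacro -Text $message) {
        $findings += "Message contains $macro, which is not one of the four macros listed in this article."
    }
}

# Show who receives access requests, then the findings.
$adr | Format-List Enabled, AllowRequests, MailToOwner, MailCCAdmin, MailTo, DisplayMessage
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The Format-List output shows at a glance which addresses receive access requests and exactly what text, including the requested file path, is shown to a user who has been denied access.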

Enable Access Denied Remediation for All File Types on Windows 8

Before users will see ADR messages, you need to enable ADR for all file types on Windows 8 using Group Policy. The Access-Denied Assistance Group Policy settings also allow you to configure ADR on Windows Server 2012, so if you have multiple file servers, this method may be preferable to using PowerShell or the FSRM management console.

  • Open Group Policy Management (GPMC) from the Tools menu in Server Manager.
  • In the left pane of GPMC, expand your forest and domain.
  • Right-click Group Policy Objects and select New from the menu.
  • Name the new GPO Access Denied Remediation and click OK in the New GPO dialog.
  • Select Group Policy Objects in the left pane of GPMC.
  • In the right pane, right-click the new Access Denied Remediation GPO and select Edit from the menu.

Access Denied Remediation: Create new GPO

  • In the Group Policy Management Editor window, expand Computer Configuration, Policies, Administrative Templates, System and click Access-Denied Assistance.
  • In the right pane, double-click Enable access-denied assistance on client for all file types.

Access Denied Remediation: Configure ADR settings in Group Policy

  • In the pop-up dialog box, click Enabled and then OK.
  • Close the Group Policy Management Editor window.
  • Back in the left pane of GPMC, right-click your domain and select Link an Existing GPO here from the menu.
  • In the Select GPO dialog, select Access Denied Remediation under Group Policy objects and click OK.
  • ADR will now be enabled on all devices in the domain the next time Group Policy refreshes on each device.

Configure Access Denied Remediation on Windows Server 2012 Using Group Policy

The following steps are optional if you decide to configure ADR on Windows Server 2012 using Group Policy. Edit the Group Policy Object created above and add the necessary server-side configuration:

  • In the left pane of GPMC, select Group Policy Objects.
  • Right-click the Access Denied Remediation GPO and select Edit from the menu.
  • In the Group Policy Management Editor window, expand Computer Configuration, Policies, Administrative Templates, System and click Access-Denied Assistance.
  • In the right pane, double-click Customize message for Access Denied errors.
  • In the pop-up dialog click Enabled.
  • Enter the required text and options. Click OK when you’re done.

Configure Access Denied Remediation settings in Group Policy

You can either wait for Group Policy to refresh on your file servers, or run gpupdate from the command line to force a refresh.

Access Denied Remediation Messaging

Now, when a Windows 8 user tries to access a file resource they don’t have permission to access, your customized dialog will appear instead of Microsoft’s generic access denied message.

Access Denied Remediation message

Additionally, if you allow users to request assistance in your ADR configuration, they’ll see the following dialog so that they can send a personalized message.

Access Denied Remediation request assistance dialog