Error messages in Windows are notorious for being especially unhelpful and uninformative, but Microsoft has set out to address this issue when users try to open a file or folder to which they don’t have sufficient access permissions. Access Denied Remediation (ADR), also known or as Access Denied Assistance, can be enabled on Windows Server 2012 file servers and allows organizations to configure customized access denied messages for Windows 8 users, including the ability to alert an administrator or the resource owner for further assistance. Today I will show you how to enable and configure this feature on Windows Server 2012 for your users.
One of the biggest problems associated with access denied messages is that to resolve the issue IT admins need to know the exact file or folder path, meaning that the administrator either has to search for the resource or walk the user through discovering the file path. Access Denied Remediation not only helps the user get a solution to the problem faster, but it also allows IT admins to respond more quickly.
While File and Print Services is installed on Windows Server by default, to manage advanced features of the role you’ll need to install the File Server Resource Manager (FSRM):
Note here that the –includeManagementTools parameter is optional. If you choose to omit it, you won’t be able to access the GUI File Server Resource Manager tool.
FSRM needs an SMTP server address to which it can forward error messages when users request help via email. Optionally, you can set a generic admin email to which all messages can be copied. In the PowerShell window, type:
Replace the value of the –SMTPServer, –AdminEmailAddress and -FromEmailAddress parameters with the relevant information for your organization.
Now we need to enable Access Denied Remediation. In the PowerShell prompt, type:
Set-FSRMAdrSetting -Event AccessDenied –DisplayMessage “Access to [Original File Path] has been denied.” -Enabled -AllowRequests -EmailMessage “Access to resource is denied. You can email [Admin Email] a request for permission to access the file.” -MailToOwner -MailCCAdmin -MailTo [email protected]
The –MailCCAdmin parameter copies the email to the FSRM admin email address that we configured separately in the previous step. The –MailToOwner parameter copies the email to the designated owner of the data resource.
In the command line, I used a couple of macros: [Original File Path] and [Admin Email]. These are essentially predefined variables that allow you to customize the message according to the situation. [Original File Path] displays the file path that the user was trying to access in the message body, and [Admin Email] shows the admin email address configured in FSRM. There are two other macros that you can use: [Original File Path Folder] displays the parent folder of the file path that the user wanted to access, and [Data Owner Email] shows the recipient list configured for the file resource.
Before users will see ADR messages, you need to enable ADR for all file types on Windows 8 using Group Policy. The Access-Denied Assistance Group Policy settings also allow you configure ADR on Windows Server 2012. So if you have multiple file servers, this method may be preferable to using PowerShell or the FSRM management console.
The following steps are optional if you decide to configure ADR on Windows Server 2012 using Group Policy. Edit the Group Policy Object created above and add the necessary server-side configuration:
You can either wait for Group Policy to refresh on your file servers, or run gpupdate from the command line to force a refresh.
Now, when a Windows 8 user tries to access a file resource they don’t have permission to access, your customized dialog will appear instead of Microsoft’s generic access denied message.
Additionally, if you allow users to request assistance in your ADR configuration, they’ll see the following dialog so that they can send a personalized message.