Terminal Server and Egnyte Storage Sync

Issue

With Windows Server 2012 R2 and later, Microsoft moved from a user-based to a machine-based session model. Under this model Storage Sync version 10.3 and above mixes up user permissions when users access ELC shares from a Terminal Services server: all mapped drives to the device share one connection, so the permissions applied to every user's mapped drive reflect those of the last user who logged in, regardless of the permissions assigned in the cloud.

Solution

Each user who opens a session can be connected to what Windows treats as a "different" server by giving the Storage Sync device a per-user DNS alias. This needs only DNS and a simple logon script: a wildcard DNS A record is created for the Storage Sync device, and the logon script builds the server name from the %USERNAME% variable (for example \\jdoe.<ELC host name>.<domain>\ELC). Because Windows keeps a separate SMB connection per server name, each user's mapping becomes an isolated connection authenticated with that user's own credentials, and the Terminal Server establishes a separate connection to Storage Sync for every user.

Once the wildcard DNS record is in place, users who log into the server can be mapped to the share automatically by a logon script, delivered either through a Group Policy logon script or through the logon script setting on the AD user account. Both are described below.

Requirements

  • PowerShell version 4.0 or later
    • Open a command prompt and run:
      > powershell -version 4.0
    • If the command returns:
      Cannot start Windows PowerShell version 4.0 because it is not installed.

      PowerShell must be updated (install Windows Management Framework 4.0 or later) before continuing.

Note: Run this test on every Terminal Service Server.


Configure DNS

1.  Open your DNS Manager and expand your Domain's Forward Lookup Zones.

Screen_Shot_2017-05-12_at_6.36.15_PM.png

2.  Right click and select New Host (A or AAAA)...

Screen_Shot_2017-05-12_at_6.36.26_PM.png

3.  This record uses the host name and IP address of the ELC device to create a wildcard subdomain under the ELC device's host name. The name is relative to the zone, so entering *.<ELC Host name> in the zone <Domain> answers for any name ending in .<ELC Host name>.<Domain>:

  • Name (uses parent domain name if blank): *.<ELC Host name>
  • IP address: <ELC appliance IP>

Screen_Shot_2017-05-12_at_6.37.01_PM.png

  • Test the new record with nslookup, using a name of the form the logon script will generate (for example nslookup <any name>.<ELC Host name>.<Domain>); it must return the ELC appliance IP:

Screen_Shot_2017-05-12_at_7.12.47_PM.png
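The same DNS step done from PowerShell, as an added example that is not part of the original article or of Egnyte's own tooling. It creates the wildcard A record with the DnsServer RSAT module and then verifies that several sample per-user aliases resolve to the appliance. The zone name, appliance host name, appliance IP and sample user names are assumptions; replace them with your own values.

```powershell
# Added example (not from the Egnyte article): create the wildcard A record for the
# Storage Sync (ELC) device on a Windows DNS server and verify that per-user aliases resolve.
# All values below are assumptions; replace them with your own zone, host name and IP.
$ZoneName   = 'corp.example.com'   # assumption: the AD forward lookup zone
$ElcHost    = 'elc01'              # assumption: host name of the Storage Sync appliance
$ElcAddress = '10.0.0.50'          # assumption: IP address of the appliance

# The record name is relative to the zone: "*.elc01" in corp.example.com answers for
# anything.elc01.corp.example.com, which is what the logon script will ask for.
$RecordName = "*.$ElcHost"

# Requires the DnsServer module (RSAT); run on a DNS server or a host with RSAT installed.
Import-Module DnsServer

$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $RecordName -IPv4Address $ElcAddress
}
elseif ($existing.RecordData.IPv4Address.IPAddressToString -ne $ElcAddress) {
    # Refuse to silently overwrite a record that already points somewhere else.
    throw "Wildcard record $RecordName.$ZoneName already exists but points to $($existing.RecordData.IPv4Address); fix it before continuing."
}

# Verify with sample aliases (constructed names, plus the current user) in the exact form the
# logon script builds: <username>.<ELC host name>.<domain>. Each one must return the appliance IP.
foreach ($user in @('jdoe', 'asmith', $env:USERNAME)) {
    $fqdn   = "$user.$ElcHost.$ZoneName"
    $answer = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    if (@($answer.IPAddress) -notcontains $ElcAddress) {
        throw "$fqdn resolved to '$($answer.IPAddress)' instead of $ElcAddress"
    }
    Write-Output "$fqdn -> $ElcAddress OK"
}
```

Run it once per domain, not per Terminal Server; the nslookup check in the step above is the manual equivalent of the verification loop. Note that a per-user alias has no matching Kerberos service principal name on the appliance, so Windows will authenticate the alias connection with NTLM unless you register SPNs for it as well.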


Configuring the GPO and Logon Scripts

Refer to the following examples as one possible way of mapping user shares. Environments differ, so these steps may need to be adapted rather than followed exactly.

  1. Open your Group Policy Manager and click Create a GPO in this domain, and Link it here...

    Screen_Shot_2017-05-12_at_7.18.23_PM.png

  2. After this GPO is named and created right click the GPO and select Edit.
  3. Navigate to:
    • Computer Configuration > Policies > Administrative Templates > System > Group Policy

      Screen_Shot_2017-05-12_at_6.34.27_PM.png

  4. Locate and double click Configure Logon Script Delay.
  5. Mark the policy as Enabled and set the Minute value to 0. On Windows Server 2012 R2 and later, Group Policy delays logon scripts by five minutes by default; setting 0 makes the drive mapping run as soon as the user logs in.

    Screen_Shot_2017-05-12_at_6.34.03_PM.png

  6. Click OK.
  7. Navigate to:
    • User Configuration > Policies > Windows Settings > Scripts (logon/logoff).

      Screen_Shot_2017-05-12_at_6.34.47_PM.png

  8. Double click Logon to edit this policy value.
  9. On the Scripts tab click Show Files.
  10. This opens an Explorer window at the Logon scripts folder of the GPO. Create a new text file named logon.txt there; it will become the logon script.
  11. Edit logon.txt and paste the following code inside:

    @ECHO OFF

    powershell -NoProfile -ExecutionPolicy Bypass -Command "New-PSDrive -Name '<Drive Letter>' -PSProvider FileSystem -Root '\\%USERNAME%.<ELC Host Name>.<Domain>\ELC' -Scope Global -Persist | Out-Null; (New-Object -ComObject Shell.Application).NameSpace('<Drive Letter>:\').Self.Name = '<Drive Name>'"

    • Note: Replace the placeholders in angle brackets (<Drive Letter>, <ELC Host Name>, <Domain>, <Drive Name>) before saving the script. The values inside the -Command string must use single quotes, because the whole string is already wrapped in double quotes. %USERNAME% is expanded by cmd in the user's own session, so this must run as a user logon script, not as a computer startup script.

  12. Once the code has been saved, rename logon.txt to logon.bat. If Explorer hides known file extensions, enable them first so the file does not end up as logon.bat.txt.
  13. In Explorer, navigate one folder up. This folder should be named Scripts and contain two directories:
    • Logoff and Logon

  14. Right click the Logon folder and select Properties.
  15. Click on the Security tab to edit the folder permissions followed by the Add button.
  16. Add the Domain Users group with read-only permissions, so every user can run the script but only administrators can change it. Never grant Write or Modify here: a logon script that ordinary users can edit runs in every user's session and is an easy path to tampering.
    • Add the group:

      Screen_Shot_2017-05-12_at_6.43.20_PM.png

    • Set the permissions to:
      • Read & Execute
      • List Folder Contents
      • Read

        Screen_Shot_2017-05-12_at_6.41.53_PM.png

  17. Now that the script has been added and permissions have been set, return to the Logon properties of the GPO and add the script:

    Screen_Shot_2017-05-12_at_6.54.48_PM.png
    Screen_Shot_2017-05-12_at_6.55.06_PM.png
    Screen_Shot_2017-05-12_at_6.55.14_PM.png

  18. Click Apply and then OK and close out of the GPO Editor and Management console.
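A more complete version of the logon script, as an added example that is not from the original article or from Egnyte: it builds the per-user alias from %USERNAME%, fails early if the wildcard record does not resolve, clears a stale mapping of the same letter, maps the share with New-PSDrive -Persist, labels it, and then checks with Get-SmbConnection that the SMB connection to the alias really belongs to the current user rather than the last user who logged in (the symptom from the Issue section). The drive letter, appliance host name, domain, share name, label and log path are assumptions.

```powershell
# Added example (not from the Egnyte article): per-user logon script for the Storage Sync share.
# Assumed values; replace with your own.
$DriveLetter = 'S'                   # assumption: drive letter to map
$ElcHost     = 'elc01'               # assumption: Storage Sync appliance host name
$Domain      = 'corp.example.com'    # assumption: AD domain / DNS zone with the wildcard record
$ShareName   = 'ELC'                 # assumption: share name on the appliance
$DriveLabel  = 'Egnyte'              # assumption: label shown in Explorer
$LogFile     = Join-Path $env:TEMP 'egnyte-logon.log'   # assumption: per-user log location

# The alias is unique per user, so the SMB redirector opens a distinct connection for each
# user instead of reusing another user's session to the same server name.
$Alias   = "$env:USERNAME.$ElcHost.$Domain"
$UncPath = "\\$Alias\$ShareName"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

try {
    # 1. Fail early if the wildcard A record is missing; mapping a name that does not resolve
    #    would only produce a confusing error later.
    $null = Resolve-DnsName -Name $Alias -Type A -ErrorAction Stop

    # 2. Remove a stale mapping of the same letter (for example one left behind on this host
    #    by a previous session), otherwise New-PSDrive fails with "drive already exists".
    if (Test-Path "${DriveLetter}:") {
        net use "${DriveLetter}:" /delete /y | Out-Null
    }

    # 3. Map the share persistently so it is visible in Explorer for this user's session only.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath -Scope Global -Persist -ErrorAction Stop | Out-Null

    # 4. Friendly label in Explorer (same Shell.Application call the article's script uses).
    (New-Object -ComObject Shell.Application).NameSpace("${DriveLetter}:\").Self.Name = $DriveLabel

    # 5. Verify the connection is authenticated as this user. With a shared (machine-based)
    #    session this would show a different account; with the alias it must be ours.
    $expected = "$env:USERDOMAIN\$env:USERNAME"
    $conns    = @(Get-SmbConnection -ServerName $Alias -ErrorAction SilentlyContinue)
    if ($conns.Count -eq 0) {
        Write-Log "WARNING: could not query the SMB connection to $Alias to verify its user"
    }
    else {
        $wrong = @($conns | Where-Object { $_.UserName -ne $expected })
        if ($wrong.Count -gt 0) {
            Write-Log "WARNING: $UncPath is connected as '$($wrong[0].UserName)', expected '$expected'"
        }
        else {
            Write-Log "Mapped $UncPath to ${DriveLetter}: as $expected"
        }
    }
}
catch {
    Write-Log "ERROR mapping $UncPath : $($_.Exception.Message)"
}
```

Save it as logon.ps1 in the same Logon scripts folder with the same read-only permissions, and either add it on the PowerShell Scripts tab of the Logon policy or call it from logon.bat with powershell -NoProfile -ExecutionPolicy Bypass -File "%~dp0logon.ps1". After logging in as two different users on the Terminal Server, Get-SmbConnection on the server should list one connection per alias, each with its own user name.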

User Configuration in AD

This is the alternative to delivering the script through the GPO: the same logon.bat is assigned directly on the user account. A script referenced from the Profile tab is loaded from the domain's NETLOGON share (\\<Domain>\NETLOGON, the SYSVOL scripts folder replicated to every domain controller), so copy logon.bat there first, with the same read-only permissions for Domain Users.

  1. Open the Active Directory Users and Computers management console.
  2. Open the Properties of each user account the logon script should apply to.

    Screen_Shot_2017-05-12_at_6.37.45_PM.png

  3. Click on the Profile tab and type logon.bat in the Logon script text box.

    Screen_Shot_2017-05-12_at_6.55.45_PM.png

  4. Apply the new policy on the Terminal Server by running gpupdate /force (or waiting for the next Group Policy refresh), then log in as a test user.

    Screen_Shot_2017-05-12_at_6.56.23_PM.png


The Terminal Services server should now connect to Storage Sync with a separate connection per user. To confirm the fix, log in as two different users and check that each user's mapped drive shows only the folders that user is permitted to see in the cloud, not the folders of whoever logged in last.
