Egnyte Help Desk

Terminal Server and Egnyte Storage Sync

Issue

Starting with Windows Server 2012 R2, Microsoft moved from a user-based session model to a machine-based session model. Under this model Storage Sync mixes up user permissions when users access ELC shares: the permissions applied to all mapped drives on the Terminal Services server are those of the last user to log in, regardless of the permissions assigned in the cloud. In practice, a user on the server can be granted or denied access to files according to another user's permissions.

Solution

The fix is to make Windows open a connection to what it considers a different server for each user who starts a session. This can be done with DNS and a short logon script: a wildcard DNS A record is created for the Storage Sync device, and the logon script builds the share path from the %USERNAME% environment variable (for example \\jsmith.<ELC Host Name>.<Domain>\ELC). Because Windows keys its SMB connections by server name, each user's mapping goes over its own connection, authenticated with that user's credentials, so the Terminal Services server holds a separate connection to Storage Sync for every logged-in user.

Once the wildcard DNS record is in place, the mapped share can be provisioned automatically for users who log into the server, either with a logon script assigned through Group Policy or with an AD user logon script.

Requirements

  • PowerShell 4.0 or later
    • Open a command prompt and run:
      > powershell -version 4.0
    • If the command returns:
      Cannot start Windows PowerShell version 4.0 because it is not installed.

      PowerShell must be updated (Windows Management Framework 4.0 or later) before continuing.

NOTE: Run this test on every Terminal Services server.


Configure DNS

1.  Open your "DNS Manager" and expand your Domain's "Forward Lookup Zones" 


2.  Right Click and select "New Host (A or AAAA)..."


3.  The record uses the host name and IP address of the ELC device to create a wildcard subdomain beneath the ELC device's host name, so that any name of the form <anything>.<ELC Host name>.<Domain> resolves to the appliance:

  • Name (uses parent domain name if blank): *.<ELC Host name>
  • IP address: <ELC appliance IP> 


  • Test the new record with nslookup (for example, nslookup testuser.<ELC Host name>.<Domain>) and verify that it returns the ELC appliance IP address. The wildcard only matches labels beneath the ELC host name; the appliance's own A record must still exist.

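The same wildcard record can be created and verified from PowerShell on the DNS server instead of through DNS Manager. The following is an added example, not part of the Egnyte article; the zone name corp.example.com, the ELC host name elc01, the appliance address 10.0.0.50 and the test user labels are assumed values that you must replace with your own.

```powershell
# Added example (not from the Egnyte article): create and verify the wildcard
# A record with the DnsServer module. Assumed values: zone corp.example.com,
# ELC host name elc01, appliance IP 10.0.0.50. Run as a DNS administrator on
# the DNS server or a host with the DnsServer RSAT module installed.
$Zone    = 'corp.example.com'   # AD-integrated forward lookup zone
$ElcHost = 'elc01'              # host name of the Storage Sync (ELC) appliance
$ElcIP   = '10.0.0.50'          # IP address of the appliance

# Wildcard record: any label under elc01.corp.example.com resolves to the appliance.
# The appliance's own record (elc01.corp.example.com) is not covered by the wildcard
# and must exist separately.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name "*.$ElcHost" -IPv4Address $ElcIP

# Verify from a Terminal Services server: two different user labels must both
# resolve to the appliance IP, otherwise the per-user mapping will fail.
foreach ($user in 'alice', 'bob') {
    $fqdn   = "$user.$ElcHost.$Zone"
    $answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' }
    if ($answer.IPAddress -ne $ElcIP) {
        throw "$fqdn resolved to '$($answer.IPAddress)', expected $ElcIP"
    }
    Write-Host "$fqdn -> $($answer.IPAddress)"
}
```

Run the verification part on every Terminal Services server, since a server that uses a different DNS resolver or a stale cache will map the drive to the wrong place or not at all.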


Configuring the GPO and Logon Scripts

Refer to the following steps as one possible way of mapping user shares. Since no two environments are alike, these steps may need to be adapted to yours.


  1. Open your "Group Policy Manager" and Create a new GPO:
  2. After this GPO is named and created right click the GPO and select "Edit".
  3. Navigate to:
    • Computer Configuration > Policies > Administrative Templates > System > Group Policy
  4. Locate and double click "Configure Logon Script Delay"
  5. Mark the policy as "Enabled" and set the "Minute" value to "0":
  6. Click "OK".
  7. Navigate to:
    • User Configuration > Policies > Windows Settings > Scripts (logon/logoff)
  8. Double click "Logon" to edit this policy value.
  9. On the "Scripts" tab click "Show Files"
  10. This opens an Explorer window for the GPO's Logon script folder. Create a new text file named "logon.txt" there; it will become the logon script.
  11. Edit "logon.txt" and paste the following code into it:

    @ECHO OFF
    REM Map the Storage Sync (ELC) share through a per-user host name so that
    REM Windows opens a separate SMB connection for each Terminal Services user.
    REM %USERNAME% is expanded by the command interpreter before PowerShell runs.
    powershell -NoProfile -Command "New-PSDrive -Name '<Drive Letter>' -PSProvider FileSystem -Root '\\%USERNAME%.<ELC Host Name>.<Domain>\ELC' -Scope Global -Persist; (New-Object -ComObject Shell.Application).NameSpace('<Drive Letter>:\').Self.Name = '<Drive Name>'"

    • NOTE: Replace the placeholders in angle brackets (<Drive Letter>, <ELC Host Name>, <Domain> and <Drive Name>) before saving the script. The drive letter is a single letter without a colon.

  12. Once the code has been saved to "logon.txt", rename the file to "logon.bat".
  13. In Explorer, navigate one folder up. This folder should be named "Scripts" and contain two directories:
    • Logoff and Logon

  14. Right click the "Logon" Folder and select "Properties."
  15. Click on the "Security" tab to edit the folder permissions followed by the "Add" button.
  16. We will add and set permissions for the "Domain Users" group:
    • Add the group:
    • Set the permissions to:
      • Read & Execute
      • List Folder Contents
      • Read
  17. Now that the script has been added and the permissions have been set, return to the "Logon Properties" dialog in the GPO editor and add "logon.bat" to the list of logon scripts:
  18. Click "Apply" and then "OK" and close out of the GPO Editor and Management console.
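The batch file above does the minimum. Where the GPO's Logon Properties dialog offers a "PowerShell Scripts" tab, a PowerShell logon script can add the checks a practitioner wants: failing loudly when the wildcard name or the share is unreachable, replacing a stale mapping, and confirming that the SMB connection really was made under the logged-on user's own name. The following is an added example and not Egnyte's script; the drive letter E, the ELC host name elc01, the domain corp.example.com, the label "Egnyte", and the use of Get-SmbConnection (SmbShare module, Windows Server 2012 and later) for the verification step are assumptions.

```powershell
# Added example (not from the Egnyte article): a PowerShell logon script that
# maps the per-user Storage Sync path and verifies the resulting SMB session.
# Assumed values: drive letter E, ELC host name elc01, domain corp.example.com,
# share name ELC (as in the article) and drive label "Egnyte".
param(
    [string]$DriveLetter = 'E',
    [string]$ElcHost     = 'elc01',
    [string]$Domain      = 'corp.example.com',
    [string]$ShareName   = 'ELC',
    [string]$DriveLabel  = 'Egnyte'
)

# Per-user server name: the wildcard A record makes <user>.elc01.corp.example.com
# resolve to the appliance, but Windows sees a distinct server and opens a
# separate SMB connection under this user's credentials.
$server = "$env:USERNAME.$ElcHost.$Domain"
$root   = "\\$server\$ShareName"

# Fail loudly if the wildcard record or the share is not reachable, rather than
# leaving the user with a silently missing drive.
if (-not (Test-Path -LiteralPath $root)) {
    Write-Error "Cannot reach $root; check the wildcard DNS record and the share."
    exit 1
}

# Replace any stale mapping left on this drive letter from a previous session.
if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
    Remove-PSDrive -Name $DriveLetter -Force
}
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $root -Scope Global -Persist | Out-Null
(New-Object -ComObject Shell.Application).NameSpace("${DriveLetter}:\").Self.Name = $DriveLabel

# Verification: the SMB connection behind this drive must be to the per-user
# server name and authenticated as this user, not as whoever logged in last.
$conn = Get-SmbConnection -ServerName $server -ErrorAction SilentlyContinue
if (-not $conn -or ($conn.UserName -notlike "*\$env:USERNAME")) {
    Write-Warning "No per-user SMB session found for $server (UserName: $($conn.UserName))"
} else {
    Write-Host "${DriveLetter}: -> $root as $($conn.UserName)"
}
```

Because the per-user name has no Kerberos service principal registered for it, Windows authenticates to that name with NTLM using the logged-on user's own credentials; the verification step checks that this, and not a session belonging to another user, is what the drive is using. If Get-SmbConnection is not available on the server, "net use" lists the same per-user UNC path for each mapped drive.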

User Configuration in AD

  1. Open the "Active Directory Users and Computers" management console.
  2. Open the "Properties" for any User Account(s) you wish to apply the logon script to.
  3. Click the "Profile" tab and type "logon.bat" in the "Logon script" field. This value is resolved relative to the domain's NETLOGON share (\\<Domain>\NETLOGON), so a copy of logon.bat must be placed there; the copy stored with the GPO under SYSVOL is not found by this setting. Use this step instead of, or in addition to, the GPO script assignment above.
  4. Refresh Group Policy on the Terminal Services server so the new settings take effect, then log on as a test user and confirm that the drive is mapped.
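The per-user assignment in Active Directory Users and Computers can be scripted, which also makes it easy to limit the script to the group of users who actually need the Storage Sync mapping. The following is an added example, not part of the Egnyte article; it assumes the ActiveDirectory RSAT module, the domain corp.example.com, an AD group named "Egnyte Users", and that logon.bat was written to C:\Scripts as in the GPO section.

```powershell
# Added example (not from the Egnyte article): assign logon.bat through the AD
# user profile and refresh policy on the Terminal Services server.
# Assumed values: domain corp.example.com, group "Egnyte Users", script in C:\Scripts.
Import-Module ActiveDirectory

$Domain     = 'corp.example.com'
$ScriptFile = 'C:\Scripts\logon.bat'     # the script written in the GPO section
$UserGroup  = 'Egnyte Users'             # users who need the Storage Sync mapping

# The Profile tab "Logon script" value is resolved relative to \\<domain>\NETLOGON,
# so the script must be published there; the GPO copy under SYSVOL\...\Scripts\Logon
# is not searched by this mechanism.
Copy-Item -Path $ScriptFile -Destination "\\$Domain\NETLOGON\logon.bat" -Force

# Set the logon script only for members of the group, not for every domain user
# (least privilege: users outside the group get no mapping at all).
Get-ADGroupMember -Identity $UserGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -ScriptPath 'logon.bat' }

# Confirm what was set before testing a logon.
Get-ADGroupMember -Identity $UserGroup -Recursive |
    Get-ADUser -Properties ScriptPath |
    Select-Object SamAccountName, ScriptPath

# On each Terminal Services server, force a policy refresh so the new settings
# apply without waiting for the background refresh interval.
gpupdate /force
```

Run the first part on a domain-joined administration host with the RSAT tools and the last command on each Terminal Services server; then log on as two different members of the group and confirm that each sees the permissions assigned to their own account in the cloud.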

The Terminal Services server should now be configured to connect to Storage Sync with a separate connection for each user.
