DOCUMENT:Q291426 11-DEC-2001 [winnt] TITLE :Error Messages Appear When User Open Programs on Terminal Server PRODUCT :Microsoft Windows NT PROD/VER::4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0, Terminal Server Edition ------------------------------------------------------------------------------- SYMPTOMS ======== After you install the Zero Administration Kit (ZAK) on a computer that runs Windows NT Server 4.0, Terminal Server Edition, and that is already set up with programs and user permissions, various error messages may appear when a user tries to log on or use a program. CAUSE ===== This behavior can occur if the ZAK lockout script (Zakwtsb2.exe) applies restrictions on files that programs need to use. RESOLUTION ========== To resolve this behavior, either give all users Full Control permissions for the Terminal Server local hard disk, or restore the default Terminal Server permissions. MORE INFORMATION ================ The following list describes the updated ZAK script files that are associated with the Zakwtsb2.exe file for Terminal Server. Zakinstall.cmd: This file copies the ZAK files to the system root on the Terminal Server, in a folder named Zak. The file then calls Zakb1wrk.cmd. Zakb1wrk.cmd: This file cleans up any files that Office 97 Setup places in the All Users\Startup folder. The file has many commented-out sections that you can customize for your environment. The file calls Acls.cmd, which sets the system access control lists, and Hide.cmd, which hides most of the local file system. Acls.cmd: This file uses the Cacls command-line utility to set Read-only permissions for users on all files on the local system. It then goes back and modifies permissions on specific files or folders so that Office 97 and Windows NT work properly. This process performs the following actions: NOTE: Unless specifically listed otherwise, administrators have full permissions for all files and folders. - Makes the boot files available only to administrators. - Gives users Read-only permissions for the Program Files folder. - Makes Windows NT accessories (Notepad, games, and so on) unavailable to users. - Gives everyone Change permissions for the Office and Office\Templates folders. - Gives everyone Change permissions for the Temp folder but does not allow deletion of the folder. To accomplish this, the process places a file in the root of the Temp folder and then restricts users from deleting that one file. - Sets user permissions for the Wtsrv folder and most of its subfolders to Read-only. The Help folder, Profiles folder, Spool folder, and folders related to Internet Explorer retain regular availability. Some specific files (for example, Explorer.exe and Wordpad.exe) require Read permissions so users can run them. For a complete list of allowed executable files, refer to the command file. - Denies any access to .inf files, .exe files, and .hlp files in the System folders. - Locks out user access to the Zak folder. - Allows Read access to specific files that Office needs to write to. Hide.cmd: This file sets the Hidden attribute for most files on the computer, effectively hiding them without applying any system policies, so that a user who explores the local hard disk drive does not see most files or folders. There are exceptions. For example, it does not hide Microsoft PowerPoint templates (.ppt) because these files must be visible for PowerPoint to run properly. Unhide.cmd: This file removes the Hidden attribute tag from all files on the system drive. It is included for the system administrator's convenience. Additional query words: ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400search kbNTTermServ400 kbNTTermServSearch Version : :4.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.