Microsoft KB Archive/291426

= After ZAK Installation, Error Messages Appear When Users Log On or Try to Use Programs =

Article ID: 291426

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition

-



This article was previously published under Q291426



SYMPTOMS
After you install the Zero Administration Kit (ZAK) on a computer that runs Windows NT Server 4.0, Terminal Server Edition, and that is already set up with programs and user permissions, various error messages may appear when a user tries to log on or use a program.



CAUSE
This behavior can occur if the ZAK lockout script (Zakwtsb2.exe) applies restrictions on files that programs need to use.



RESOLUTION
To resolve this behavior, either give all users Full Control permissions for the Terminal Server local hard disk, or restore the default Terminal Server permissions.



MORE INFORMATION
The following list describes the updated ZAK script files that are associated with the Zakwtsb2.exe file for Terminal Server.

Zakinstall.cmd: This file copies the ZAK files to the system root on the Terminal Server, in a folder named Zak. The file then calls Zakb1wrk.cmd.

Zakb1wrk.cmd: This file cleans up any files that Office 97 Setup places in the All Users\Startup folder. The file has many commented-out sections that you can customize for your environment. The file calls Acls.cmd, which sets the system access control lists, and Hide.cmd, which hides most of the local file system.

Acls.cmd: This file uses the Cacls command-line utility to set Read-only permissions for users on all files on the local system. It then goes back and modifies permissions on specific files or folders so that Office 97 and Windows NT work properly. This process performs the following actions:

NOTE: Unless specifically listed otherwise, administrators have full permissions for all files and folders.


 * Makes the boot files available only to administrators.
 * Gives users Read-only permissions for the Program Files folder.
 * Makes Windows NT accessories (Notepad, games, and so on) unavailable to users.
 * Gives everyone Change permissions for the Office and Office\Templates folders.
 * Gives everyone Change permissions for the Temp folder but does not allow deletion of the folder. To accomplish this, the process places a file in the root of the Temp folder and then restricts users from deleting that one file.
 * Sets user permissions for the Wtsrv folder and most of its subfolders to Read-only. The Help folder, Profiles folder, Spool folder, and folders related to Internet Explorer retain regular availability. Some specific files (for example, Explorer.exe and Wordpad.exe) require Read permissions so users can run them. For a complete list of allowed executable files, refer to the command file.
 * Denies any access to .inf files, .exe files, and .hlp files in the System folders.
 * Locks out user access to the Zak folder.
 * Allows Read access to specific files that Office needs to write to.

Hide.cmd: This file sets the Hidden attribute for most files on the computer, effectively hiding them without applying any system policies, so that a user who explores the local hard disk drive does not see most files or folders. There are exceptions. For example, it does not hide Microsoft PowerPoint templates (.ppt) because these files must be visible for PowerPoint to run properly.

Unhide.cmd: This file removes the Hidden attribute tag from all files on the system drive. It is included for the system administrator's convenience.

Keywords: kbprb KB291426

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.