Symptoms
Users logging on to a MetaFrame Presentation Server are unable to execute files residing on client mapped drives and may receive the following error message:
“Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them.”
Once a Citrix MetaFrame XP 1.0 server is updated with Service Pack 4, this security change, by default, will be applied.
Cause
This is by design.
Resolution
The resolution to this issue is documented in the “MetaFrame Presentation Server 3.0 Administrator Guide” as follows:
Granting Users Execute Permission on Mapped Client Drives
As a security precaution, when a user logs onto MetaFrame Presentation Server, by default, the server maps client drives without user execute permission. For users to be able to execute files residing on mapped client drives, you must override this default by editing the value of ExecuteFromMappedDrive in the registry on a server running MetaFrame Presentation Server.
CAUTION! Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
To change the ExecuteFromMappedDrive registry setting
1. After installing MetaFrame Presentation Server, run regedit.
2. Find the key
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Cdm/ Parameters/ExecuteFromMappedDrive
3. To grant users execute permission on mapped drives, set
ExecuteFromMappedDrive to 1.
To deny users execute permission on mapped drives, which is the default, set
ExecuteFromMappedDrive to 0.
4. Restart the server for the change to take effect.
You can turn off client drive mapping through policies you configure in MetaFrame Presentation Server. MetaFrame Presentation Server now fully applies client drive access restrictions that you specify in policy rules that turn off mapping to client drives. Releases earlier than MetaFrame Presentation Server 3.0 allowed applications to access a restricted client drive through a UNC path even when a MetaFrame Presentation Server policy rule turned off mapping to the client drive. Now, applications cannot access client drives restricted through policy rules that turn off mapping to the client drive.
More Information
