Logon script - Access is denied
For various reasons all users in our domain were domain admins. I am trying to remove this group from end users. It is a 2008 terminal server. We have a login script saved in the DC's netlogon. When a user is not in the domain admins, the script runs ok except for the copy command. These commands get "access is denied". The syntax of the line is:

copy /Y C:\folder\*.* T:\folder1\folder2

The strange thing is users that have been created recently do not get this. This was originally a Windows 2000 domain and was migrated to 2008 a couple of years ago. It seems that users that were created before this migration seem to get the problem. I deleted one of these old users from AD and recreated them but they still have the problem. I don't know if there is something left behind that stays with the recreated user (same name). A completely new user with the same group membership and privileges can run it no problem. Any help much appreciated.
February 24th, 2011 8:37am

The users need permissions in T:\folder1\folder2. The difference is probably membership in a group that has the proper permissions in this folder. Either that, or the problem users do not have a T: drive mapping. For testing, run the copy statement as a problem user after logon. Any error message should help troubleshoot the problem.
Richard Mueller
MVP ADSI
February 24th, 2011 9:56am

Hi, As Richard mentioned, please make sure the problematic user has proper permission to write to the destination folder. For the T: drive, is it a mapped network drive? After the problematic user logs on, please run the above copy command separately. What is the result? If the "access is denied" error is shown, please double check the permissions first. Also, you can use Process Monitor to trace any trouble encountered when running the script manually. Please visit the following Web site: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx. Thanks.
Nina
February 25th, 2011 5:11am

It does indeed seem that the user it was working ok for (user 1) had their username in the NTFS permissions. The user that was having problems (user 2) did not. The T: is a substitute drive that is created by the login script. How would the permission be set on user 1's T: and not on user 2's and can I specify in the script to give the current user permissions on T:? Edit: Forget about it, have it sorted. The T: was mapped from yet another folder and inherited permissions! Thanks for the replies.
March 2nd, 2011 5:56am
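
The check this thread converged on, as an added example that is not part of any post above: resolve the substituted T: drive to the folder behind it, then list the ACEs on the destination that apply to the logged-on user and whether each one is inherited. The drive letter and path are the ones quoted in the question; the script itself and its variable names are assumptions. Run it as the affected user after logon.

```powershell
# Added example, not from the thread. Drive and path are those quoted in the question.
$drive = 'T:'
$dest  = 'T:\folder1\folder2'

# 'subst' with no arguments prints one line per mapping:  T:\: => C:\real\path
$target = $null
foreach ($line in (subst)) {
    if ($line -match '^(?<d>[A-Z]:)\\: => (?<p>.+)$' -and $Matches['d'] -eq $drive) {
        $target = $Matches['p']
    }
}
if (-not $target) { throw "$drive is not a subst drive in this session" }

# subst reports network targets as UNC\server\share; turn that back into \\server\share
if ($target -like 'UNC\*') { $target = '\\' + $target.Substring(4) }

# Real path of the copy destination, which is where NTFS evaluates access
$real = $target.TrimEnd('\') + $dest.Substring(2)
Write-Host "$dest is really $real"

# SIDs in the current logon token: the user plus every group
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Explicit and inherited ACEs, returned as SIDs so renamed or recreated accounts compare correctly
$acl   = Get-Acl -Path $real
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$rules |
    Where-Object { $sids -contains $_.IdentityReference.Value } |
    Select-Object @{n='Sid'; e={ $_.IdentityReference.Value }},
                  AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

No Allow row that includes write rights means the copy will fail for this user. Rows with IsInherited set to True come from a parent of the folder behind the subst mapping, so that parent is where the permission has to be corrected.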

This topic is archived. No further replies will be accepted.