Skip to main content
Plan for Access-Denied Assistance

Published: August 16, 2012

Updated: August 16, 2012

Applies To: Windows Server 2012

There are a few considerations and decisions that should be made before you deploy access-denied assistance.

Use the following table to plan your access-denied assistance deployment in your organization.


Task Description

1.1 Determine the access-denied assistance model

Determine whether your organization should use an email model or a Web services model for access-denied assistance.

1.2. Determine who should handle access requests

You can assign each file share an owner distribution list that will receive access requests.

1.3. Customize the access-denied assistance message

The access-denied assistance message should be customized for your organization. The included message is only a sample.

1.4. Plan for exceptions

Exceptions happen when a user account needs access to a specific file share but they do not need access to everything that the security group has.

1.5. Determine how access-denied assistance is deployed

Access-denied assistance can be configured at the file server level or at the file share level.

There are two ways that you can configure access-denied assistance in your organization:

  • Email model In an email model, if a user is denied access, a customized error message is shown with a button to request assistance. When the user clicks the Request Assistance button, an email is sent to the folder owner with the specified information.

  • Web services model The Web services model is similar to the email model. Instead of the request assistance button being shown, a link is included in the access-denied assistance message that directs the user to request access through a self-service portal, such as Forefront Identity Manager.

The model that you choose is dependent on your organization.

When using the email model each of the file shares, you can determine whether access requests to each file share will be received by the administrator, a distribution list that represents the file share owners, or both.

The owner distribution list is configured by using the SMB Share – Advanced file share profile in the New Share Wizard in Server Manager.

You can also use the File Server Resource Manager console to configure the owner distribution list by editing the management properties of the classification properties.

Windows Server 2012 contains a sample message when you enable access-denied assistance. You should customize this message to meet the needs of your organization. One thing to consider including in the message is a link to your Intranet or help desk location.

You can also provide a specific access-denied assistance message per file share. This message will replace the global message when a user tries to access files within file share. For more information on how to configure a separate access-denied assistance message for a file share, see Deploy Access-Denied Assistance (Demonstration Steps).

How to deal with exceptions is an important consideration to plan for before you deploy access-denied assistance. Exceptions can happen if a user account needs access to a file share.

We recommend that the user account should not be added to any of the security groups that have access as part of the user’s role. Instead, you should create another security group for exceptions that contains those user accounts and grant access to the appropriate file share so that you can monitor this security group separately and enforce rules, such as expiring membership.

Access-denied assistance can be configured on a per-file server or per-share basis. By configuring access-denied assistance at the file share level, you can customize the message to include specific information about the file share itself. For example, you could specify the exception security group for that share in the message so the user would know which group in which they should request access. Another example is to specify a specific owner distribution list for the folder that represents the file share.

Some settings are global for the server. Enabling or disabling access-denied assistance is done on a server basis and the Request Assistance button is configured the file server level, so if you configure the file server to show the Request Assistance button, you cannot disable it on specific file shares.

For more information on configuring access-denied assistance at both a file share level and at a server level, see Deploy Access-Denied Assistance (Demonstration Steps).