IT administrators certainly know that restricting the access certain users or user categories have in Windows 10 is a must, especially because the changes they could make may eventually affect system performance and stability.
Setting up the level of access could even come in handy on home systems with more than one user account, though it goes without saying that this method is mostly used within large corporate networks.
When trying to access files they aren’t allowed to load, users are provided with an access denied error, typically instructing them to get in touch with the system administrator.
Windows comes with further settings in this regard, including options to customize the access denied message with all kinds of content, including even links which they would have to click to request access.
First and foremost, let’s see where this option is located. You need to launch the Group Policy Editor by typing gpedit.msc in the Start menu and then navigate to this path:
Computer Configuration > Administrative Templates > System > Access-Denied Assistance
Without any tweaks, there are two different policies on the right side of the screen, and the one you’re going to use is called:
Customize message for Access Denied errors
By default, this policy is set to Not Configured, so you to double-click it to change its status. By enabling it, you can create a customized message that is displayed when users get an access denied error, with additional parameters (which you must set up) in the lower part of the screen.
Microsoft explains in the description of the policy:
“This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access.”
Once enabled, the policy unlocks additional customization options, including setting up your own message to be displayed to users. There’s a dedicated setting to enable users to request assistance.
As said, users can even send an email to IT admins in order to request access to the files they’re trying to open, and you can set up your own email that would be automatically used as the default template for this purpose.
This option comes with its very own configuration settings, and you can set up the email recipient and email parameters, like including user and device claims and logging all messages in the Application and Services event log.
If you don’t configure this setting, Windows will use the default access denied message, so keep this in mind if you’re planning to set up restrictions on the devices in your network.
“If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message,” Microsoft explains.
This policy was originally introduced in Windows 8, and it is also available in Windows RT (which is obviously a thing of the past already), Windows Server 2012, and newer OS versions like Windows 10.
Setting up the policy that does require a system reboot and all the changes are applied automatically. Keep in mind that the restricted access must be enabled before activating this policy, alongside the assistance service. To do this, enable the policy called Enable access-denied assistance on client for all file types in the same location as the one mentioned above.