diff --git a/package.json b/package.json
index d8c3bfbe..d963df45 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "meshcentral",
-  "version": "0.2.9-e",
+  "version": "0.2.9-h",
   "keywords": [
     "Remote Management",
     "Intel AMT",
diff --git a/views/default.handlebars b/views/default.handlebars
index a1b79a10..cb788a8c 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -2730,9 +2730,14 @@
             var meshlinks = mesh.links['user/' + domain + '/' + userinfo.name.toLowerCase()];
             var meshrights = meshlinks.rights;
             var consoleRights = ((meshrights & 16) != 0);
+
+            // Check if we have terminal and file access
+            var terminalAccess = ((meshrights == 0xFFFFFFFF) || ((meshrights & 512) == 0));
+            var fileAccess = ((meshrights == 0xFFFFFFFF) || ((meshrights & 1024) == 0));
+
             QV('cxdesktop', ((mesh.mtype == 1) || (node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 1) != 0) || (node.intelamt && (node.intelamt.state == 2))) && ((meshrights & 8) || (meshrights & 256)));
-            QV('cxterminal', ((mesh.mtype == 1) || (node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 2) != 0) || (node.intelamt && (node.intelamt.state == 2))) && (meshrights & 8));
-            QV('cxfiles', ((mesh.mtype == 2) && ((node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 4) != 0))) && (meshrights & 8));
+            QV('cxterminal', ((mesh.mtype == 1) || (node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 2) != 0) || (node.intelamt && (node.intelamt.state == 2))) && (meshrights & 8) && terminalAccess);
+            QV('cxfiles', ((mesh.mtype == 2) && ((node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 4) != 0))) && (meshrights & 8) && fileAccess);
             QV('cxevents', (node.intelamt != null) && ((node.intelamt.state == 2) || (node.conn & 2)) && (meshrights & 8));
             QV('cxconsole', (consoleRights && (mesh.mtype == 2) && ((node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 8) != 0))) && (meshrights & 8));
 
@@ -3575,9 +3580,14 @@
                 Q('MainComputerImage').setAttribute("src", "images/icons200-" + node.icon + "-1.jpg");
                 Q('MainComputerImage').className = ((!node.conn) || (node.conn == 0)?'gray':'');
 
+                // Check if we have terminal and file access
+                var terminalAccess = ((meshrights == 0xFFFFFFFF) || ((meshrights & 512) == 0));
+                var fileAccess = ((meshrights == 0xFFFFFFFF) || ((meshrights & 1024) == 0));
+                var amtAccess = ((meshrights == 0xFFFFFFFF) || ((meshrights & 2048) == 0));
+
                 // Setup/Refresh the desktop tab
-                setupTerminal();
-                setupFiles();
+                if (terminalAccess) { setupTerminal(); }
+                if (fileAccess) { setupFiles(); }
                 var consoleRights = ((meshrights & 16) != 0);
                 if (consoleRights) { setupConsole(); } else { if (panel == 15) { panel = 10; } }
 
@@ -3585,9 +3595,9 @@
                 // mesh.mtype: 1 = Intel AMT only, 2 = Mesh Agent
                 // node.agent.caps (bitmask): 1 = Desktop, 2 = Terminal, 4 = Files, 8 = Console
                 QV('MainDevDesktop', ((mesh.mtype == 1) || (node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 1) != 0) || (node.intelamt && (node.intelamt.state == 2))) && ((meshrights & 8) || (meshrights & 256)));
-                QV('MainDevTerminal', ((mesh.mtype == 1) || (node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 2) != 0) || (node.intelamt && (node.intelamt.state == 2))) && (meshrights & 8));
-                QV('MainDevFiles', ((mesh.mtype == 2) && ((node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 4) != 0))) && (meshrights & 8));
-                QV('MainDevAmt', (node.intelamt != null) && ((node.intelamt.state == 2) || (node.conn & 2)) && (meshrights & 8));
+                QV('MainDevTerminal', ((mesh.mtype == 1) || (node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 2) != 0) || (node.intelamt && (node.intelamt.state == 2))) && (meshrights & 8) && terminalAccess);
+                QV('MainDevFiles', ((mesh.mtype == 2) && ((node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 4) != 0))) && (meshrights & 8) && fileAccess);
+                QV('MainDevAmt', (node.intelamt != null) && ((node.intelamt.state == 2) || (node.conn & 2)) && (meshrights & 8) && amtAccess);
                 QV('MainDevConsole', (consoleRights && (mesh.mtype == 2) && ((node.agent == null) || (node.agent.caps == null) || ((node.agent.caps & 8) != 0))) && (meshrights & 8));
                 QV('p15uploadCore', (node.agent != null) && (node.agent.caps != null) && ((node.agent.caps & 16) != 0));
                 QH('p15coreName', ((node.agent != null) && (node.agent.core != null))?node.agent.core:'');
@@ -5813,7 +5823,7 @@
                 var trash = '', rights = 'Partial Rights', r = sortedusers[i].rights;
                 if (r == 0xFFFFFFFF) rights = 'Full Administrator'; else if (r == 0) rights = 'No Rights';
                 if ((i != userinfo._id) && (meshrights == 0xFFFFFFFF || (((meshrights & 2) != 0)))) { trash = '<a onclick=p20deleteUser(event,"' + encodeURIComponent(sortedusers[i].id) + '") title="Remote user rights to this mesh" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>'; }
-                x += '<tr onclick=p20viewuser("' + encodeURIComponent(sortedusers[i].id) + '") style=cursor:pointer' + (((count % 2) == 0)?';background-color:#DDD':'') + '><td><div title="User" class=m2></div><div>&nbsp;' + sortedusers[i].name + '<div></div></div></td><td><div style=float:right>' + trash + '</div><div>' + rights + '</div></td></tr>';
+                x += '<tr onclick=p20viewuser("' + encodeURIComponent(sortedusers[i].id) + '") style=cursor:pointer' + (((count % 2) == 0) ? ';background-color:#DDD' : '') + '><td><div title="User" class=m2></div><div>&nbsp;' + EscapeHtml(decodeURIComponent(sortedusers[i].name)) + '<div></div></div></td><td><div style=float:right>' + trash + '</div><div>' + rights + '</div></td></tr>';
                 ++count;
             }
 
@@ -5921,17 +5931,20 @@
             if (xxdialogMode) return;
             var x = "Allow a user to manage this device group and devices in this group<br /><br />";
             x += addHtmlValue('User Name', '<input id=dp20username style=width:230px maxlength=32 onchange=p20validateAddMeshUserDialog() onkeyup=p20validateAddMeshUserDialog() />');
-            x += '<br><div>';
+            x += '<br><div style="height:120px;overflow-y:scroll;border:1px solid gray">';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20fulladmin>Full Administrator<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20editmesh>Edit Device Group<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20manageusers>Manage Device Group Users<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20managecomputers>Manage Device Group Computers<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20remotecontrol>Remote Control<br>';
+            x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20remoteview style=margin-left:12px>Remote View Only<br>';
+            x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20noterminal style=margin-left:12px>No Terminal Access<br>';
+            x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20nofiles style=margin-left:12px>No File Access<br>';
+            x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20noamt style=margin-left:12px>No Intel&reg; AMT<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20meshagentconsole>Mesh Agent Console<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20meshserverfiles>Server Files<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20wakedevices>Wake Devices<br>';
             x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20editnotes>Edit Device Notes<br>';
-            x += '<input type=checkbox onchange=p20validateAddMeshUserDialog() id=p20remoteview>Remote View Only<br>';
             x += '</div>';
             setDialogMode(2, "Add User to Device Group", 3, p20showAddMeshUserDialogEx, x);
             p20validateAddMeshUserDialog();
@@ -5950,7 +5963,10 @@
             QE('p20meshserverfiles', !Q('p20fulladmin').checked);
             QE('p20wakedevices', !Q('p20fulladmin').checked);
             QE('p20editnotes', !Q('p20fulladmin').checked);
-            QE('p20remoteview', !Q('p20fulladmin').checked);
+            QE('p20remoteview', !Q('p20fulladmin').checked && Q('p20remotecontrol').checked);
+            QE('p20noterminal', !Q('p20fulladmin').checked && Q('p20remotecontrol').checked);
+            QE('p20nofiles', !Q('p20fulladmin').checked && Q('p20remotecontrol').checked);
+            QE('p20noamt', !Q('p20fulladmin').checked && Q('p20remotecontrol').checked);
         }
 
         function p20showAddMeshUserDialogEx() {
@@ -5965,6 +5981,9 @@
                 if (Q('p20wakedevices').checked == true) meshadmin += 64;
                 if (Q('p20editnotes').checked == true) meshadmin += 128;
                 if (Q('p20remoteview').checked == true) meshadmin += 256;
+                if (Q('p20noterminal').checked == true) meshadmin += 512;
+                if (Q('p20nofiles').checked == true) meshadmin += 1024;
+                if (Q('p20noamt').checked == true) meshadmin += 2048;
             }
             meshserver.send({ action: 'addmeshuser', meshid: currentMesh._id, meshname: currentMesh.name, username: Q('dp20username').value , meshadmin: meshadmin});
         }
@@ -5974,19 +5993,22 @@
             userid = decodeURIComponent(userid);
             var r = '', cmeshrights = currentMesh.links['user/' + domain + '/' + userinfo.name.toLowerCase()].rights, meshrights = currentMesh.links[userid].rights;
             if (meshrights == 0xFFFFFFFF) r = ', Full Administrator (all rights)'; else {
-                if ((meshrights &   1) != 0) r += ', Edit Device Group';
-                if ((meshrights &   2) != 0) r += ', Manage Device Group Users';
-                if ((meshrights &   4) != 0) r += ', Manage Device Group Computers';
-                if ((meshrights &   8) != 0) r += ', Remote Control';
-                if ((meshrights &  16) != 0) r += ', Agent Console';
-                if ((meshrights &  32) != 0) r += ', Server Files';
-                if ((meshrights &  64) != 0) r += ', Wake Devices';
-                if ((meshrights & 128) != 0) r += ', Edit Notes';
-                if ((meshrights & 256) != 0) r += ', Remote View Only';
+                if ((meshrights &    1) != 0) r += ', Edit Device Group';
+                if ((meshrights &    2) != 0) r += ', Manage Device Group Users';
+                if ((meshrights &    4) != 0) r += ', Manage Device Group Computers';
+                if ((meshrights &    8) != 0) r += ', Remote Control';
+                if ((meshrights &   16) != 0) r += ', Agent Console';
+                if ((meshrights &   32) != 0) r += ', Server Files';
+                if ((meshrights &   64) != 0) r += ', Wake Devices';
+                if ((meshrights &  128) != 0) r += ', Edit Notes';
+                if ((meshrights &  256) != 0) r += ', Remote View Only';
+                if ((meshrights &  512) != 0) r += ', No Terminal';
+                if ((meshrights & 1024) != 0) r += ', No Files';
+                if ((meshrights & 2048) != 0) r += ', No Intel&reg; AMT';
             }
             r = r.substring(2);
             if (r == '') { r = 'No Rights'; }
-            var buttons = 1, x = addHtmlValue('User Name', userid.split('/')[2]);
+            var buttons = 1, x = addHtmlValue('User Name', EscapeHtml(decodeURIComponent(userid.split('/')[2])));
             x += addHtmlValue('Permissions', r);
             if ((('user/' + domain + '/' + userinfo.name.toLowerCase()) != userid) && (cmeshrights == 0xFFFFFFFF || (((cmeshrights & 2) != 0) && (meshrights != 0xFFFFFFFF)))) buttons += 4;
             setDialogMode(2, "Device Group User", buttons, p20viewuserEx, x, userid);