How To Hide Additional Drive Letters On A Server

Updated June 16, 2009 with corrections for Method 3.

When creating a Server Management Group Policy on Windows Server 2003, there are two options that can be set to either hide the server's drives or prevent users from working with them:

·         Hide these specified drives in My Computer

·         Prevent access to drives from My Computer

When these options are enabled, there is a drop down box that allows the selection of various drive combinations.  What if the drives you need hidden are not on the list?  This article will show you three ways to add any combination of drive letters to be hidden or denied access:

1.       Modify System.adm

2.       Create a new ADM file

3.       Use the ICAClient.adm file provided by Citrix

Why bother with either manual process when there is a 3rd Party utility called GPDrivesOptions that automates the creation of the necessary information?  There are places that do not allow 3rd Party utilities to be run on Domain Controllers or Management Stations.  Also, if Change Management is used, it may take longer to go through the approval process to modify System.adm than it takes to create a new ADM file and use it for your Group Policy. 

Microsoft KB article 231289 explains the process for adding custom drive letter combinations.  Using KB231289, suppose you want to hide access to drives A, B, D, E, G, P and R.

The 26-bit string of drive letters is represented as:

11111111111111111111111111
ZYXWVUTSRQPONMLKJIHGFEDCBA

If you prefer to not work in Binary, the decimal value for each drive letter is:

Drive Letter   Decimal Value   Binary Value
Z              33554432        10000000000000000000000000
Y              16777216        1000000000000000000000000
X              8388608         100000000000000000000000
W              4194304         10000000000000000000000
V              2097152         1000000000000000000000
U              1048576         100000000000000000000
T              524288          10000000000000000000
S              262144          1000000000000000000
R              131072          100000000000000000
Q              65536           10000000000000000
P              32768           1000000000000000
O              16384           100000000000000
N              8192            10000000000000
M              4096            1000000000000
L              2048            100000000000
K              1024            10000000000
J              512             1000000000
I              256             100000000
H              128             10000000
G              64              1000000
F              32              100000
E              16              10000
D              8               1000
C              4               100
B              2               10
A              1               1

Putting 0s in the positions of the drives that are not to be hidden results in:

00000000101000000001011011
ZYXWVUTSRQPONMLKJIHGFEDCBA

The binary string is 101000000001011011, which converts to 163,931 in decimal.

If you prefer to work with decimal, add up the value for each drive letter:

Drive Letter   Decimal Value
A              1
B              2
D              8
E              16
G              64
P              32768
R              131072
Total          163931
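The conversion above, in both directions, as an added example that is not part of the original article or of KB231289. The function names are hypothetical; the entry formats follow the ADM lines used later in this article.

```python
import string

LETTERS = string.ascii_uppercase      # bit 0 = A ... bit 25 = Z
ALL_DRIVES = (1 << 26) - 1            # 67108863, the "Hide all drives" value

def drives_to_mask(drives):
    """Encode drive letters such as "ABDEGPR" as a NoDrives/NoViewOnDrive number."""
    mask = 0
    for ch in drives.upper():
        if ch in " ,:":               # tolerate "A: B: D:" or "A,B,D" input
            continue
        if ch not in LETTERS:
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << LETTERS.index(ch)
    return mask

def mask_to_drives(mask):
    """Decode a policy value back to its letters, e.g. when auditing a GPO."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"value outside the 26-bit range: {mask}")
    return "".join(l for i, l in enumerate(LETTERS) if (mask >> i) & 1)

def mask_to_bits(mask):
    """26-character binary string, Z on the left and A on the right."""
    return format(mask, "026b")

def adm_entries(drives):
    """Return (ITEMLIST line, [strings] line) for a custom drive combination."""
    mask = drives_to_mask(drives)
    if mask == 0:
        raise ValueError("no drive letters given")
    letters = mask_to_drives(mask)    # normalised: sorted, no duplicates
    key = f"{letters}_Only"
    if len(letters) > 1:
        pretty = ", ".join(letters[:-1]) + " and " + letters[-1]
    else:
        pretty = letters
    return (f"NAME !!{key} VALUE NUMERIC {mask}",
            f'{key}="Restrict {pretty} drives only"')

if __name__ == "__main__":
    value = drives_to_mask("ABDEGPR")
    print(mask_to_bits(value), value)
    for line in adm_entries("ABDEGPR"):
        print(line)
```

Decoding with mask_to_drives is also a quick way to check what an existing NoDrives or NoViewOnDrive value in a GPO or registry export actually covers.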

 

Method 1 – Modify System.adm:

To change System.adm, go to a command prompt and type in the following commands:

·         CD %SYSTEMROOT%\INF and press Enter

·         COPY SYSTEM.ADM SYSTEM_BACKUP.ADM and press Enter

·         Notepad system.adm

With Notepad open, press Ctrl-F and Find [strings].  Add this line to the [strings] section:

ABDEGPR_Only="Restrict A, B, D, E, G, P and R drives only"

Press Ctrl-Home to return to the top, then press Ctrl-F and Find !!NoDrives.  Add this entry in the ITEMLIST section for !!NoDrives:

NAME !!ABDEGPR_Only               VALUE NUMERIC             163931

Scroll down just a little until you see the !!NoViewOnDrive policy.  Add this entry in the ITEMLIST section for !!NoViewOnDrive:

NAME !!ABDEGPR_Only               VALUE NUMERIC             163931

See Figures 1 and 2 for system.adm before changes and Figures 3 and 4 for system.adm after changes.

Figure 1 (system.adm before changes)

Figure 2 (system.adm before changes)

Figure 3 (system.adm after changes)

Figure 4 (system.adm after changes)

Save the System.adm file, exit Notepad and exit the command prompt.  In the Group Policy Object Editor, right-click Administrative Templates in the User Configuration section and select Add/Remove Templates… (Figure 5).

Figure 5

Click system and then the Remove button (Figure 6).

Figure 6

Click the Add… button, scroll to find system.adm, click system.adm and then click Open (Figure 7).

Figure 7

Click Close (Figure 8).

Figure 8

Expand Administrative Templates, expand Windows Components, click Windows Explorer and double-click Hide these specified drives in My Computer (Figure 9).

Figure 9

Click the dropdown box; the new drive restriction selection is now available (Figure 10).

Figure 10

Select the new drive restriction and repeat for the Prevent access to drives from My Computer policy setting (Figure 11).

Figure 11

Exit editing the GPO and the new drive restrictions have been added to your GPO.

 

Method 2 – Create a new ADM file:

Why use Method 2?  If changes are not allowed to be made or Change Control processes must be followed to make changes to files installed by the Operating System, then Method 2 is an easy option.  It should take less than five minutes to complete Method 2.

To create a new ADM file, go to a command prompt and type in the following commands:

·         CD %SYSTEMROOT%\INF and press Enter

·         Notepad HideDrives.adm

·         Answer Yes to the Do you want to create a new file? popup

Enter, or copy and paste, the following text into the new HideDrives.adm file:

#if version >= 3
CLASS USER
CATEGORY !!WindowsComponents
  CATEGORY !!WindowsExplorer
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    POLICY !!NoDrives
      EXPLAIN !!NoDrives_Help
      PART !!NoDrivesDropdown     DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoDrives"
          ITEMLIST
            NAME !!ShowAll VALUE NUMERIC 0
            NAME !!HideAll VALUE NUMERIC 67108863 DEFAULT
            NAME !!ABDEGPR_Only   VALUE NUMERIC 163931
          END ITEMLIST
      END PART
    END POLICY
    POLICY !!NoViewOnDrive
      EXPLAIN !!NoViewOnDrive_Help
      PART !!NoViewOnDriveDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoViewOnDrive"
          ITEMLIST
            NAME !!ShowAll VALUE NUMERIC 0
            NAME !!HideAll VALUE NUMERIC 67108863 DEFAULT
            NAME !!ABDEGPR_Only   VALUE NUMERIC 163931
          END ITEMLIST
      END PART
    END POLICY
  END CATEGORY ; WindowsExplorer
END CATEGORY ; WindowsComponents
#endif
[strings]
NoDrives="Show only certain drives in My Computer"
NoDrives_Help="Removes the icons representing all but selected hard drives from My Computer"
NoDrivesDropdown="Pick one of the following combinations"
NoViewOnDrive="Prevent access to drives from My Computer."
NoViewOnDrive_Help="Prevents users from using My Computer to gain access to the content of selected drives."
NoViewOnDriveDropdown="Pick one of the following combinations"
WindowsComponents="Windows Components"
WindowsExplorer="Windows Explorer"
ShowAll="Show all drives"
HideAll="Hide all drives"
ABDEGPR_Only="Restrict A, B, D, E, G, P and R drives only"

Save the HideDrives.adm file, exit Notepad and exit the command prompt.  In the Group Policy Object Editor, create a New Group Policy Object (GPO), name it Hide Server Drives. Edit the Hide Server Drives GPO, right-click Administrative Templates in the User Configuration section and select Add/Remove Templates… (Figure 12).

Figure 12

 In this GPO, the only policies that will be used are:

·         Hide these specified drives in My Computer

·         Prevent access to drives from My Computer

To remove excess policies for this single purpose group policy, remove the other five Policy Templates (Figure 13): 

·         conf

·         inetres

·         system

·         wmplayer

·         wuau

 Figure 13

 Click Add…, click HideDrives.adm and then click Open (Figure 14).

 Figure 14

 Click Close (Figure 15).

 Figure 15

 Expand Administrative Templates, expand Windows Components, click Windows Explorer and double-click Hide these specified drives in My Computer (Figure 16).

 Figure 16

 Click Enabled and from the dropdown box select the new Restrict A, B, D, E, G, P and R drives only option (Figure 17).

 Figure 17

 Repeat for the Prevent access to drives from My Computer policy setting (Figure 18).

 Figure 18

 Exit editing the GPO and the new drive restrictions have been added to your GPO.

 

Method 3 – Use the ICAClient.adm file provided by Citrix:

If you are using Citrix XenApp and are also using the ICA Client version 10.x or higher then Citrix makes available ICAClient.adm.  Using this ADM file allows you to specify any combination of drive letters with no math involved.  Also, this ADM file is fully supported by Citrix if it has not been altered.  Citrix recommends using ICAClient.adm as the preferred way of controlling drives.  This GPO, in conjunction with the client-side XenApp plug-in, controls access to the specified drive letters.

Either download ICAClient.adm.zip and extract the ICAClient.adm file to c:\Windows\inf or copy the file from C:\Program Files\Citrix\ICA Client\Configuration. In the Group Policy Object Editor, create a New Group Policy Object (GPO), name it ICAClient Hide Server Drives. Edit the ICAClient Hide Server Drives GPO, right-click Administrative Templates in the User Configuration section and select Add/Remove Templates… (Figure 19).

 Figure 19

 In this GPO, the only policy that will be used is Client drive mapping.

 To remove excess policies for this single purpose group policy, remove the other five Policy Templates (Figure 20): 

·         conf

·         inetres

·         system

·         wmplayer

·         wuau

 Figure 20

Click Add…, click icaclient.adm and then click Open (Figure 21).

 Figure 21

 Click Close (Figure 22).

 Figure 22

  Expand Administrative Templates, expand Citrix Components, expand Presentation Server Client, click Remoting client devices and double-click Client drive mapping (Figure 23).

 Figure 23

 Click Enabled, make sure Enable client drive mapping is checked and enter ABDEGPR in the box for Do not map drives: and click OK (Figure 24).

 Figure 24

 Exit editing the GPO and the new drive restrictions have been added to your GPO.

In this article you learned three methods of adding drive letter combinations to hide, or to prevent access to, on your Terminal or XenApp Servers.

In future articles you will learn:

·         How to keep this GPO from applying to the administrators in charge of the Servers

·         How to back up and document the GPO used to hide drives

·         How to test the effect of this GPO on administrative and non-administrative users

 
