How To Hide Additional Drive Letters On A Server

When creating a Server Management Group Policy on Windows Server 2003, there are two options that can be set to either hide the server’s drives or prevent users from working with them:

  • Hide these specified drives in My Computer
  • Prevent access to drives from My Computer

When these options are enabled, there is a drop down box that allows the selection of various drive combinations.  What if the drives you need hidden are not on the list?  This article will show you three ways to add any combination of drive letters to be hidden or denied access:

  1. Modify System.adm
  2. Create a new ADM file
  3. Use the ICAClient.adm file provided by Citrix

Why bother with either manual process when there is a 3rd Party utility called GPDrivesOptions that automates the creation of the necessary information?  There are places that do not allow 3rd Party utilities to be run on Domain Controllers or Management Stations.  Also, if Change Management is used, it may take longer to go through the approval process to modify System.adm than it takes to create a new ADM file and use it for your Group Policy.

Update February 26, 2015: The GPDrivesOptions article no longer exists on Petri.com.

Microsoft KB article 231289 explains the process for adding custom drive letter combinations.  Using KB231289, suppose you want to hide drives A, B, D, E, G, P and R:

The 26-bit string of drive letters is represented as:

11111111111111111111111111
ZYXWVUTSRQPONMLKJIHGFEDCBA

If you prefer to not work in Binary, the decimal value for each drive letter is:

Drive Letter  Decimal Value  Binary Value
Z             33554432       10000000000000000000000000
Y             16777216       1000000000000000000000000
X             8388608        100000000000000000000000
W             4194304        10000000000000000000000
V             2097152        1000000000000000000000
U             1048576        100000000000000000000
T             524288         10000000000000000000
S             262144         1000000000000000000
R             131072         100000000000000000
Q             65536          10000000000000000
P             32768          1000000000000000
O             16384          100000000000000
N             8192           10000000000000
M             4096           1000000000000
L             2048           100000000000
K             1024           10000000000
J             512            1000000000
I             256            100000000
H             128            10000000
G             64             1000000
F             32             100000
E             16             10000
D             8              1000
C             4              100
B             2              10
A             1              1

Replacing the “1” with a “0” for each drive that is not to be hidden results in:

00000000101000000001011011
ZYXWVUTSRQPONMLKJIHGFEDCBA

Without the leading zeros, the binary string is 101000000001011011, which converts to 163,931 in decimal.

If you prefer to work with decimal, add up the value for each drive letter:

Drive Letter  Decimal Value
A             1
B             2
D             8
E             16
G             64
P             32768
R             131072
Total         163931
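The same arithmetic as a script, added here as an example that is not part of the original article: it encodes a set of drive letters into the bitmask, decodes a mask back into letters, and lists drives that are hidden by NoDrives but not blocked by NoViewOnDrive. The function names are hypothetical, and the second mask in the last line is a constructed value used only to show a mismatch.

```powershell
# Added example (not from the article): NoDrives / NoViewOnDrive bitmask helpers.
# Function names are hypothetical. Bit 0 = A ... bit 25 = Z. Needs PowerShell 3.0+ (-shl).
function ConvertTo-DriveMask {
    param([Parameter(Mandatory)][string]$Letters)
    if ($Letters -notmatch '^[A-Za-z]+$') { throw "Drive letters A-Z only: '$Letters'" }
    $mask = 0
    foreach ($ch in $Letters.ToUpper().ToCharArray()) {
        $mask = $mask -bor (1 -shl ([int]$ch - 65))   # 65 is the code for 'A'
    }
    $mask
}

function ConvertFrom-DriveMask {
    param([Parameter(Mandatory)][int]$Mask)
    if ($Mask -lt 0 -or $Mask -gt 67108863) { throw "Outside the 26-bit range: $Mask" }
    $letters = foreach ($bit in 0..25) {
        if ($Mask -band (1 -shl $bit)) { [char](65 + $bit) }
    }
    -join $letters
}

# Drives whose icon is hidden (NoDrives) while access is not blocked (NoViewOnDrive).
function Get-HiddenButReachable {
    param([int]$NoDrives, [int]$NoViewOnDrive)
    ConvertFrom-DriveMask ($NoDrives -band (-bnot $NoViewOnDrive))
}

# The article's combination: value, 26-bit string, and the ITEMLIST line to paste.
$mask = ConvertTo-DriveMask 'ABDEGPR'
'{0} = {1}' -f [Convert]::ToString($mask, 2).PadLeft(26, '0'), $mask
"NAME !!ABDEGPR_Only VALUE NUMERIC $mask"
'Decoded again: ' + (ConvertFrom-DriveMask $mask)

# Constructed mismatch: access is blocked for A, B, D and E only.
'Hidden but reachable: ' + (Get-HiddenButReachable $mask (ConvertTo-DriveMask 'ABDE'))

# On a live session both values sit under the KEYNAME used in HideDrives.adm (CLASS USER):
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
```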

Method 1 — Modify System.adm:

To change System.adm, go to a command prompt and type in the following commands:

  • CD %SYSTEMROOT%\INF and press Enter
  • COPY SYSTEM.ADM SYSTEM_BACKUP.ADM and press Enter
  • Notepad system.adm

With Notepad open, press Ctrl-F and Find [strings].  Add this line to the [strings] section:

ABDEGPR_Only="Restrict A, B, D, E, G, P and R drives only"

Press Ctrl-Home to return to the top, then press Ctrl-F and Find !!NoDrives.  Add this entry in the ITEMLIST section for !!NoDrives:

NAME !!ABDEGPR_Only                  VALUE NUMERIC                  163931

Scroll down a little until you see the !!NoViewOnDrive policy.  Add this entry in the ITEMLIST section for !!NoViewOnDrive:

NAME !!ABDEGPR_Only                  VALUE NUMERIC                  163931

See Figures 1 and 2 for system.adm before changes and Figures 3 and 4 for system.adm after changes.

Figure 1 (system.adm before changes)

Figure 2 (system.adm before changes)

Figure 3 (system.adm after changes)

Figure 4 (system.adm after changes)

Save the System.adm file, exit Notepad and exit the command prompt.  In the Group Policy Object Editor, right-click Administrative Templates in the User Configuration section and select Add/Remove Templates… (Figure 5).

Figure 5

Click system and then the Remove button (Figure 6).

Figure 6

Click the Add… button, scroll to find system.adm, click system.adm and then click Open (Figure 7).

Figure 7

Click Close (Figure 8).

Figure 8

Expand Administrative Templates, expand Windows Components, click Windows Explorer and double-click Hide these specified drives from My Computer (Figure 9).

Figure 9

Click the dropdown box; the new drive restriction selection is now available (Figure 10).

Figure 10

Select the new drive restriction and repeat for the Prevent access to drives from My Computer policy setting (Figure 11).

Figure 11

Exit editing the GPO and the new drive restrictions have been added to your GPO.

Method 2 — Create a new ADM file:

Why use Method 2?  If changes are not allowed to be made or Change Control processes must be followed to make changes to files installed by the Operating System, then Method 2 is an easy option.  It should take less than five minutes to complete Method 2.

To create a new ADM file, go to a command prompt and type in the following commands:

  • CD %SYSTEMROOT%\INF and press Enter
  • Notepad HideDrives.adm
  • Answer Yes to the Do you want to create a new file? popup

Enter, or copy and paste, the following text into the new HideDrives.adm file:

#if version >= 3
CLASS USER
CATEGORY !!WindowsComponents
	CATEGORY !!WindowsExplorer
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
		POLICY !!NoDrives
			EXPLAIN !!NoDrives_Help
			PART !!NoDrivesDropdown       DROPDOWNLIST NOSORT REQUIRED
			VALUENAME "NoDrives"
				ITEMLIST
					NAME !!ShowAll       VALUE NUMERIC       0
					NAME !!HideAll       VALUE NUMERIC       67108863 DEFAULT
					NAME !!ABDEGPR_Only       VALUE NUMERIC       163931
				END ITEMLIST
			END PART
		END POLICY
		POLICY !!NoViewOnDrive
			EXPLAIN !!NoViewOnDrive_Help
			PART !!NoViewOnDriveDropdown       DROPDOWNLIST NOSORT REQUIRED
			VALUENAME "NoViewOnDrive"
				ITEMLIST
					NAME !!ShowAll       VALUE NUMERIC       0
					NAME !!HideAll       VALUE NUMERIC       67108863 DEFAULT
					NAME !!ABDEGPR_Only       VALUE NUMERIC       163931
				END ITEMLIST
			END PART
		END POLICY
	END CATEGORY ; WindowsExplorer
END CATEGORY ; WindowsComponents
#endif
[strings]
NoDrives="Show only certain drives in My Computer"
NoDrives_Help="Removes the icons representing all but selected hard drives from My Computer"
NoDrivesDropdown="Pick one of the following combinations"
NoViewOnDrive="Prevent access to drives from My Computer."
NoViewOnDrive_Help="Prevents users from using My Computer to gain access to the content of selected drives."
NoViewOnDriveDropdown="Pick one of the following combinations"
WindowsComponents="Windows Components"
WindowsExplorer="Windows Explorer"
ShowAll="Show all drives"
HideAll="Hide all drives"
ABDEGPR_Only="Restrict A, B, D, E, G, P and R drives only"

Save the HideDrives.adm file, exit Notepad and exit the command prompt.  In the Group Policy Object Editor, create a New Group Policy Object (GPO), name it Hide Server Drives. Edit the Hide Server Drives GPO, right-click Administrative Templates in the User Configuration section and select Add/Remove Templates… (Figure 12).

Update 10-Jan-2014.  To keep you from having weird characters placed in your text file by Copy & Paste, I have placed a copy of HideDrives.adm here.
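A pre-flight check for the copy-and-paste problem mentioned above, added here as an example that is not part of the original article: it flags non-ASCII characters (such as curly quotes) and any !!name that has no entry in the [strings] section. The function name Test-AdmFile is hypothetical, and the sample lines are constructed to contain both faults.

```powershell
# Added example (not from the article): sanity-check an ADM template before loading it.
# Test-AdmFile is a hypothetical helper name.
function Test-AdmFile {
    param([string[]]$Lines)
    $defined = @(); $referenced = @(); $inStrings = $false
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        # Curly quotes and other pasted characters fall outside 7-bit ASCII.
        foreach ($m in [regex]::Matches($line, '[^\x00-\x7F]')) {
            'Line {0}: non-ASCII character U+{1:X4}' -f ($i + 1), [int][char]$m.Value
        }
        if ($line.Trim() -eq '[strings]') { $inStrings = $true; continue }
        if ($inStrings) {
            # Below [strings]: collect the names that are defined.
            if ($line -match '^\s*([A-Za-z0-9_]+)\s*=') { $defined += $Matches[1] }
        } else {
            # Above [strings]: collect every !!name the policy body refers to.
            foreach ($m in [regex]::Matches($line, '!!([A-Za-z0-9_]+)')) {
                $referenced += $m.Groups[1].Value
            }
        }
    }
    foreach ($name in ($referenced | Select-Object -Unique)) {
        if ($defined -notcontains $name) { "No [strings] entry for !!$name" }
    }
}

# Constructed sample: WindowsComponents has no string, and one value uses curly quotes.
$q = [char]0x201D
$sample = @(
    'CLASS USER'
    'CATEGORY !!WindowsComponents'
    '  POLICY !!NoDrives'
    '  END POLICY'
    'END CATEGORY'
    '[strings]'
    'NoDrives="Show only certain drives in My Computer"'
    ('ABDEGPR_Only=' + $q + 'Restrict A, B, D, E, G, P and R drives only' + $q)
)
Test-AdmFile -Lines $sample

# Against the file created in this method:
# Test-AdmFile -Lines (Get-Content "$env:SystemRoot\inf\HideDrives.adm")
```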

Figure 12

In this GPO, the only policies that will be used are:

  • Hide these specified drives in My Computer
  • Prevent access to drives from My Computer

To remove excess policies for this single purpose group policy, remove the other five Policy Templates (Figure 13):

  • conf
  • inetres
  • system
  • wmplayer
  • wuau

Figure 13

Click Add…, click HideDrives.adm and then click Open (Figure 14).

Figure 14

Click Close (Figure 15).

Figure 15

Expand Administrative Templates, expand Windows Components, click Windows Explorer and double-click Hide these specified drives from My Computer (Figure 16).

Figure 16

Click Enabled and from the dropdown box select the new Restrict A, B, D, E, G, P and R drives only option (Figure 17).

Figure 17

Repeat for the Prevent access to drives from My Computer policy setting (Figure 18).

Figure 18

Exit editing the GPO and the new drive restrictions have been added to your GPO.

Method 3 — Use the ICAClient.adm file provided by Citrix:

If you are using Citrix XenApp and are also using the ICA Client version 10.x or higher then Citrix makes available ICAClient.adm.  Using this ADM file allows you to specify any combination of drive letters with no math involved.  Also, this ADM file is fully supported by Citrix if it has not been altered.  Citrix recommends using ICAClient.adm as the preferred way of controlling drives.  This GPO, in conjunction with the client-side XenApp plug-in, controls access to the specified drive letters.

Either download ICAClient.adm.zip and extract the ICAClient.adm file to c:\Windows\inf or copy the file from C:\Program Files\Citrix\ICA Client\Configuration.  In the Group Policy Object Editor, create a New Group Policy Object (GPO), name it ICAClient Hide Server Drives. Edit the ICAClient Hide Server Drives GPO, right-click Administrative Templates in the User Configuration section and select Add/Remove Templates… (Figure 19).

Figure 19

In this GPO, the only policy that will be used is Client drive mapping.

To remove excess policies for this single purpose group policy, remove the other five Policy Templates (Figure 20):

  • conf
  • inetres
  • system
  • wmplayer
  • wuau

Figure 20

Click Add…, click icaclient.adm and then click Open (Figure 21).

Figure 21

Click Close (Figure 22).

Figure 22

Expand Administrative Templates, expand Citrix Components, expand Presentation Server Client, click Remoting client devices and double-click Client drive mapping (Figure 23).

Figure 23

Click Enabled, make sure Enable client drive mapping is checked and enter ABDEGPR in the box for Do not map drives: and click OK (Figure 24).

Figure 24

Exit editing the GPO and the new drive restrictions have been added to your GPO.

In this article you learned three methods of adding drive letter combinations to hide, or prevent access to, on your Terminal or XenApp Servers.

In future articles you will learn:

  • How to keep this GPO from applying to the administrators in charge of the Servers
  • How to backup and document this management GPO
  • How to test the effect of this GPO on administrative and non-administrative users
About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

4 Responses to “How To Hide Additional Drive Letters On A Server”

  1. ACuba Says:

    Nice and thx

  2. Hadi Says:

    Hi Carl,
    I am getting error (please find below),

    ——— Error————-

    on HideDrives.adm on line 3:

    Error 62 the corresponding string was not found in the [string] section

    found: !!windowscomponents

    The file can’t be loaded

    ——–End of error message——

    Checked the internet is pointing to extra space in string but not able to find the extra space ( I did copy the adm from your site)

    Regards,
    Hadi

    • Carl Webster Says:

      That must have been caused by a Copy & Paste issue with weird characters somehow winding up in your file. I have placed a copy of HideDrives.adm here.

      Thanks

      Webster
