This is the second part, here is the link to the first part : Citrix XenApp – Hiding system drives part 1/2 If you read the first part, now you know how to apply the Microsoft Windows 2003/2008/R2 GPO to hide A,B,C or/and D drives. But what's happening if you have a E: drive or O: ? You cannot use this GPO anymore, you need to create your own. This is simple to understand how it works, just read what's follow. By default the Hide Drives part in the system.adm file look like this : Then if I explain you this policy displays only specified drives on the client computer. The registry key that this policy affects uses a decimal number that corresponds to a 26-bit binary string, with each bit representing a drive letter: I choose an example where I want to hide A,B,C,D and E drives : Then convert to decimal. This binary string converts to 31 in decimal. Add this line to the [strings] section in the new HideDrives.adm file: After add this entry in the ITEMLIST section above and save the HideDrives.adm file. So the whole ADM file must look like this : I think you're good with this one, just import this ADM file and activate it following the part 1. Links : Microsoft KB (thx to CTXBlog.fr) CLASS USER CATEGORY !!HideDrives KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer POLICY !!HideDrives PART !!HideDrivesDropdown DROPDOWNLIST NOSORT REQUIRED VALUENAME "NoDrives" ITEMLIST NAME !!ABOnly VALUE NUMERIC 3 NAME !!COnly VALUE NUMERIC 4 NAME !!DOnly VALUE NUMERIC 8 NAME !!ABConly VALUE NUMERIC 7 NAME !!ABCDOnly VALUE NUMERIC 15 NAME !!HideABCDE VALUE NUMERIC 31 NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT NAME !!RestNoDrives VALUE NUMERIC 0 END ITEMLIST END PART END POLICY END CATEGORY;HideDrives [strings] Blank=" " ABCDOnly="Restrict A, B, C and D drives only" ABConly="Restrict A, B and C drives only" ABOnly="Restrict A and B drives only" ALLDrives="Restrict all drives" COnly="Restrict C drive only" DOnly="Restrict D drive only" HideABCDE="Restrict A,C,E,D and E drives only" HideDrives="Hide Drives" HideDrivesDropdown="Hide Drives Selection" MoveProfile="Move Profiles" MoveProfileDropdown="Move User Profile Location" MOVEPROFILETOD="Move Profile to D Drive" RestNoDrives="Restore Drives"
Hiding system drives C, D, floppy if there is still one and CDRom seems to be easy but I saw many many time at some customer's place administrator unable to complete this simple operation. The reason is in most of the case, the administrator doesn't really know how to manage GPO and what is difference between user and machine GPOs. First you need to know there is a built-in GPO in Microsoft Windows 2003 / 2008 / R2 with these settings ready to be set. To set it up, you need to create a new GPO or edit an existing one and find these two GPO bellow as follow : Most of the administrators I spoke with told me they've done that already, but it still doesn't work, they rebooted XenApp servers, Domain controller, everything they could reboot... But they forgot the essential... These GPO above are USER GPO and this GPO is place on the XenApp OU in the Active Directory where there is no user at all. The solution is very simple you need to activate the GPO loopback : This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. Then with a gpupdate /enforce this hiding drives GPO is working ! Finally ! In the second part of this blog I will explain how you can go further and hide drives with other letters than A,B,C or D.