Masking Drives for Terminal server users

Posted on 2004-08-29
Last Modified: 2012-05-05
I have a Windows server 2003 and using Terminal server option for users. In the GPO I'm masking all local drives because I de not want users to see the c: to h: drives in the explorer. All users loging in a terminal server session have there local worstation drive loged and that works fine.

The probleme is that I'm trying to access a shared folder on the terminal servers h: but since I use the "mask all drives in GPO" it seems that I cannot see the network drive in the explorer of that users terminal session.

Is there a way to fixe that?

Question by:yvallee
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2

Expert Comment

ID: 11927731
In group policy there are two options in regards to user/drive interaction

hide drives
prevent access

The hide drive setting will still allow a users to access the drive but it won't show up in explorer.  The prevent access setting will do just that, prevent access.  Which setting are you using?

You can also create a custom administrative template to hide or prevent access to specific drives (not just the ones specified in the original microsoft policies).  Check out the following link for more info on the process:

Let me know if you would like more details or clarification

Author Comment

ID: 11928086
This could work but how and where do I start to create a custom policy that would allow me to hide from a: to h: ?

Is this in registry?


Expert Comment

ID: 11932713
I've built out the custom adm file to hide the specific drives you want I will paste the info in a separate post.  Here are the instructions:

Copy the contents of the next post to a text file and rename the file HideDrives.adm
Open group policy or local policy editory (if it only needs to apply to one machine I use gpedit.msc on the local machine)
Under User configuration right click on Administrative Templates and choose Add/Remove Templates
In the Add/Remove Templates window click Add
Copy the HideDrive.adm file to the location shown, select it and click open
Close the Add/Remove Template Window
Expand User>Administrative Templates>MetaFrame Sample Policy>Windows NT>Explorer>Drive Restrictions
Doubleclick on Hide (or show) the selected drives
Enable the policy and from the drop down list select Hide Drives A-H

Good Luck
If you need more info or have problems with this let me know
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.


Accepted Solution

SamuraiCrow earned 500 total points
ID: 11932728



      CATEGORY !!Restrictions
            POLICY !!HideDrives

            ; This policy is will only show or hide the specified drives
            ; in the client session.  The registry key that this policy
            ; effects uses a decimal number which corresponds to a 26 bit
            ; binary string, with each bit representing a drive letter:
            ; 11111111111111111111111111
            ; 1=hide and 0=show. The above configuration corresponds to 67108863d and

            ; hide all drives.  If you wanted to hide the C: drive you would make
            ; the 3rd lowest bit a 0 and then convert the binary string to decimal.
            ; Note: Clearing the check box will delete the "NoDrives" entry
            ; entirely, and therefore, all drives will be automatically shown.
            ; Feel free to add aditional drive configurations or remove others.
            ; If you want to configure this policy to show a different combination
            ; of drives, create the desired binary string, convert to decimal
            ; and add a new entry to the ITEMLISTand define the string.
            ; Remember that this function affects Explorer and Explrer-style dialogs
            ; but it has NO effect on the command line.
            ; The naming conventions used below is that a ~ means hide and _ mean shown


            KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                  PART !!HideDrivesOptions      DROPDOWNLIST
                  VALUENAME "NoDrives"            
                        Name !!HideDrives~all      VALUE NUMERIC 67108863
                        NAME !!HideDrives~A      VALUE NUMERIC 1
                        NAME !!HideDrives~C      VALUE NUMERIC 4
                        NAME !!HideDrives~CD      VALUE NUMERIC 12                  

                        NAME !!HideDrives~CDA      VALUE NUMERIC 13
                        NAME !!HideDrives~M      VALUE NUMERIC 4096
                        NAME !!HideDrives~MN      VALUE NUMERIC 12288                  

                        NAME !!HideDrives~MNA      VALUE NUMERIC 12289
                        NAME !!HideDrives_C      VALUE NUMERIC 67108859
                        NAME !!HideDrives_U      VALUE NUMERIC 66060287
                        NAME !!HideDrives_UA      VALUE NUMERIC 66060286
                        NAME !!HideDrives_A-H      VALUE Numeric 255
                  END ITEMLIST
                  END PART
                  PART !!DriveRestrictions_Tip1      TEXT      END PART
                  PART !!DriveRestrictions_Tip2      TEXT      END PART
                  PART !!DriveRestrictions_Tip3      TEXT      END PART
                  ; NOTE: This is a sample policy that conflits with the
                  ; Shell\Restrictions\Hide Drives policy defined in common.adm and

                  ; in the ZAK. It is provided as a template that defines common drive
                  ; configurations in MetaFrame
                  END POLICY



CCI="Metaframe Sample Policy"
WindowsNT="Windows NT"
Restrictions="Drive Restrictions"
HideDrives="Hide (or show) the selected drives"
HideDrivesOptions="Choose from the following configuration:"
HideDrives~all="All Drives are hidden"
HideDrives~A="Do Not show A:"
HideDrives~C="Do Not show C:"      
HideDrives~CD="Do Not show C: and D:"                  
HideDrives~CDA="Do Not show A: C: and D:"      
HideDrives~M="Do Not show M:"      
HideDrives~MN="Do Not show M: and N:"                        
HideDrives~MNA="Do Not show A: M: and N:"      
HideDrives_C="Show Only C:"
HideDrives_U="Show Only U:"
HideDrives_UA="Show Only A: and U:"
HideDrives_A-H="Hide A:-H: drives"
DriveRestrictions_Tip1=" Note: This is a sample policy that conflits with any Hide Drives"
DriveRestrictions_Tip2=" policy defined in common.adm and/or in the ZAK.  It is provided to"
DriveRestrictions_Tip3=" define common drive configurations in MetaFrame."

Author Comment

ID: 11934429

Thanks, this works very well.   AND you've shown me step by step, thanks you very very much Crow


Expert Comment

ID: 11934462
Glad to assist.  Remember that you can edit the settings of this file to meet the changing needs of your terminal services enviroment.

Expert Comment

ID: 13333193

I tried this as well, and it worked out fine. Howeever, it also applies when I log on as an administrator. Does anybody know how to make it apply to regular users only?


Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question