Solved

Masking Drives for Terminal server users

Posted on 2004-08-29
7
1,396 Views
Last Modified: 2012-05-05
I have a Windows server 2003 and using Terminal server option for users. In the GPO I'm masking all local drives because I de not want users to see the c: to h: drives in the explorer. All users loging in a terminal server session have there local worstation drive loged and that works fine.

The probleme is that I'm trying to access a shared folder on the terminal servers h: but since I use the "mask all drives in GPO" it seems that I cannot see the network drive in the explorer of that users terminal session.

Is there a way to fixe that?

Thanks
0
Comment
Question by:yvallee
  • 4
  • 2
7 Comments
 
LVL 9

Expert Comment

by:SamuraiCrow
Comment Utility
In group policy there are two options in regards to user/drive interaction

hide drives
prevent access

The hide drive setting will still allow a users to access the drive but it won't show up in explorer.  The prevent access setting will do just that, prevent access.  Which setting are you using?

You can also create a custom administrative template to hide or prevent access to specific drives (not just the ones specified in the original microsoft policies).  Check out the following link for more info on the process:

http://ccaheaven.com/files/policy/xample.adm

Let me know if you would like more details or clarification
Crow
0
 

Author Comment

by:yvallee
Comment Utility
This could work but how and where do I start to create a custom policy that would allow me to hide from a: to h: ?

Is this in registry?

Thanks
0
 
LVL 9

Expert Comment

by:SamuraiCrow
Comment Utility
I've built out the custom adm file to hide the specific drives you want I will paste the info in a separate post.  Here are the instructions:

Copy the contents of the next post to a text file and rename the file HideDrives.adm
Open group policy or local policy editory (if it only needs to apply to one machine I use gpedit.msc on the local machine)
Under User configuration right click on Administrative Templates and choose Add/Remove Templates
In the Add/Remove Templates window click Add
Copy the HideDrive.adm file to the location shown, select it and click open
Close the Add/Remove Template Window
Expand User>Administrative Templates>MetaFrame Sample Policy>Windows NT>Explorer>Drive Restrictions
Doubleclick on Hide (or show) the selected drives
Enable the policy and from the drop down list select Hide Drives A-H

Good Luck
If you need more info or have problems with this let me know
Crow
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 9

Accepted Solution

by:
SamuraiCrow earned 500 total points
Comment Utility
CLASS USER

CATEGORY !!CCI

CATEGORY !!WindowsNT

CATEGORY !!Drives
      CATEGORY !!Restrictions
                  
            POLICY !!HideDrives

            ;
            ; This policy is will only show or hide the specified drives
            ; in the client session.  The registry key that this policy
            ; effects uses a decimal number which corresponds to a 26 bit
            ; binary string, with each bit representing a drive letter:
            ;
            ; 11111111111111111111111111
            ; ZYXWVUTSRQPONMLKJIHGFEDCBA
            ;
            ; 1=hide and 0=show. The above configuration corresponds to 67108863d and

will
            ; hide all drives.  If you wanted to hide the C: drive you would make
            ; the 3rd lowest bit a 0 and then convert the binary string to decimal.
            ;
            ; Note: Clearing the check box will delete the "NoDrives" entry
            ; entirely, and therefore, all drives will be automatically shown.
            ;
            ; Feel free to add aditional drive configurations or remove others.
            ; If you want to configure this policy to show a different combination
            ; of drives, create the desired binary string, convert to decimal
            ; and add a new entry to the ITEMLISTand define the string.
            ;
            ; Remember that this function affects Explorer and Explrer-style dialogs
            ; but it has NO effect on the command line.
            ;
            ; The naming conventions used below is that a ~ means hide and _ mean shown

only
            ;


            KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                  PART !!HideDrivesOptions      DROPDOWNLIST
                  VALUENAME "NoDrives"            
                  ITEMLIST
                        Name !!HideDrives~all      VALUE NUMERIC 67108863
                        NAME !!HideDrives~A      VALUE NUMERIC 1
                        NAME !!HideDrives~C      VALUE NUMERIC 4
                        NAME !!HideDrives~CD      VALUE NUMERIC 12                  

      
                        NAME !!HideDrives~CDA      VALUE NUMERIC 13
                        NAME !!HideDrives~M      VALUE NUMERIC 4096
                        NAME !!HideDrives~MN      VALUE NUMERIC 12288                  

      
                        NAME !!HideDrives~MNA      VALUE NUMERIC 12289
                        NAME !!HideDrives_C      VALUE NUMERIC 67108859
                        NAME !!HideDrives_U      VALUE NUMERIC 66060287
                        NAME !!HideDrives_UA      VALUE NUMERIC 66060286
                        NAME !!HideDrives_A-H      VALUE Numeric 255
                                                
                  END ITEMLIST
                  REQUIRED
                  END PART
                  PART !!DriveRestrictions_Tip1      TEXT      END PART
                  PART !!DriveRestrictions_Tip2      TEXT      END PART
                  PART !!DriveRestrictions_Tip3      TEXT      END PART
                  ;
                  ; NOTE: This is a sample policy that conflits with the
                  ; Shell\Restrictions\Hide Drives policy defined in common.adm and

the
                  ; in the ZAK. It is provided as a template that defines common drive
                  ; configurations in MetaFrame
                  ;
                  END POLICY
      END CATEGORY
END CATEGORY

END CATEGORY

END CATEGORY



[strings]
CCI="Metaframe Sample Policy"
WindowsNT="Windows NT"
Drives="Explorer"
Restrictions="Drive Restrictions"
HideDrives="Hide (or show) the selected drives"
HideDrivesOptions="Choose from the following configuration:"
HideDrives~all="All Drives are hidden"
HideDrives~A="Do Not show A:"
HideDrives~C="Do Not show C:"      
HideDrives~CD="Do Not show C: and D:"                  
HideDrives~CDA="Do Not show A: C: and D:"      
HideDrives~M="Do Not show M:"      
HideDrives~MN="Do Not show M: and N:"                        
HideDrives~MNA="Do Not show A: M: and N:"      
HideDrives_C="Show Only C:"
HideDrives_U="Show Only U:"
HideDrives_UA="Show Only A: and U:"
HideDrives_A-H="Hide A:-H: drives"
DriveRestrictions_Tip1=" Note: This is a sample policy that conflits with any Hide Drives"
DriveRestrictions_Tip2=" policy defined in common.adm and/or in the ZAK.  It is provided to"
DriveRestrictions_Tip3=" define common drive configurations in MetaFrame."
0
 

Author Comment

by:yvallee
Comment Utility
YES!

Thanks, this works very well.   AND you've shown me step by step, thanks you very very much Crow

A+
0
 
LVL 9

Expert Comment

by:SamuraiCrow
Comment Utility
Glad to assist.  Remember that you can edit the settings of this file to meet the changing needs of your terminal services enviroment.
0
 
LVL 1

Expert Comment

by:Secode
Comment Utility
Hi

I tried this as well, and it worked out fine. Howeever, it also applies when I log on as an administrator. Does anybody know how to make it apply to regular users only?

Eilif
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now