Hiding Server Drives for Citrix Users

Hi guys,
For security, we'd like to hide server drives for Citrix users. Now I know you can use Tweak UI to do this, but this only affects the logged-on user. You can't use this tool to affect ALL users that log on to the Citrix box. In Group Policy, you can hide drives up to the F drive I think, or something like that, but what if your local server drive is drive M?
So my question is, how can you hide drives for ALL users? I have tried putting a reg file that runs in usrlogon.cmd, but it doesn't seem to like it, even if you grant permissions to users to edit the registry.
Any ideas greatly appreciated.

Simon
Simon336697Asked:

oBdACommented:
I've covered the part about how to hide specific (self-defined) drives using a group policy already in your other question, including a sample .adm file:
Importing a registry key when the user logs on.
http://oldlook.experts-exchange.com:8080/Operating_Systems/Windows_Server_2003/Q_21478793.html

If this question is more about how to hide specific drives when a user logs on to a Citrix session *only* (and not when he's logging on to his desktop), you need to use the loopback feature.
1. Create a new OU for your terminal servers, and move your terminal server(s) into it. Create a new GPO in your Terminal Server OU, named, for example, "Loopback"; check "Disable User Configuration Settings" in its properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - System - Group Policy - User Group Policy loopback processing mode. Set the mode to Replace (or Merge, whatever suits you better). You can leave the default security settings.
2. Now you can create additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure any settings other than the loopback feature! These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Group Policy" and "Read" rights for the default "Authenticated Users" and add them for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

oBdACommented:
And just for the fun of it, here's a little batch file (requires W2k or later) that will calculate the value to be used when creating customized drive letter combinations.

====8<----[HideDrives.cmd]----
@echo off
setlocal
if "%~1"=="" goto Syntax
:: *** Each drive letter maps to one bit of the NoDrives DWORD
:: *** (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer):
:: *** A = bit 0 (1), B = bit 1 (2), C = bit 2 (4), ... Z = bit 25 (33554432).
set i=1
:: *** Create a table with the values of the drive letters:
for %%a in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do (
  set /a Power[%%a] = i
  set /a i *= 2
)
set HideDrives=0
:: *** Calculate the value for the drive letters to be hidden.
:: *** Variable names are case-insensitive, so "M" finds Power[m].
:: *** An argument that is not a drive letter has no table entry and adds 0.
:: *** If a letter has been found, set the table entry to zero to avoid
:: *** calculation errors if a drive letter is specified twice.
for %%a in (%*) do (
  set /a HideDrives += Power[%%a]
  set /a Power[%%a] = 0
)
:: *** If no valid drive letter found, explain the syntax:
if "%HideDrives%"=="0" goto Syntax
echo HideDrives value: %HideDrives%
goto leave

:Syntax
echo.
echo HideDrives.cmd
echo.
echo Calculates the value to be used in the "Hide drives" group policy
echo when hiding customized drives.
echo Syntax:
echo HideDrives ^<Drive letter list^>
echo ^<Drive letter list^>: A space separated list of drive letters to be hidden.
echo Drive letters are case indifferent and can be listed in any order.
echo Example: HideDrives a M c
echo HideDrives value: 4101

:leave
====8<----[HideDrives.cmd]----
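The same setup scripted in PowerShell, as an added example that is not part of oBdA's answers or of the thread: it follows the three loopback steps of the first answer (a "Loopback" GPO with user settings disabled, a user GPO in the TS OU, GPol<name> security filtering) and computes the NoDrives mask the same way HideDrives.cmd does. The OU paths, the GPO names "Loopback" and "TS Hide Drives", the filtering group "GPolTS Hide Drives" and its member group "ctx-users" are assumptions; the script needs the GroupPolicy and ActiveDirectory modules (RSAT) and an account allowed to create GPOs and groups. One addition to the thread's advice: since MS16-072 (June 2016) user policy is retrieved in the computer's security context, so the computer account must keep Read access to a user GPO; the script grants that to Domain Computers rather than restoring Authenticated Users.

```powershell
#Requires -Version 3.0
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example, not code from the original thread. Assumed names: the OUs below,
# the GPOs "Loopback" and "TS Hide Drives", the group "GPolTS Hide Drives" and
# the existing group "ctx-users" holding the Citrix users.

function Get-NoDrivesMask {
    # Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:, as in HideDrives.cmd.
    # Letters may repeat and be in any case; anything else is rejected
    # instead of silently contributing 0.
    param([Parameter(Mandatory)][string[]]$DriveLetter)
    $mask = 0
    foreach ($letter in $DriveLetter) {
        if ($letter -notmatch '^[A-Za-z]$') { throw "Not a drive letter: '$letter'" }
        $bit  = [int][char]($letter.ToUpper()) - [int][char]'A'
        $mask = $mask -bor (1 -shl $bit)     # OR, so duplicates cannot double-count
    }
    return $mask
}

$tsOu    = 'OU=Terminal Servers,DC=example,DC=com'   # assumption
$groupOu = 'OU=Groups,DC=example,DC=com'             # assumption

# --- Step 1: loopback GPO on the TS OU; user side disabled, mode Replace (2; Merge is 1) ---
$loop = New-GPO -Name 'Loopback' -Comment 'Sets user loopback processing mode only'
$loop.GpoStatus = 'UserSettingsDisabled'
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loop.DisplayName -Target $tsOu -LinkEnabled Yes | Out-Null

# --- Step 2: user GPO in the same OU carrying the custom NoDrives mask ---
$mask = Get-NoDrivesMask -DriveLetter 'a', 'M', 'c'   # 4101, the thread's own example
$hide = New-GPO -Name 'TS Hide Drives' -Comment "NoDrives = $mask (hides A:, C:, M:)"
$hide.GpoStatus = 'ComputerSettingsDisabled'
Set-GPRegistryValue -Name $hide.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value $mask | Out-Null
New-GPLink -Name $hide.DisplayName -Target $tsOu -LinkEnabled Yes | Out-Null

# --- Step 3: security filtering: GPol<name> applies the GPO, Authenticated Users does not ---
$grp = New-ADGroup -Name 'GPolTS Hide Drives' -GroupScope Global -GroupCategory Security `
    -Path $groupOu -PassThru
Add-ADGroupMember -Identity $grp -Members 'ctx-users'   # assumed group of Citrix users
Set-GPPermission -Name $hide.DisplayName -TargetName $grp.Name -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $hide.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None | Out-Null
# Post-MS16-072 requirement: the terminal server's computer account reads user GPOs,
# so it needs Read even though Authenticated Users has been removed.
Set-GPPermission -Name $hide.DisplayName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Show what was written, for the change record.
Get-GPRegistryValue -Name $hide.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ValueName 'NoDrives'
```

After `gpupdate /force` on the terminal server, `gpresult /r` inside a Citrix session should list "TS Hide Drives" under the user's applied GPOs and not under a desktop logon. Keep in mind what NoDrives does and does not do: it hides the letters in Explorer and the common file dialogs, but a user who types `M:\` into the Run box or a script still reaches the volume. Real protection comes from NTFS permissions on the server drives, with NoViewOnDrive ("Prevent access to drives from My Computer") if you also want the shell to refuse.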
Simon336697Author Commented:
Hi oBdA

My god... this amount of work - you are a genius!
Thank you SO VERY MUCH for providing such incredible expertise here.

I really appreciate your responses, mate. The skill here is of such a high level.

Thanks again.

Simon
Windows Server 2003
