Novell Home

Hiding Drives in Windows XP Group Policy

Novell Cool Solutions: Trench

Digg This - Slashdot This

Updated: 19 Jan 2006
 

Shane Y. wrote: I am switching from Windows 2000 to XP and we hide all drives except the floppy, cd, and zip (A:, D:, & E:). In 2000 we used extensible policies and I could add options for which drives to hide in the zakwinnt.adm file. I cannot find any way to do this in the new Windows XP group policies. Where can I add options in XP to hide specific drives?

Answer: OPEN CALL: Anyone got some advice for Shane? Let us know.

Suggestions

Don Johnston

You can do this by modifying the system.adm template file. First setup policies and test them. This process copies the policy templates to the file server in the location you specified. Navigate to this location on the server and locate the adm folder. Open system.adm and locate the sections that hide drives and prevent access to drives.

Original system.adm:
POLICY !!NoDrives 
	    	#if version >= 4
		SUPPORTED !!SUPPORTED_Win2k
		#endif

            EXPLAIN !!NoDrives_Help
	    	PART !!NoDrivesDropdown	DROPDOWNLIST NOSORT REQUIRED
			VALUENAME "NoDrives"
			ITEMLIST
		    	NAME !!ABOnly           VALUE NUMERIC	3
		    	NAME !!COnly            VALUE NUMERIC	4
		    	NAME !!DOnly            VALUE NUMERIC 	8
		    	NAME !!ABConly          VALUE NUMERIC 	7
		    	NAME !!ABCDOnly         VALUE NUMERIC	15
		    	NAME !!ALLDrives        VALUE NUMERIC	67108863 DEFAULT 
                         ; low 26 bits on (1 bit per drive)
		    	NAME !!RestNoDrives     VALUE NUMERIC	0
			END ITEMLIST
	    	END PART			
	END POLICY

        POLICY !!NoViewOnDrive
	    	#if version >= 4
		SUPPORTED !!SUPPORTED_Win2k
		#endif

            EXPLAIN !!NoViewOnDrive_Help
	    	PART !!NoDrivesDropdown	DROPDOWNLIST NOSORT REQUIRED
		VALUENAME "NoViewOnDrive"
			ITEMLIST
		    	NAME !!ABOnly           VALUE NUMERIC	3
		    	NAME !!COnly            VALUE NUMERIC	4
		    	NAME !!DOnly            VALUE NUMERIC 	8
		    	NAME !!ABConly          VALUE NUMERIC 	7
		    	NAME !!ABCDOnly         VALUE NUMERIC	15
		    	NAME !!ALLDrives        VALUE NUMERIC	67108863 DEFAULT 
                         ; low 26 bits on (1 bit per drive)
		    	NAME !!RestNoDrives     VALUE NUMERIC	0
			END ITEMLIST
	    	END PART			
	END POLICY

Add lines or modify as desired. The trick is to convert the decimal number to binary so you can see through a 1 or 0 which drives are shown or hidden. For instance:

Using calc.exe in scientific mode enter 67108863 then click the bin radio button and you get 11111111111111111111111111

Each 1 represents a different drive letter up to 26 drives. Drive A is on the right and drive Z is on the left. A 1 means the drive is hidden and a 0 would mean the drive is displayed.

If you want to display drives A, E and F enter this into the calculator in binary:

11111111111111111111001110 in binary then click the Dec radio button to convert it to decimal and you get 67108814

Add the line below to the template and you will now have the additional option of letting users see only A,E and F.

NAME "See AEF"		VALUE NUMERIC	67108814

The section of the template you modified should look look something like this:

			ITEMLIST
		    	NAME !!ABOnly           VALUE NUMERIC	3
		    	NAME !!COnly            VALUE NUMERIC	4
		    	NAME !!DOnly            VALUE NUMERIC 	8
		    	NAME !!ABConly          VALUE NUMERIC 	7
		    	NAME !!ABCDOnly         VALUE NUMERIC	15
			NAME "See AEF"		VALUE NUMERIC	67108814
		    	NAME !!ALLDrives        VALUE NUMERIC	67108863 DEFAULT 

Now save this modified template and replace system.adm in the adm folder where your policies are stored on the server. Now edit your policies and you should see this new option.

Hope this helps.

Rolf Lidvall

Hiding drives in WinXP is governed from Group Policies:

User Configuration -> Administrative Templates ->
Windows Components -> Windows Explorer ->
"Hide these specified drives in My Computer"

The default settings are pretty useless so you will always have to edit the template-- system.adm-- OR make a new template with only these settings and this is what MS recommends:

"Microsoft does not recommend to change the System.adm file, but instead to create a new .adm file and import this .adm into the GPO. The reason is that if you apply changes to the system.adm file, these changes might get overwritten if Microsoft releases a new version of the system.adm file in a Service Pack."

Here is a *very useful* calculator: http://www.precedence.co.uk/nc/nodrive.php3

Daniel Schwartz

From a run box, type gpedit.msc, this launches the Group Policy editor. Then under User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer -> select "Hide these specified drives in My Computer" Then select the drive combination you wish to hide. This will hide them in Explorer also.

Vicki Wood

To do this, edit the system.adm file. In the section below, I've added the line "AllButEF". Anything you add should appear alphabetically. I'll explain how I determined the "value numeric" later.

POLICY !!NoDrives 
            EXPLAIN !!NoDrives_Help
	    PART !!NoDrivesDropdown	DROPDOWNLIST NOSORT REQUIRED
		VALUENAME "NoDrives"
		ITEMLIST
		    NAME !!ABOnly           VALUE NUMERIC	3
		    NAME !!COnly            VALUE NUMERIC	4
		    NAME !!DOnly            VALUE NUMERIC 	8
		    NAME !!ABConly          VALUE NUMERIC 	7
		    NAME !!ABCDOnly         VALUE NUMERIC	15
		    NAME !!AllButEF         VALUE NUMERIC 	48
		    NAME !!ALLDrives        VALUE NUMERIC	67108863
 DEFAULT 
                         ; low 26 bits on (1 bit per drive)
		    NAME !!RestNoDrives     VALUE NUMERIC	0
		END ITEMLIST
	    END PART			
	END POLICY

Further down in the same file under [strings], again alphabetically, I added this line:
AllButEF="Restrict drives E and F"

Now when I go to edit User Group XP Policies, under Windows Explorer settings the drop-down options for Hide These Specific Drives in My Computer include the option, "Restrict drives E and F".

Use the following (from http://support.microsoft.com/default.aspx?scid=kb;en-us;220955&Product=nts40) to determine what goes into VALUE NUMBERIC in the system.adm file:

11111111111111111111111111
   ZYXWVUTSRQPONMLKJIHGFEDCBA

This configuration corresponds to 67108863 in decimal and hides all drives. For example, if you want to hide drive C, make the third-lowest bit a 1 (this is displayed in binary as 0000000000000000000000100), and then convert the binary string to decimal, which comes out to a decimal value of 4.

Peter Asp

Check here for information on Hiding Drives using Group Policies

Shannon Powers

As seen on: http://www.g4tv.com/screensavers/features/25208/Sarahs_Windows_Tweak_Hide_Your_Drives.html

  1. Open Regedit.


  2. Navigate to this string:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


  3. In the Explorer key folder, create a new DWORD value by right-clicking Explorer, then choosing New DWORD value. Name the value "NoDrives" (without the quotes). This value defines local and network drive visibility for each logical drive on the computer. All drives will be visible as long as this value's data is set to 0.


  4. Following the table below, enter the decimal number corresponding to the drive(s) you want to hide as NoDrives value data. When you right-click on NoDrives and choose Modify, make sure you select Decimal base, not Hexadecimal.

    Drive Number to hide
    A: 1
    B: 2
    C: 4
    D: 8
    E: 16
    F: 32
    G: 64
    H: 128
    I: 256
    J: 512
    K: 1024
    L: 2048
    M: 4096
    N: 8192
    O: 16384
    P: 32768
    Q: 65536
    R: 131072
    S: 262144
    T: 524288
    U: 1048576
    V: 2097152
    W: 4194304
    X: 8388608
    Y: 16777216
    Z: 33554432
    All drives 67108863


  5. If you want to hide more than one drive, you simply add the drive amounts together for a combined total.
    For example, to hide the D:/ and T:/ drives, add the decimal value for the D:/ drive to the decimal value to the T:/ drive.
    8 (D) + 524288 (T) = 524296


  6. To disable all of your visible drives, set the value to 67108863.

You must reboot your PC to see your changes. Have fun hiding, you little sneaks!

Sami Kapanen

You can still use the extensible policies to do this, they work just fine on XP (although not supported officially).

Dwayne Watkins

My only other suggestion, so as to not be redundant to the other solutions, is a free program called X-setup [Editor's note: it's only free for non-commercial use according to their website, but the commercial pricing looks VERY affordable.]. It takes the Windows power toys 10 steps further.

From within this program you can show/hide drives in addition to setting functions for each, in addition to making 1001 other Windows tweaks. Another cool thing about this program is that it will record and save the changes you make in the program to an external file of your naming, which you can view and edit to your leisure.

I use it often when I need to make a change to Windows and do not want to run regedit and/or Snapshot.

John Snider

Under the user Configuration
  Administrative Templates
    Windows Components
      Windows Explorer
	"Hide these spcified drives in My Computer"
		Options:
			Restrict A and B drives only
			Restrict C drive only
			Restrict D drive only
			Restrict A, B, and C drives only
			Restrict A, B, C, and D drives only
			Restrict all drives
			Do not restrict drives

	"Prevent Access to drives from My Computer"
		Options:
			Restrict A and B drives only
			Restrict C drive only
			Restrict D drive only
			Restrict A, B, and C drives only
			Restrict A, B, C, and D drives only
			Restrict all drives
			Do not restrict drives

Cory Turk

Here is how I did it. In my adm file you will see that I am only allowing H,K,L drive to be shown. Edit this to customize your needs and then import this adm file into your group policy under administrative templates.

CLASS USER

CATEGORY !!ZAK

CATEGORY !!ZAK_WindowsNT
		
			
CATEGORY !!UserProfiles

	;
	; The following policies are all listed under the heading
	; "User Profiles through System Policies"
	; They are used to configure the path to many of the folders
	; normally controlled by user profile settings
	;
	; Each policy has only one part which is an "EDITTEXT" box.  
 	; This is the box in System Policy Editor that you enter
	; the given path.
 	;


	KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
	;
	; These policies all configure this key.  They all define their own Valuenames
	; and data in this key.  Each one has a default value that is defined 
	; in the [strings] section
	;

	POLICY !!UserProfiles_AppData

	; each part of a policy corresponds to one configurable setting	
	; these policies only have one part each, the edit box.

		Part !!UserProfiles_AppDataPath	
			
			EDITTEXT 	; Defines an edit box.
			REQUIRED 	; If the policy is checked, this part must have a value.
			EXPANDABLETEXT 	; Text can be environmental variables.
		
		Default !!UserProfiles_AppDataPathDefault   ; Defines the def value for the textbox.
		Valuename "AppData"		; Registry setting that is added to the Registry
		End Part

	End Policy

	POLICY !!UserProfiles_Favorites
		Part !!UserProfiles_FavoritesPath	EDITTEXT REQUIRED EXPANDABLETEXT
		Default !!UserProfiles_FavoritesPathDefault
		Valuename "Favorites"
		End Part
	End Policy

	POLICY !!UserProfiles_NetHood
		Part !!UserProfiles_NetHoodPath		EDITTEXT REQUIRED EXPANDABLETEXT
		Default !!UserProfiles_NetHoodPathDefault
		Valuename "NetHood"
		End Part
	End Policy

	POLICY !!UserProfiles_PrintHood
		Part !!UserProfiles_PrintHoodPath	EDITTEXT REQUIRED EXPANDABLETEXT
		Default !!UserProfiles_PrintHoodPathDefault
		Valuename "PrintHood"
		End Part
	End Policy

	POLICY !!UserProfiles_Recent
		Part !!UserProfiles_RecentPath		EDITTEXT REQUIRED EXPANDABLETEXT
		Default !!UserProfiles_RecentPathDefault
		Valuename "Recent"
		End Part
	End Policy

	POLICY !!UserProfiles_SendTo
		Part !!UserProfiles_SendToPath		EDITTEXT REQUIRED EXPANDABLETEXT
		Default !!UserProfiles_SendToPathDefault
		Valuename "SendTo"
		End Part
	End Policy
END CATEGORY





CATEGORY !!IE_SECURITY


	KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
	
	;
	; The policy below sets values in the above Registry Key
	;

	POLICY !!IE_EnableActiveX

	;
	; The IE Security Policy has four checkboxes to
	; configure the settings in IE defined under Active Content 
 	; in the security tab of the view\options menu.
	; The four checkboxes simply toggle either between 
	; 1 and 0 or 'yes' and 'no'.  
	;

		PART !!IE_DownloadActiveX		CHECKBOX
		VALUENAME "Code Download"
			VALUEON "yes"
			VALUEOFF "no" 
		END PART

		Part !!IE_AllowControls			CHECKBOX 
		VALUENAME "Security_RunActiveXControls"
			VALUEON  NUMERIC 1
			VALUEOFF NUMERIC 0
 		END PART

		PART !!IE_AllowActiveXScripts		CHECKBOX 
		VALUENAME "Security_RunScripts"
			VALUEON  NUMERIC 1
			VALUEOFF NUMERIC 0
		END PART			

		PART !!IE_EnableJava			CHECKBOX 
		VALUENAME "Security_RunJavaApplets"
			VALUEON  NUMERIC 1
			VALUEOFF NUMERIC 0
		END PART
				
	END POLICY




	POLICY !!IE_SecurityLevel

	;
	; This policy configures the safety level settings in IE 
	; in the security tab in the view\options menu
 	; 
	; Because setting this feature configures two different registry keys,
 	; it uses the ACTIONLIST parameter to set both keys with one dropdown list. 
	; 


		PART !!IE_SetSecurityLevel		DROPDOWNLIST
		KEYNAME "Software\Microsoft\Internet Explorer\Security"

		; Each part configures it's own Registry key

		VALUENAME "Safety Warning Level"
		ITEMLIST
			Name !!IE_SecurityHigh		VALUE "FailInform"
			ACTIONLIST
				KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
				VALUENAME "Trust Warning Level"		Value "High"
			END ACTIONLIST

			Name !!IE_SecurityMedium	VALUE "Query"
			ACTIONLIST
				KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
				VALUENAME "Trust Warning Level"		Value "Medium"
			END ACTIONLIST

			Name !!IE_SecurityLow		VALUE "SucceedSilent"
			ACTIONLIST
				KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
				VALUENAME "Trust Warning Level"		Value "No Security"
			END ACTIONLIST

			
		END ITEMLIST
		REQUIRED
		END PART

		PART !!IE_SetSecurityLevelNote1		TEXT	END PART
		PART !!IE_SetSecurityLevelNote2		TEXT	END PART
		
	END POLICY

END CATEGORY




CATEGORY !!Drives
	CATEGORY !!Restrictions
			
		POLICY !!HideDrives

		;
		; This policy is will show only specified drives
		; on the client machine.  The registry key that this policy
		; effects uses a decimal number which corresponds to a 26 bit
		; binary string, with each bit representing a drive letter:
		;
		; 11111111111111111111111111
		; ZYXWVUTSRQPONMLKJIHGFEDCBA
		;
		; The above configuration corresponds to 67108863d and will
		; hide all drives.  If you wanted to hide all drives but C: you would make 
		; the 3rd lowest bit a 0 and then convert the binary string to decimal.
		;
		; Note: it is not necessary to create an option to show all drives (0d),
		; because clearing the check box will delete the "NoDrives" entry
		; entirely, and therefore, all drives will be automatically shown.
		;
		; If you want to configure this policy to show a different combination
		; of drives, simply create the desired binary string, convert to decimal
		; and add a new entry to the ITEMLIST.
		; 

		KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

			PART !!HideDrivesOptions	DROPDOWNLIST
			VALUENAME "NoDrives"		
			ITEMLIST
				Name !!HideDrives_all	VALUE NUMERIC 67108863
				NAME !!HideDrives_C	VALUE NUMERIC 67108859 ; (67108863 - 4)
				NAME !!HideDrives_U	VALUE NUMERIC 66060287 
				NAME !!HideDrives_CU	VALUE NUMERIC 66060283
				NAME !!HideDrives_COU	VALUE NUMERIC 66043899
				NAME !!HideDrives_W	VALUE NUMERIC 62914559  ;added by KMS
				NAME !!HideDrives_WC	VALUE NUMERIC 62914555  ;added by KMS
				NAME !!HideDrives_PW	VALUE NUMERIC 62881791	;added by KMS
				NAME !!HideDrives_MN	VALUE NUMERIC 12288	;added by KMS
                                NAME !!HideDrives_HKL VALUE NUMERIC 67105663 ;added by CRT

			END ITEMLIST
			REQUIRED
			END PART
			PART !!DriveRestrictions_Tip1	TEXT	END PART
			PART !!DriveRestrictions_Tip2	TEXT	END PART
			;
			; This policy conflicts with the shell\restrictions\hide drives
			; policy.  This is mentioned here to alert administrators.
			;
			END POLICY
	END CATEGORY
END CATEGORY

END CATEGORY

CATEGORY !!ZAK_WINDOWS


	POLICY !!WINDOWS_LOAD

		KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Windows"
	
		PART !!WINDOWS_LOADmsg		EDITTEXT REQUIRED 
		VALUENAME "load"
		END PART
	END POLICY
  
END CATEGORY

END CATEGORY



[strings]
ZAK="ZAK Policies"
ZAK_WindowsNT="Windows NT"
UserProfiles="User Profiles through System Policies"
UserProfiles_AppData="AppData Folder"
UserProfiles_AppDataPath="Enter Path to AppData folder"
UserProfiles_AppDataPathDefault="%USERPROFILE%\AppData"
UserProfiles_Favorites="Favorites Folder"
UserProfiles_FavoritesPath="Enter Path to Favorites folder"
UserProfiles_FavoritesPathDefault="%USERPROFILE%\Favorites"
UserProfiles_NetHood="NetHood Folder"
UserProfiles_NetHoodPath="Enter Path to NetHood folder"
UserProfiles_NetHoodPathDefault="%USERPROFILE%\NetHood"
UserProfiles_PrintHood="PrintHood Folder"
UserProfiles_PrintHoodPath="Enter Path to PrintHood folder"
UserProfiles_PrintHoodPathDefault="%USERPROFILE%\PrintHood"
UserProfiles_Recent="Recent Folder"
UserProfiles_RecentPath="Enter Path to Recent folder"
UserProfiles_RecentPathDefault="%USERPROFILE%\Recent"
UserProfiles_SendTo="SendTo Folder"
UserProfiles_SendToPath="Enter Path to SendTo folder"
UserProfiles_SendToPathDefault="%USERPROFILE%\SendTo"
IE_Security="Internet Explorer Security"
IE_EnableActiveX="Active Content"
IE_DownloadActiveX="Allow downloading of ActiveX content"
IE_AllowControls="Enable ActiveX Controls and Plug-ins"
IE_AllowActiveXScripts="Run ActiveX Scripts"
IE_EnableJava="Enable Java Programs"
IE_SecurityLevel="Active Content Security Level"
IE_SetSecurityLevel="Select Security Level"
IE_SecurityHigh="High"
IE_SecurityMedium="Medium"
IE_SecurityLow="No Security"
IE_SetSecurityLevelNote1="Note: if 'No Security' is selected, Active Content will be"
IE_SetSecurityLevelNote2="downoaded without prompting the user."
Drives="Drives"
Restrictions="Restrictions"
HideDrives="Show only selected drives"
HideDrivesOptions="Choose Drives that will be shown:"
HideDrives_all="Don't show any drives"
HideDrives_C="Only C:"
HideDrives_U="Only U:"
HideDrives_W="Only W:"
HideDrives_WC="Show ONLY W: and C:"
HideDrives_CU="Both C: and U:"
HideDrives_COU="Both C: O: and U:"
HideDrives_PW="Show ONLY P: and W:"
HideDrives_MN="Show all BUT M: and N:"
HideDrives_HKL="Show only HKL:"
DriveRestrictions_Tip1="NOTE: This policy conflits with the Shell\Restrictions\Hide Drives"
DriveRestrictions_Tip2="policy defined in common.adm"
ZAK_WINDOWS="Windows"
WINDOWS_LOAD="Load"
WINDOWS_LOADmsg="Enter Program to be run on Startup"

Hope this helps and email me if you have questions.

Paul Kochie

Use a Group Policy:
User Configuration\Administrative Templates\Windows Components\Windows Explorer
Hide these specified drives in My Computer

See full instructions here.

Chris Stoermer

We were attempting something very similar and found that a policy created through Active Directory has all the options from the local group policies and most all of the settings for "Policy Editor". Follow the instructions for creating a policy package on your AD server. Let me know if that doesn't work.

Luke Meijer

Windows XP Group policy

User Configuration --> Administrative templates --> Windows Components --> Windows Explorer --> Hide these specified drives in My Computer

Sara Whipple

Make sure that you have a .adm policy attached to a user policy package that is associated with the users that you want to affect.

Modify the following XP-Only setting:

User Configuration/Administrative Templates/Windows Explorer/Hide these specified drives in My Computer

Michel Demé

Here is an OpenOffice sheet to compute the decimal value by filling a map letter list with unwanted drives.

Darrel Wilcox

"Microsoft didn't make it easy to perform this calculation: luckily Darrel has done that for us!"
--Shaun Pond, ZENworks Product Specialist

Looks like all of the info here was taken from the TID on MS's web site. While all of this is well and good, it can sometimes be a pain to get the decimal number correct if you are hiding lots of drives. Therefore, I thought I would share a simple little program I devised to get that number for you. Hope this helps!

NOTE: The password for the zip file is a lowercase a

Download the file.

Danny Stark

It's not a Group Policy anymore, it a registry entry. See this Microsoft KB article- Hide physical drives in Windows Explorer

Bob Pahls

Look under Group Policies
   Local Computer Configuration
      User Configration
         Administrative Templates
            Windows Components
               Windows Explorer

There are two options:

  1. Hide these Specified drives in My Computer
  2. Prevent access to drives from My Computer

There are explanations on each setting in the GP page.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell