Hiding Drives in Windows XP Group Policy
Novell Cool Solutions: Trench
|
Digg This -
Slashdot This
Updated: 19 Jan 2006 |
Shane Y. wrote: I am switching from Windows 2000 to XP and we hide all drives except the floppy, cd, and zip (A:, D:, & E:). In 2000 we used extensible policies and I could add options for which drives to hide in the zakwinnt.adm file. I cannot find any way to do this in the new Windows XP group policies. Where can I add options in XP to hide specific drives?
Answer: OPEN CALL: Anyone got some advice for Shane? Let us know.
Suggestions
- Don Johnston
- Rolf Lidvall
- Daniel Schwartz
- Vicki Wood
- Peter Asp
- Shannon Powers
- Sami Kapanen
- Dwayne Watkins
- John Snider
- Cory Turk
- Paul Kochie
- Chris Stoermer
- Luke Meijer
- Sara Whipple
- Michel Demé
- Darrel Wilcox
- Danny Stark
- Bob Pahls NEW
Don Johnston
You can do this by modifying the system.adm template file. First setup policies and test them. This process copies the policy templates to the file server in the location you specified. Navigate to this location on the server and locate the adm folder. Open system.adm and locate the sections that hide drives and prevent access to drives.
Original system.adm:
POLICY !!NoDrives
#if version >= 4
SUPPORTED !!SUPPORTED_Win2k
#endif
EXPLAIN !!NoDrives_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoDrives"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY
POLICY !!NoViewOnDrive
#if version >= 4
SUPPORTED !!SUPPORTED_Win2k
#endif
EXPLAIN !!NoViewOnDrive_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoViewOnDrive"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY
Add lines or modify as desired. The trick is to convert the decimal number to binary so you can see through a 1 or 0 which drives are shown or hidden. For instance:
Using calc.exe in scientific mode enter 67108863 then click the bin radio button and you get 11111111111111111111111111
Each 1 represents a different drive letter up to 26 drives. Drive A is on the right and drive Z is on the left. A 1 means the drive is hidden and a 0 would mean the drive is displayed.
If you want to display drives A, E and F enter this into the calculator in binary:
11111111111111111111001110 in binary then click the Dec radio button to convert it to decimal and you get 67108814
Add the line below to the template and you will now have the additional option of letting users see only A,E and F.
NAME "See AEF" VALUE NUMERIC 67108814
The section of the template you modified should look look something like this:
ITEMLIST NAME !!ABOnly VALUE NUMERIC 3 NAME !!COnly VALUE NUMERIC 4 NAME !!DOnly VALUE NUMERIC 8 NAME !!ABConly VALUE NUMERIC 7 NAME !!ABCDOnly VALUE NUMERIC 15 NAME "See AEF" VALUE NUMERIC 67108814 NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
Now save this modified template and replace system.adm in the adm folder where your policies are stored on the server. Now edit your policies and you should see this new option.
Hope this helps.
Rolf Lidvall
Hiding drives in WinXP is governed from Group Policies:
User Configuration -> Administrative Templates ->
Windows Components -> Windows Explorer ->
"Hide these specified drives in My Computer"
The default settings are pretty useless so you will always have to edit the template-- system.adm-- OR make a new template with only these settings and this is what MS recommends:
"Microsoft does not recommend to change the System.adm file, but instead to create a new .adm file and import this .adm into the GPO. The reason is that if you apply changes to the system.adm file, these changes might get overwritten if Microsoft releases a new version of the system.adm file in a Service Pack."
Here is a *very useful* calculator: http://www.precedence.co.uk/nc/nodrive.php3
Daniel Schwartz
From a run box, type gpedit.msc, this launches the Group Policy editor. Then under User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer -> select "Hide these specified drives in My Computer" Then select the drive combination you wish to hide. This will hide them in Explorer also.
Vicki Wood
To do this, edit the system.adm file. In the section below, I've added the line "AllButEF". Anything you add should appear alphabetically. I'll explain how I determined the "value numeric" later.
POLICY !!NoDrives
EXPLAIN !!NoDrives_Help
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
VALUENAME "NoDrives"
ITEMLIST
NAME !!ABOnly VALUE NUMERIC 3
NAME !!COnly VALUE NUMERIC 4
NAME !!DOnly VALUE NUMERIC 8
NAME !!ABConly VALUE NUMERIC 7
NAME !!ABCDOnly VALUE NUMERIC 15
NAME !!AllButEF VALUE NUMERIC 48
NAME !!ALLDrives VALUE NUMERIC 67108863
DEFAULT
; low 26 bits on (1 bit per drive)
NAME !!RestNoDrives VALUE NUMERIC 0
END ITEMLIST
END PART
END POLICY
Further down in the same file under [strings], again alphabetically, I
added this line:
AllButEF="Restrict drives E and F"
Now when I go to edit User Group XP Policies, under Windows Explorer settings the drop-down options for Hide These Specific Drives in My Computer include the option, "Restrict drives E and F".
Use the following (from http://support.microsoft.com/default.aspx?scid=kb;en-us;220955&Product=nts40) to determine what goes into VALUE NUMBERIC in the system.adm file:
11111111111111111111111111 ZYXWVUTSRQPONMLKJIHGFEDCBA
This configuration corresponds to 67108863 in decimal and hides all drives. For example, if you want to hide drive C, make the third-lowest bit a 1 (this is displayed in binary as 0000000000000000000000100), and then convert the binary string to decimal, which comes out to a decimal value of 4.
Peter Asp
Check here for information on Hiding Drives using Group Policies
Shannon Powers
As seen on: http://www.g4tv.com/screensavers/features/25208/Sarahs_Windows_Tweak_Hide_Your_Drives.html
- Open Regedit.
- Navigate to this string:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - In the Explorer key folder, create a new DWORD value by right-clicking Explorer, then choosing New DWORD value. Name the value "NoDrives" (without the quotes). This value defines local and network drive visibility for each logical drive on the computer. All drives will be visible as long as this value's data is set to 0.
- Following the table below, enter the decimal number corresponding to the
drive(s) you want to hide as NoDrives value data. When you right-click on
NoDrives and choose Modify, make sure you select Decimal base, not
Hexadecimal.
Drive Number to hide
A: 1
B: 2
C: 4
D: 8
E: 16
F: 32
G: 64
H: 128
I: 256
J: 512
K: 1024
L: 2048
M: 4096
N: 8192
O: 16384
P: 32768
Q: 65536
R: 131072
S: 262144
T: 524288
U: 1048576
V: 2097152
W: 4194304
X: 8388608
Y: 16777216
Z: 33554432
All drives 67108863 - If you want to hide more than one drive, you simply add the drive amounts
together for a combined total.
For example, to hide the D:/ and T:/ drives, add the decimal value for the D:/ drive to the decimal value to the T:/ drive.
8 (D) + 524288 (T) = 524296 - To disable all of your visible drives, set the value to 67108863.
You must reboot your PC to see your changes. Have fun hiding, you little sneaks!
Sami Kapanen
You can still use the extensible policies to do this, they work just fine on XP (although not supported officially).
Dwayne Watkins
My only other suggestion, so as to not be redundant to the other solutions, is a free program called X-setup [Editor's note: it's only free for non-commercial use according to their website, but the commercial pricing looks VERY affordable.]. It takes the Windows power toys 10 steps further.
From within this program you can show/hide drives in addition to setting functions for each, in addition to making 1001 other Windows tweaks. Another cool thing about this program is that it will record and save the changes you make in the program to an external file of your naming, which you can view and edit to your leisure.
I use it often when I need to make a change to Windows and do not want to run regedit and/or Snapshot.
John Snider
Under the user Configuration
Administrative Templates
Windows Components
Windows Explorer
"Hide these spcified drives in My Computer"
Options:
Restrict A and B drives only
Restrict C drive only
Restrict D drive only
Restrict A, B, and C drives only
Restrict A, B, C, and D drives only
Restrict all drives
Do not restrict drives
"Prevent Access to drives from My Computer"
Options:
Restrict A and B drives only
Restrict C drive only
Restrict D drive only
Restrict A, B, and C drives only
Restrict A, B, C, and D drives only
Restrict all drives
Do not restrict drives
Cory Turk
Here is how I did it. In my adm file you will see that I am only allowing H,K,L drive to be shown. Edit this to customize your needs and then import this adm file into your group policy under administrative templates.
CLASS USER
CATEGORY !!ZAK
CATEGORY !!ZAK_WindowsNT
CATEGORY !!UserProfiles
;
; The following policies are all listed under the heading
; "User Profiles through System Policies"
; They are used to configure the path to many of the folders
; normally controlled by user profile settings
;
; Each policy has only one part which is an "EDITTEXT" box.
; This is the box in System Policy Editor that you enter
; the given path.
;
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
;
; These policies all configure this key. They all define their own Valuenames
; and data in this key. Each one has a default value that is defined
; in the [strings] section
;
POLICY !!UserProfiles_AppData
; each part of a policy corresponds to one configurable setting
; these policies only have one part each, the edit box.
Part !!UserProfiles_AppDataPath
EDITTEXT ; Defines an edit box.
REQUIRED ; If the policy is checked, this part must have a value.
EXPANDABLETEXT ; Text can be environmental variables.
Default !!UserProfiles_AppDataPathDefault ; Defines the def value for the textbox.
Valuename "AppData" ; Registry setting that is added to the Registry
End Part
End Policy
POLICY !!UserProfiles_Favorites
Part !!UserProfiles_FavoritesPath EDITTEXT REQUIRED EXPANDABLETEXT
Default !!UserProfiles_FavoritesPathDefault
Valuename "Favorites"
End Part
End Policy
POLICY !!UserProfiles_NetHood
Part !!UserProfiles_NetHoodPath EDITTEXT REQUIRED EXPANDABLETEXT
Default !!UserProfiles_NetHoodPathDefault
Valuename "NetHood"
End Part
End Policy
POLICY !!UserProfiles_PrintHood
Part !!UserProfiles_PrintHoodPath EDITTEXT REQUIRED EXPANDABLETEXT
Default !!UserProfiles_PrintHoodPathDefault
Valuename "PrintHood"
End Part
End Policy
POLICY !!UserProfiles_Recent
Part !!UserProfiles_RecentPath EDITTEXT REQUIRED EXPANDABLETEXT
Default !!UserProfiles_RecentPathDefault
Valuename "Recent"
End Part
End Policy
POLICY !!UserProfiles_SendTo
Part !!UserProfiles_SendToPath EDITTEXT REQUIRED EXPANDABLETEXT
Default !!UserProfiles_SendToPathDefault
Valuename "SendTo"
End Part
End Policy
END CATEGORY
CATEGORY !!IE_SECURITY
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
;
; The policy below sets values in the above Registry Key
;
POLICY !!IE_EnableActiveX
;
; The IE Security Policy has four checkboxes to
; configure the settings in IE defined under Active Content
; in the security tab of the view\options menu.
; The four checkboxes simply toggle either between
; 1 and 0 or 'yes' and 'no'.
;
PART !!IE_DownloadActiveX CHECKBOX
VALUENAME "Code Download"
VALUEON "yes"
VALUEOFF "no"
END PART
Part !!IE_AllowControls CHECKBOX
VALUENAME "Security_RunActiveXControls"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART !!IE_AllowActiveXScripts CHECKBOX
VALUENAME "Security_RunScripts"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART !!IE_EnableJava CHECKBOX
VALUENAME "Security_RunJavaApplets"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
POLICY !!IE_SecurityLevel
;
; This policy configures the safety level settings in IE
; in the security tab in the view\options menu
;
; Because setting this feature configures two different registry keys,
; it uses the ACTIONLIST parameter to set both keys with one dropdown list.
;
PART !!IE_SetSecurityLevel DROPDOWNLIST
KEYNAME "Software\Microsoft\Internet Explorer\Security"
; Each part configures it's own Registry key
VALUENAME "Safety Warning Level"
ITEMLIST
Name !!IE_SecurityHigh VALUE "FailInform"
ACTIONLIST
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUENAME "Trust Warning Level" Value "High"
END ACTIONLIST
Name !!IE_SecurityMedium VALUE "Query"
ACTIONLIST
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUENAME "Trust Warning Level" Value "Medium"
END ACTIONLIST
Name !!IE_SecurityLow VALUE "SucceedSilent"
ACTIONLIST
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUENAME "Trust Warning Level" Value "No Security"
END ACTIONLIST
END ITEMLIST
REQUIRED
END PART
PART !!IE_SetSecurityLevelNote1 TEXT END PART
PART !!IE_SetSecurityLevelNote2 TEXT END PART
END POLICY
END CATEGORY
CATEGORY !!Drives
CATEGORY !!Restrictions
POLICY !!HideDrives
;
; This policy is will show only specified drives
; on the client machine. The registry key that this policy
; effects uses a decimal number which corresponds to a 26 bit
; binary string, with each bit representing a drive letter:
;
; 11111111111111111111111111
; ZYXWVUTSRQPONMLKJIHGFEDCBA
;
; The above configuration corresponds to 67108863d and will
; hide all drives. If you wanted to hide all drives but C: you would make
; the 3rd lowest bit a 0 and then convert the binary string to decimal.
;
; Note: it is not necessary to create an option to show all drives (0d),
; because clearing the check box will delete the "NoDrives" entry
; entirely, and therefore, all drives will be automatically shown.
;
; If you want to configure this policy to show a different combination
; of drives, simply create the desired binary string, convert to decimal
; and add a new entry to the ITEMLIST.
;
KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
PART !!HideDrivesOptions DROPDOWNLIST
VALUENAME "NoDrives"
ITEMLIST
Name !!HideDrives_all VALUE NUMERIC 67108863
NAME !!HideDrives_C VALUE NUMERIC 67108859 ; (67108863 - 4)
NAME !!HideDrives_U VALUE NUMERIC 66060287
NAME !!HideDrives_CU VALUE NUMERIC 66060283
NAME !!HideDrives_COU VALUE NUMERIC 66043899
NAME !!HideDrives_W VALUE NUMERIC 62914559 ;added by KMS
NAME !!HideDrives_WC VALUE NUMERIC 62914555 ;added by KMS
NAME !!HideDrives_PW VALUE NUMERIC 62881791 ;added by KMS
NAME !!HideDrives_MN VALUE NUMERIC 12288 ;added by KMS
NAME !!HideDrives_HKL VALUE NUMERIC 67105663 ;added by CRT
END ITEMLIST
REQUIRED
END PART
PART !!DriveRestrictions_Tip1 TEXT END PART
PART !!DriveRestrictions_Tip2 TEXT END PART
;
; This policy conflicts with the shell\restrictions\hide drives
; policy. This is mentioned here to alert administrators.
;
END POLICY
END CATEGORY
END CATEGORY
END CATEGORY
CATEGORY !!ZAK_WINDOWS
POLICY !!WINDOWS_LOAD
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Windows"
PART !!WINDOWS_LOADmsg EDITTEXT REQUIRED
VALUENAME "load"
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
ZAK="ZAK Policies"
ZAK_WindowsNT="Windows NT"
UserProfiles="User Profiles through System Policies"
UserProfiles_AppData="AppData Folder"
UserProfiles_AppDataPath="Enter Path to AppData folder"
UserProfiles_AppDataPathDefault="%USERPROFILE%\AppData"
UserProfiles_Favorites="Favorites Folder"
UserProfiles_FavoritesPath="Enter Path to Favorites folder"
UserProfiles_FavoritesPathDefault="%USERPROFILE%\Favorites"
UserProfiles_NetHood="NetHood Folder"
UserProfiles_NetHoodPath="Enter Path to NetHood folder"
UserProfiles_NetHoodPathDefault="%USERPROFILE%\NetHood"
UserProfiles_PrintHood="PrintHood Folder"
UserProfiles_PrintHoodPath="Enter Path to PrintHood folder"
UserProfiles_PrintHoodPathDefault="%USERPROFILE%\PrintHood"
UserProfiles_Recent="Recent Folder"
UserProfiles_RecentPath="Enter Path to Recent folder"
UserProfiles_RecentPathDefault="%USERPROFILE%\Recent"
UserProfiles_SendTo="SendTo Folder"
UserProfiles_SendToPath="Enter Path to SendTo folder"
UserProfiles_SendToPathDefault="%USERPROFILE%\SendTo"
IE_Security="Internet Explorer Security"
IE_EnableActiveX="Active Content"
IE_DownloadActiveX="Allow downloading of ActiveX content"
IE_AllowControls="Enable ActiveX Controls and Plug-ins"
IE_AllowActiveXScripts="Run ActiveX Scripts"
IE_EnableJava="Enable Java Programs"
IE_SecurityLevel="Active Content Security Level"
IE_SetSecurityLevel="Select Security Level"
IE_SecurityHigh="High"
IE_SecurityMedium="Medium"
IE_SecurityLow="No Security"
IE_SetSecurityLevelNote1="Note: if 'No Security' is selected, Active Content will be"
IE_SetSecurityLevelNote2="downoaded without prompting the user."
Drives="Drives"
Restrictions="Restrictions"
HideDrives="Show only selected drives"
HideDrivesOptions="Choose Drives that will be shown:"
HideDrives_all="Don't show any drives"
HideDrives_C="Only C:"
HideDrives_U="Only U:"
HideDrives_W="Only W:"
HideDrives_WC="Show ONLY W: and C:"
HideDrives_CU="Both C: and U:"
HideDrives_COU="Both C: O: and U:"
HideDrives_PW="Show ONLY P: and W:"
HideDrives_MN="Show all BUT M: and N:"
HideDrives_HKL="Show only HKL:"
DriveRestrictions_Tip1="NOTE: This policy conflits with the Shell\Restrictions\Hide Drives"
DriveRestrictions_Tip2="policy defined in common.adm"
ZAK_WINDOWS="Windows"
WINDOWS_LOAD="Load"
WINDOWS_LOADmsg="Enter Program to be run on Startup"
Hope this helps and email me if you have questions.
Paul Kochie
Use a Group Policy:
User Configuration\Administrative Templates\Windows Components\Windows Explorer
Hide these specified drives in My Computer
See full instructions here.
Chris Stoermer
We were attempting something very similar and found that a policy created through Active Directory has all the options from the local group policies and most all of the settings for "Policy Editor". Follow the instructions for creating a policy package on your AD server. Let me know if that doesn't work.
Luke Meijer
Windows XP Group policy
User Configuration --> Administrative templates --> Windows Components --> Windows Explorer --> Hide these specified drives in My Computer
Sara Whipple
Make sure that you have a .adm policy attached to a user policy package that is associated with the users that you want to affect.
Modify the following XP-Only setting:
User Configuration/Administrative Templates/Windows Explorer/Hide these specified drives in My Computer
Michel Demé
Here is an OpenOffice sheet to compute the decimal value by filling a map letter list with unwanted drives.
Darrel Wilcox
 |
|
||
|
|
||
|
|
|
|
|
|
||
|
|
||
"Microsoft didn't make it easy to perform this calculation: luckily Darrel has done that for us!"Looks like all of the info here was taken from the TID on MS's web site. While all of this is well and good, it can sometimes be a pain to get the decimal number correct if you are hiding lots of drives. Therefore, I thought I would share a simple little program I devised to get that number for you. Hope this helps!
NOTE: The password for the zip file is a lowercase a
Danny Stark
It's not a Group Policy anymore, it a registry entry. See this Microsoft KB article- Hide physical drives in Windows Explorer
Bob Pahls
Look under Group Policies
Local Computer Configuration
User Configration
Administrative Templates
Windows Components
Windows Explorer
There are two options:
- Hide these Specified drives in My Computer
- Prevent access to drives from My Computer
There are explanations on each setting in the GP page.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com