Hiding Drives in Windows XP Group Policy
Novell Cool Solutions: Trench
Updated: 19 Jan 2006
Shane Y. wrote: I am switching from Windows 2000 to XP and we hide all drives except the floppy, cd, and zip (A:, D:, & E:). In 2000 we used extensible policies and I could add options for which drives to hide in the zakwinnt.adm file. I cannot find any way to do this in the new Windows XP group policies. Where can I add options in XP to hide specific drives?
Answer: OPEN CALL: Anyone got some advice for Shane? Let us know.
- Don Johnston
- Rolf Lidvall
- Daniel Schwartz
- Vicki Wood
- Peter Asp
- Shannon Powers
- Sami Kapanen
- Dwayne Watkins
- John Snider
- Cory Turk
- Paul Kochie
- Chris Stoermer
- Luke Meijer
- Sara Whipple
- Michel Demé
- Darrel Wilcox
- Danny Stark
- Bob Pahls
You can do this by modifying the system.adm template file. First setup policies and test them. This process copies the policy templates to the file server in the location you specified. Navigate to this location on the server and locate the adm folder. Open system.adm and locate the sections that hide drives and prevent access to drives.
Original system.adm:
POLICY !!NoDrives
  #if version >= 4
    SUPPORTED !!SUPPORTED_Win2k
  #endif
  EXPLAIN !!NoDrives_Help
  PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
    VALUENAME "NoDrives"
    ITEMLIST
      NAME !!ABOnly VALUE NUMERIC 3
      NAME !!COnly VALUE NUMERIC 4
      NAME !!DOnly VALUE NUMERIC 8
      NAME !!ABConly VALUE NUMERIC 7
      NAME !!ABCDOnly VALUE NUMERIC 15
      NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
      ; low 26 bits on (1 bit per drive)
      NAME !!RestNoDrives VALUE NUMERIC 0
    END ITEMLIST
  END PART
END POLICY
POLICY !!NoViewOnDrive
  #if version >= 4
    SUPPORTED !!SUPPORTED_Win2k
  #endif
  EXPLAIN !!NoViewOnDrive_Help
  PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
    VALUENAME "NoViewOnDrive"
    ITEMLIST
      NAME !!ABOnly VALUE NUMERIC 3
      NAME !!COnly VALUE NUMERIC 4
      NAME !!DOnly VALUE NUMERIC 8
      NAME !!ABConly VALUE NUMERIC 7
      NAME !!ABCDOnly VALUE NUMERIC 15
      NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
      ; low 26 bits on (1 bit per drive)
      NAME !!RestNoDrives VALUE NUMERIC 0
    END ITEMLIST
  END PART
END POLICY
Add lines or modify as desired. The trick is to convert the decimal number to binary so you can see through a 1 or 0 which drives are shown or hidden. For instance:
Using calc.exe in scientific mode enter 67108863 then click the bin radio button and you get 11111111111111111111111111
Each 1 represents a different drive letter up to 26 drives. Drive A is on the right and drive Z is on the left. A 1 means the drive is hidden and a 0 would mean the drive is displayed.
If you want to display drives A, E and F enter this into the calculator in binary:
11111111111111111111001110 in binary then click the Dec radio button to convert it to decimal and you get 67108814
Add the line below to the template and you will now have the additional option of letting users see only A,E and F.
NAME "See AEF" VALUE NUMERIC 67108814
The section of the template you modified should look something like this:
ITEMLIST
  NAME !!ABOnly VALUE NUMERIC 3
  NAME !!COnly VALUE NUMERIC 4
  NAME !!DOnly VALUE NUMERIC 8
  NAME !!ABConly VALUE NUMERIC 7
  NAME !!ABCDOnly VALUE NUMERIC 15
  NAME "See AEF" VALUE NUMERIC 67108814
  NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
Now save this modified template and replace system.adm in the adm folder where your policies are stored on the server. Now edit your policies and you should see this new option.
Hope this helps.
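Added example (not part of the original answers, and not Microsoft or Novell code): the calculator steps above done in Python, plus a decoder for values already present in a template and a check for drives that NoDrives hides but NoViewOnDrive does not restrict. The function names are this example's own; the sample values are the ones contributors quote on this page, and the bit layout (bit 0 = A: through bit 25 = Z:) follows the page's description.

```python
import string

LETTERS = string.ascii_uppercase          # bit 0 = A: ... bit 25 = Z:
ALL_DRIVES = (1 << 26) - 1                # 67108863, "low 26 bits on"


def hide_mask(letters):
    """NoDrives value that hides exactly the given drive letters."""
    mask = 0
    for letter in letters:
        letter = letter.upper()
        if len(letter) != 1 or letter not in LETTERS:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << LETTERS.index(letter)
    return mask


def show_only_mask(letters):
    """NoDrives value that hides every drive except the given letters."""
    return ALL_DRIVES & ~hide_mask(letters)


def hidden_letters(mask):
    """Decode a NoDrives / NoViewOnDrive value into the letters it covers."""
    if not 0 <= mask <= ALL_DRIVES:
        raise ValueError(f"value outside the 26-bit range: {mask}")
    return "".join(l for i, l in enumerate(LETTERS) if mask >> i & 1)


def adm_item(name, mask):
    """One ITEMLIST line in the style of the templates quoted on this page."""
    return f'NAME "{name}" VALUE NUMERIC {mask}'


def hidden_but_browsable(nodrives, noviewondrive):
    """Letters hidden by NoDrives that NoViewOnDrive does not also restrict."""
    return hidden_letters(nodrives & ~noviewondrive)


if __name__ == "__main__":
    # Values quoted by contributors on this page, decoded as a cross-check.
    page_values = {"See AEF": 67108814, "AllButEF": 48, "D + T": 524296,
                   "HideDrives_HKL": 67105663, "HideDrives_MN": 12288}
    for name, value in page_values.items():
        hidden = hidden_letters(value)
        shown = "".join(l for l in LETTERS if l not in hidden)
        print(f"{name:15} {value:>9} {value:026b} hides {hidden or '-'} shows {shown or '-'}")
    print(adm_item("See AEF", show_only_mask("AEF")))
    # Constructed case: every drive hidden, access restricted only on C:.
    print("hidden but not access-restricted:", hidden_but_browsable(ALL_DRIVES, 4))
```

Decoding a value before deploying it catches the common mistake of confusing a "hide these" value (such as 48) with a "show only these" value (such as 67108814).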
Hiding drives in WinXP is governed from Group Policies:
User Configuration -> Administrative Templates ->
Windows Components -> Windows Explorer ->
"Hide these specified drives in My Computer"
The default settings are pretty useless so you will always have to edit the template-- system.adm-- OR make a new template with only these settings and this is what MS recommends:
"Microsoft does not recommend to change the System.adm file, but instead to create a new .adm file and import this .adm into the GPO. The reason is that if you apply changes to the system.adm file, these changes might get overwritten if Microsoft releases a new version of the system.adm file in a Service Pack."
Here is a *very useful* calculator: http://www.precedence.co.uk/nc/nodrive.php3
From a run box, type gpedit.msc; this launches the Group Policy editor. Then under User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer -> select "Hide these specified drives in My Computer". Then select the drive combination you wish to hide. This will hide them in Explorer also.
To do this, edit the system.adm file. In the section below, I've added the line "AllButEF". Anything you add should appear alphabetically. I'll explain how I determined the "value numeric" later.
POLICY !!NoDrives
  EXPLAIN !!NoDrives_Help
  PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
    VALUENAME "NoDrives"
    ITEMLIST
      NAME !!ABOnly VALUE NUMERIC 3
      NAME !!COnly VALUE NUMERIC 4
      NAME !!DOnly VALUE NUMERIC 8
      NAME !!ABConly VALUE NUMERIC 7
      NAME !!ABCDOnly VALUE NUMERIC 15
      NAME !!AllButEF VALUE NUMERIC 48
      NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
      ; low 26 bits on (1 bit per drive)
      NAME !!RestNoDrives VALUE NUMERIC 0
    END ITEMLIST
  END PART
END POLICY
Further down in the same file under [strings], again alphabetically, I added this line:
AllButEF="Restrict drives E and F"
Now when I go to edit User Group XP Policies, under Windows Explorer settings the drop-down options for Hide These Specific Drives in My Computer include the option, "Restrict drives E and F".
Use the following (from http://support.microsoft.com/default.aspx?scid=kb;en-us;220955&Product=nts40) to determine what goes into VALUE NUMERIC in the system.adm file:
This configuration corresponds to 67108863 in decimal and hides all drives. For example, if you want to hide drive C, make the third-lowest bit a 1 (this is displayed in binary as 0000000000000000000000100), and then convert the binary string to decimal, which comes out to a decimal value of 4.
Check here for information on Hiding Drives using Group Policies
- Open Regedit.
- Navigate to this string:
- In the Explorer key folder, create a new DWORD value by right-clicking Explorer, then choosing New DWORD value. Name the value "NoDrives" (without the quotes). This value defines local and network drive visibility for each logical drive on the computer. All drives will be visible as long as this value's data is set to 0.
- Following the table below, enter the decimal number corresponding to the
drive(s) you want to hide as NoDrives value data. When you right-click on
NoDrives and choose Modify, make sure you select Decimal base, not
Drive Number to hide
All drives 67108863
- If you want to hide more than one drive, you simply add the drive amounts together for a combined total.
For example, to hide the D:/ and T:/ drives, add the decimal value for the D:/ drive to the decimal value for the T:/ drive.
8 (D) + 524288 (T) = 524296
- To disable all of your visible drives, set the value to 67108863.
You must reboot your PC to see your changes. Have fun hiding, you little sneaks!
You can still use the extensible policies to do this, they work just fine on XP (although not supported officially).
My only other suggestion, so as to not be redundant to the other solutions, is a free program called X-setup [Editor's note: it's only free for non-commercial use according to their website, but the commercial pricing looks VERY affordable.]. It takes the Windows power toys 10 steps further.
From within this program you can show/hide drives in addition to setting functions for each, in addition to making 1001 other Windows tweaks. Another cool thing about this program is that it will record and save the changes you make in the program to an external file of your naming, which you can view and edit to your leisure.
I use it often when I need to make a change to Windows and do not want to run regedit and/or Snapshot.
Under the User Configuration, Administrative Templates, Windows Components, Windows Explorer:
"Hide these specified drives in My Computer"
Options:
- Restrict A and B drives only
- Restrict C drive only
- Restrict D drive only
- Restrict A, B, and C drives only
- Restrict A, B, C, and D drives only
- Restrict all drives
- Do not restrict drives
"Prevent Access to drives from My Computer"
Options:
- Restrict A and B drives only
- Restrict C drive only
- Restrict D drive only
- Restrict A, B, and C drives only
- Restrict A, B, C, and D drives only
- Restrict all drives
- Do not restrict drives
Here is how I did it. In my adm file you will see that I am only allowing H,K,L drive to be shown. Edit this to customize your needs and then import this adm file into your group policy under administrative templates.
CLASS USER
CATEGORY !!ZAK
  CATEGORY !!ZAK_WindowsNT
    CATEGORY !!UserProfiles
      ;
      ; The following policies are all listed under the heading
      ; "User Profiles through System Policies"
      ; They are used to configure the path to many of the folders
      ; normally controlled by user profile settings
      ;
      ; Each policy has only one part which is an "EDITTEXT" box.
      ; This is the box in System Policy Editor that you enter
      ; the given path.
      ;
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
      ;
      ; These policies all configure this key. They all define their own Valuenames
      ; and data in this key. Each one has a default value that is defined
      ; in the [strings] section
      ;
      POLICY !!UserProfiles_AppData
        ; each part of a policy corresponds to one configurable setting
        ; these policies only have one part each, the edit box.
        Part !!UserProfiles_AppDataPath EDITTEXT ; Defines an edit box.
          REQUIRED ; If the policy is checked, this part must have a value.
          EXPANDABLETEXT ; Text can be environmental variables.
          Default !!UserProfiles_AppDataPathDefault ; Defines the def value for the textbox.
          Valuename "AppData" ; Registry setting that is added to the Registry
        End Part
      End Policy
      POLICY !!UserProfiles_Favorites
        Part !!UserProfiles_FavoritesPath EDITTEXT
          REQUIRED
          EXPANDABLETEXT
          Default !!UserProfiles_FavoritesPathDefault
          Valuename "Favorites"
        End Part
      End Policy
      POLICY !!UserProfiles_NetHood
        Part !!UserProfiles_NetHoodPath EDITTEXT
          REQUIRED
          EXPANDABLETEXT
          Default !!UserProfiles_NetHoodPathDefault
          Valuename "NetHood"
        End Part
      End Policy
      POLICY !!UserProfiles_PrintHood
        Part !!UserProfiles_PrintHoodPath EDITTEXT
          REQUIRED
          EXPANDABLETEXT
          Default !!UserProfiles_PrintHoodPathDefault
          Valuename "PrintHood"
        End Part
      End Policy
      POLICY !!UserProfiles_Recent
        Part !!UserProfiles_RecentPath EDITTEXT
          REQUIRED
          EXPANDABLETEXT
          Default !!UserProfiles_RecentPathDefault
          Valuename "Recent"
        End Part
      End Policy
      POLICY !!UserProfiles_SendTo
        Part !!UserProfiles_SendToPath EDITTEXT
          REQUIRED
          EXPANDABLETEXT
          Default !!UserProfiles_SendToPathDefault
          Valuename "SendTo"
        End Part
      End Policy
    END CATEGORY
    CATEGORY !!IE_SECURITY
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
      ;
      ; The policy below sets values in the above Registry Key
      ;
      POLICY !!IE_EnableActiveX
        ;
        ; The IE Security Policy has four checkboxes to
        ; configure the settings in IE defined under Active Content
        ; in the security tab of the view\options menu.
        ; The four checkboxes simply toggle either between
        ; 1 and 0 or 'yes' and 'no'.
        ;
        PART !!IE_DownloadActiveX CHECKBOX
          VALUENAME "Code Download"
          VALUEON "yes" VALUEOFF "no"
        END PART
        Part !!IE_AllowControls CHECKBOX
          VALUENAME "Security_RunActiveXControls"
          VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
        END PART
        PART !!IE_AllowActiveXScripts CHECKBOX
          VALUENAME "Security_RunScripts"
          VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
        END PART
        PART !!IE_EnableJava CHECKBOX
          VALUENAME "Security_RunJavaApplets"
          VALUEON NUMERIC 1 VALUEOFF NUMERIC 0
        END PART
      END POLICY
      POLICY !!IE_SecurityLevel
        ;
        ; This policy configures the safety level settings in IE
        ; in the security tab in the view\options menu
        ;
        ; Because setting this feature configures two different registry keys,
        ; it uses the ACTIONLIST parameter to set both keys with one dropdown list.
        ;
        PART !!IE_SetSecurityLevel DROPDOWNLIST
          KEYNAME "Software\Microsoft\Internet Explorer\Security" ; Each part configures it's own Registry key
          VALUENAME "Safety Warning Level"
          ITEMLIST
            Name !!IE_SecurityHigh VALUE "FailInform"
              ACTIONLIST
                KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
                VALUENAME "Trust Warning Level" Value "High"
              END ACTIONLIST
            Name !!IE_SecurityMedium VALUE "Query"
              ACTIONLIST
                KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
                VALUENAME "Trust Warning Level" Value "Medium"
              END ACTIONLIST
            Name !!IE_SecurityLow VALUE "SucceedSilent"
              ACTIONLIST
                KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
                VALUENAME "Trust Warning Level" Value "No Security"
              END ACTIONLIST
          END ITEMLIST
          REQUIRED
        END PART
        PART !!IE_SetSecurityLevelNote1 TEXT END PART
        PART !!IE_SetSecurityLevelNote2 TEXT END PART
      END POLICY
    END CATEGORY
    CATEGORY !!Drives
      CATEGORY !!Restrictions
        POLICY !!HideDrives
          ;
          ; This policy is will show only specified drives
          ; on the client machine. The registry key that this policy
          ; effects uses a decimal number which corresponds to a 26 bit
          ; binary string, with each bit representing a drive letter:
          ;
          ; 11111111111111111111111111
          ; ZYXWVUTSRQPONMLKJIHGFEDCBA
          ;
          ; The above configuration corresponds to 67108863d and will
          ; hide all drives. If you wanted to hide all drives but C: you would make
          ; the 3rd lowest bit a 0 and then convert the binary string to decimal.
          ;
          ; Note: it is not necessary to create an option to show all drives (0d),
          ; because clearing the check box will delete the "NoDrives" entry
          ; entirely, and therefore, all drives will be automatically shown.
          ;
          ; If you want to configure this policy to show a different combination
          ; of drives, simply create the desired binary string, convert to decimal
          ; and add a new entry to the ITEMLIST.
          ;
          KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
          PART !!HideDrivesOptions DROPDOWNLIST
            VALUENAME "NoDrives"
            ITEMLIST
              Name !!HideDrives_all VALUE NUMERIC 67108863
              NAME !!HideDrives_C VALUE NUMERIC 67108859 ; (67108863 - 4)
              NAME !!HideDrives_U VALUE NUMERIC 66060287
              NAME !!HideDrives_CU VALUE NUMERIC 66060283
              NAME !!HideDrives_COU VALUE NUMERIC 66043899
              NAME !!HideDrives_W VALUE NUMERIC 62914559 ;added by KMS
              NAME !!HideDrives_WC VALUE NUMERIC 62914555 ;added by KMS
              NAME !!HideDrives_PW VALUE NUMERIC 62881791 ;added by KMS
              NAME !!HideDrives_MN VALUE NUMERIC 12288 ;added by KMS
              NAME !!HideDrives_HKL VALUE NUMERIC 67105663 ;added by CRT
            END ITEMLIST
            REQUIRED
          END PART
          PART !!DriveRestrictions_Tip1 TEXT END PART
          PART !!DriveRestrictions_Tip2 TEXT END PART
          ;
          ; This policy conflicts with the shell\restrictions\hide drives
          ; policy. This is mentioned here to alert administrators.
          ;
        END POLICY
      END CATEGORY
    END CATEGORY
  END CATEGORY
  CATEGORY !!ZAK_WINDOWS
    POLICY !!WINDOWS_LOAD
      KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\Windows"
      PART !!WINDOWS_LOADmsg EDITTEXT REQUIRED
        VALUENAME "load"
      END PART
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
ZAK="ZAK Policies"
ZAK_WindowsNT="Windows NT"
UserProfiles="User Profiles through System Policies"
UserProfiles_AppData="AppData Folder"
UserProfiles_AppDataPath="Enter Path to AppData folder"
UserProfiles_AppDataPathDefault="%USERPROFILE%\AppData"
UserProfiles_Favorites="Favorites Folder"
UserProfiles_FavoritesPath="Enter Path to Favorites folder"
UserProfiles_FavoritesPathDefault="%USERPROFILE%\Favorites"
UserProfiles_NetHood="NetHood Folder"
UserProfiles_NetHoodPath="Enter Path to NetHood folder"
UserProfiles_NetHoodPathDefault="%USERPROFILE%\NetHood"
UserProfiles_PrintHood="PrintHood Folder"
UserProfiles_PrintHoodPath="Enter Path to PrintHood folder"
UserProfiles_PrintHoodPathDefault="%USERPROFILE%\PrintHood"
UserProfiles_Recent="Recent Folder"
UserProfiles_RecentPath="Enter Path to Recent folder"
UserProfiles_RecentPathDefault="%USERPROFILE%\Recent"
UserProfiles_SendTo="SendTo Folder"
UserProfiles_SendToPath="Enter Path to SendTo folder"
UserProfiles_SendToPathDefault="%USERPROFILE%\SendTo"
IE_Security="Internet Explorer Security"
IE_EnableActiveX="Active Content"
IE_DownloadActiveX="Allow downloading of ActiveX content"
IE_AllowControls="Enable ActiveX Controls and Plug-ins"
IE_AllowActiveXScripts="Run ActiveX Scripts"
IE_EnableJava="Enable Java Programs"
IE_SecurityLevel="Active Content Security Level"
IE_SetSecurityLevel="Select Security Level"
IE_SecurityHigh="High"
IE_SecurityMedium="Medium"
IE_SecurityLow="No Security"
IE_SetSecurityLevelNote1="Note: if 'No Security' is selected, Active Content will be"
IE_SetSecurityLevelNote2="downoaded without prompting the user."
Drives="Drives"
Restrictions="Restrictions"
HideDrives="Show only selected drives"
HideDrivesOptions="Choose Drives that will be shown:"
HideDrives_all="Don't show any drives"
HideDrives_C="Only C:"
HideDrives_U="Only U:"
HideDrives_W="Only W:"
HideDrives_WC="Show ONLY W: and C:"
HideDrives_CU="Both C: and U:"
HideDrives_COU="Both C: O: and U:"
HideDrives_PW="Show ONLY P: and W:"
HideDrives_MN="Show all BUT M: and N:"
HideDrives_HKL="Show only HKL:"
DriveRestrictions_Tip1="NOTE: This policy conflits with the Shell\Restrictions\Hide Drives"
DriveRestrictions_Tip2="policy defined in common.adm"
ZAK_WINDOWS="Windows"
WINDOWS_LOAD="Load"
WINDOWS_LOADmsg="Enter Program to be run on Startup"
Hope this helps and email me if you have questions.
Use a Group Policy:
User Configuration\Administrative Templates\Windows Components\Windows Explorer
Hide these specified drives in My Computer
See full instructions here.
We were attempting something very similar and found that a policy created through Active Directory has all the options from the local group policies and most all of the settings for "Policy Editor". Follow the instructions for creating a policy package on your AD server. Let me know if that doesn't work.
Windows XP Group policy
User Configuration --> Administrative templates --> Windows Components --> Windows Explorer --> Hide these specified drives in My Computer
Make sure that you have a .adm policy attached to a user policy package that is associated with the users that you want to affect.
Modify the following XP-Only setting:
User Configuration/Administrative Templates/Windows Explorer/Hide these specified drives in My Computer
Here is an OpenOffice sheet to compute the decimal value by filling a map letter list with unwanted drives.
"Microsoft didn't make it easy to perform this calculation: luckily Darrel has done that for us!"
Looks like all of the info here was taken from the TID on MS's web site. While all of this is well and good, it can sometimes be a pain to get the decimal number correct if you are hiding lots of drives. Therefore, I thought I would share a simple little program I devised to get that number for you. Hope this helps!
NOTE: The password for the zip file is a lowercase a
It's not a Group Policy anymore, it's a registry entry. See this Microsoft KB article - Hide physical drives in Windows Explorer
Look under Group Policies
Local Computer Configuration
There are two options:
- Hide these Specified drives in My Computer
- Prevent access to drives from My Computer
There are explanations on each setting in the GP page.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com