[Updated] Hide local drives
Written by Hans Straat, Thursday, 30 March 2006

Introduction

This howto shows how you can hide local drives on a Terminal Server or local workstation by editing the system.adm template. This can be helpful if you want to prevent users from seeing or even accessing local hard drives on a terminal server.

What do we use

To calculate the drives I want to hide I used Dave’s Drive Calculator.

To edit the system.adm I used Notepad.exe, which can of course be found on every Windows operating system.
Note: Make a backup of your system.adm before editing it! In Windows 2000 you need to edit the user.adm.

What are we gonna hide

In this howto we are going to hide the A, C and O drives. If you open Dave's Drive Calculator, fill in the drives and press calculate, you will get the number 16389 (one bit per drive letter: A = 1, C = 4, O = 16384).

Dave's Drive Calculator

Edit the system.adm

 

Now we are going to edit the system.adm, which is located in the windows\inf directory. Note that the inf directory is a hidden directory!

After you have opened the system.adm in Notepad, hit F3 and search for ABCONLY. This takes you to the policy !!NoDrives.

Example 1 is a partial excerpt from the system.adm.
You can edit this part and fill in your own entry under ABCDOnly (example 2).

Example 1
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
   VALUENAME "NoDrives"
   ITEMLIST
       NAME !!ABOnly           VALUE NUMERIC 3
       NAME !!COnly            VALUE NUMERIC 4
       NAME !!DOnly            VALUE NUMERIC  8
       NAME !!ABConly          VALUE NUMERIC  7
       NAME !!ABCDOnly         VALUE NUMERIC 15
       NAME !!ALLDrives        VALUE NUMERIC 67108863 DEFAULT
                         ; low 26 bits on (1 bit per drive)
Example 2
PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
   VALUENAME "NoDrives"
   ITEMLIST
       NAME !!ABOnly           VALUE NUMERIC 3
       NAME !!COnly            VALUE NUMERIC 4
       NAME !!DOnly            VALUE NUMERIC  8
       NAME !!ABConly          VALUE NUMERIC  7
       NAME !!ABCDOnly         VALUE NUMERIC 15
       NAME !!ACOOnly          VALUE NUMERIC 16389
       NAME !!ALLDrives        VALUE NUMERIC 67108863 DEFAULT
                         ; low 26 bits on (1 bit per drive)

After you have edited both the !!NoDrives and !!NoViewOnDrive policies, you need to browse to the [strings] section, because if you save the adm now and try to load it, it will give you an error stating that the string section ACOOnly is missing.

As you can see, I added ACOOnly to the [strings] section. Adding ACOOnly="Restrict A, C and O drives only" results in the example below.

ABCDOnly="Restrict A, B, C and D drives only"
ABConly="Restrict A, B and C drives only"
ABOnly="Restrict A and B drives only"
ACOOnly="Restrict A, C and O drives only"
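
The calculation behind the number 16389 and the two lines this howto adds to system.adm, as an added example (not part of the original article and not the code of Dave's Drive Calculator). The function names are made up for illustration; the output format follows the ITEMLIST and [strings] lines shown above.

```python
import string

LETTERS = string.ascii_uppercase  # A..Z map to bits 0..25 (1 bit per drive)


def nodrives_mask(drives):
    """Return the NoDrives value for an iterable of drive letters."""
    mask = 0
    for d in drives:
        d = d.strip().rstrip(":").upper()   # accept "c", "C" or "C:"
        if len(d) != 1 or d not in LETTERS:
            raise ValueError(f"not a drive letter: {d!r}")
        mask |= 1 << LETTERS.index(d)
    return mask


def drives_in_mask(mask):
    """Decode a NoDrives value back into the drive letters it covers."""
    if not 0 <= mask < 1 << 26:
        raise ValueError("NoDrives uses only the low 26 bits")
    return [c for i, c in enumerate(LETTERS) if mask >> i & 1]


def adm_entries(drives):
    """Build the ITEMLIST line and the matching [strings] line.

    Both lines use the same string name, so the template does not fail
    to load with a missing-string error.
    """
    mask = nodrives_mask(drives)
    letters = drives_in_mask(mask)          # sorted and de-duplicated
    if not letters:
        raise ValueError("no drives given")
    name = "".join(letters) + "Only"
    if len(letters) == 1:
        label, noun = letters[0], "drive"
    else:
        label, noun = ", ".join(letters[:-1]) + " and " + letters[-1], "drives"
    item = f"NAME !!{name} VALUE NUMERIC {mask}"
    text = f'{name}="Restrict {label} {noun} only"'
    return item, text


if __name__ == "__main__":
    item, text = adm_entries("ACO")
    print(item)                      # goes into the ITEMLIST of both policies
    print(text)                      # goes into the [strings] section
    print(drives_in_mask(67108863))  # the ALLDrives value decodes to A..Z
```

`drives_in_mask` is also useful for reviewing an existing template or policy value: it shows which drive letters a given number actually covers.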

Import the edited system.adm

 

Now you can open gpedit.msc (the Group Policy Editor) or GPMC (Group Policy Management Console) and, at Administrative Templates, choose add/remove template (requires a right click).

Now browse to the system.adm and acknowledge that you want to overwrite the system.adm.

Group Policy Editor Import template

Group Policy Editor

Confirm that you want to overwrite the existing system.adm file (make sure you have backed up the original system.adm file!)

Confirm File Replace

Now you are able to select the A, C and O drives to hide on your server or, of course, workstation.

 

Hide these specified drives in My Computer properties

Well, this is all there is to hiding drives. You can also edit the system.adm to deny access to these calculated drives. This is mostly used in Terminal Server environments and not on local workstations, but you can also implement it on workstations. Make sure you deny read access to local administrators in that case, because once the policy is implemented a local administrator on a workstation won't get access either!

NOTE:

This policy will not work if a user is allowed to use the command prompt or applications like Total Commander, because these programs don't use the Windows shell. There is no workaround for this.

For the lazy people :) there is a tool on Petri.co that also generates the adm template for you: http://www.petri.co.il/gpdrivesoptions.htm

Comments
Naval - Awesome Unregistered | 2007-01-29 07:31:38


This is one awesome article mate... many thanks for sharing it.
Phar - Excellent Article.. Unregistered | 2007-02-06 22:26:37


True lifesaver..thanks.
Rocky - 1 Question... Unregistered | 2007-03-04 15:39:39
After importing the template.. where do I need to make changes, i.e. ACO only... i.e. the last window.. where can I get it?
mutsje - ACO? Unregistered | 2007-03-07 10:04:38
Not sure what you want to achieve, but if you want to achieve ACO only you have to make the attribute NAME !!ACOOnly valuenumeric xxxxxx etc., and in the [string] section you make the explanation of how to name the policy that you see in your GUI: ACOOnly="Restrict drives A,C and O only"
If you have more questions about policies, please open a topic in the forums under "Windows related questions".

regards,
Hans Straat