Do you remember the old days when we used the hide drives.adm template to hide specified drives, along with some kind of hide drives calculator to get the proper value? If we wanted to hide drives for Domain Users but not the Domain Admins, we had to create another policy to lock it up again. Those days are long gone thanks to Group Policy Preferences; for me it's life before and after. Get rid of all your ADM templates and 30+ page VBS logon scripts once and for all. This will speed up the logon time and make your administration much easier.
To leverage Group Policy Preferences (GPP) you'll need to administer Group Policies from a Windows 2008 server (a member server is enough) or Windows 7 with RSAT. On Windows XP and Windows 2003 machines you'll need the Group Policy Preference Client Side Extensions to properly read GPP settings.
Map network drives:
Open Group Policy Management Console (GPMC) and create a new policy. Browse to User Configuration – Preferences – Windows Settings – Drive Maps.
In this example we map K: to the Accounting folder for all users who are members of the Accounting group. It's possible to create many rules: if member of group A or B, and so on.
Hide Drives:
In this example we hide C: for all users except for Domain Admins. When you start playing around with GPP you'll learn how powerful it really is. I highly recommend you start following Group Policy Center for weekly tips.
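The "hide drives calculator" mentioned at the start worked out a bitmask in which bit 0 is A:, bit 1 is B: and so on up to Z:. The following is an added example, not part of the original post: the function names are made up here, and it assumes PowerShell 3.0 or later and the `NoDrives` / `NoViewOnDrive` registry values that the Explorer "Hide these specified drives" and "Prevent access to drives" policies write under the user's Policies\Explorer key.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Drive bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:.

function ConvertTo-DriveMask {
    # Turn drive letters ('C', 'd:', ...) into the policy bitmask.
    param([Parameter(Mandatory)][string[]]$Letter)
    $mask = 0
    foreach ($l in $Letter) {
        $c = $l.Trim().TrimEnd(':').ToUpperInvariant()
        if ($c -notmatch '^[A-Z]$') { throw "Not a drive letter: '$l'" }
        $bit  = [int][char]$c - [int][char]'A'
        $mask = $mask -bor (1 -shl $bit)
    }
    return $mask
}

function ConvertFrom-DriveMask {
    # Turn a bitmask back into the list of drive letters it covers.
    param([Parameter(Mandatory)][int]$Mask)
    0..25 |
        Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { '{0}:' -f [char](65 + $_) }
}

function Get-HiddenDrivePolicy {
    # Report what the current user's session actually received, so you can
    # check the result of the GPO instead of trusting the console view.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $value = (Get-ItemProperty -Path $key -Name $name `
                    -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy = $name
            Mask   = $value
            Drives = if ($null -ne $value) {
                         (ConvertFrom-DriveMask $value) -join ' '
                     } else { '(not set)' }
        }
    }
}

# Constructed sample input: the mask for hiding C:, D: and E:, decoded again.
$mask = ConvertTo-DriveMask 'C', 'D', 'E'
'Mask {0} covers {1}' -f $mask, ((ConvertFrom-DriveMask $mask) -join ' ')
Get-HiddenDrivePolicy | Format-Table -AutoSize
```

`NoDrives` only removes the drive letters from the Explorer view, so run `Get-HiddenDrivePolicy` in a test user's session to confirm which of the two values the session really has before relying on it.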
Nice article. I’m always using RES PowerFuse here. A great product to manage the Workspace and for example hide drives (like in this article).
Hi Martin,
Yes, I know, but Group Policies are free
I’ve had problems with 2008 terminal servers in environments with 2003 AD servers… If you create the policy for a 2008 server NEVER edit it on a 2003 server and vice versa – it can corrupt the GPO, and then the fun starts.
Hi Don,
That’s correct, when you start using Group Policy Preferences you ALWAYS do GPO admin from a W2K8 server. Check out this post regarding backup : How To Backup and Restore Group Policy
Using wrongly configured GPO mapped drives heavily increases the logon time. 🙁
I recommend always also using security filters on the GPO to reduce the logon time for users who have nothing to do with that GPO.
Thanks Alexey, I do agree. Normally the home drive is common and the rest is based upon Item Target Leveling for the GPO Mapped Drives
Thanks for the nice post Trond!
I have seen that you in several articles praise the Group Policy Preferences (GPP).
I agree from an administrators point of view. It’s very easy to administrate.
But what about performance in a terminal server environment? Have you read this article?
http://bit.ly/adfVii
We have made a script that cleans “c:\programdata\microsoft\group policy\history\” on reboot, but it feels like GPP is not really intended to be used in terminal server environments.
Thanks for your comment Erik, I haven’t read this before but it seems like this is fixed with W2K8 Service Pack 1. In terms of performance we always see faster login with GPP instead of login scripts. The script you’re using is one way to fix this, but I personally think that everybody with more than 4 servers should run Citrix Provisioning Services. So in a PVS environment this won’t happen since the disk is write protected.
Hi Eirik,
thank you for your post.
I created the GPO to map a drive from a Win 2008 TS and for a Win 2003 TS.
The policy is applied to the Win 2003 server but the drive never appears on user sessions.
I looked at the event viewer but found nothing.
Have you had such an issue?
Thanks
Hi Seb, try linking the GPO to the Terminal Server OU and make sure you’re using Group Policy Loopback Processing Mode – http://support.microsoft.com/kb/231287
Hi Eirik, the GPO is linked to the OU and GP loopback is enabled. Actually, from GPRESULT I see the policy applied, but no drives mapped. The GPO config is the same as in your post; I also tried to put Create instead of Replace… but same result.
Strange, please check the event log on the Terminal Servers in question. You could also try the same policy on a Windows 7 machine just to make sure. The User Security Context is required.
Solved! The Windows 2003 Server was missing Client Side Extensions for Windows Server 2003 (KB943729).
Thank you for your time Eirik.
Sebastiano
Thanks for your article. I need to hide drives c:, d: and e: in my environment, because I need to publish a desktop for some users. I have W2K8 x32 servers with XenApp 5, and W2K8 on the domain. I tried to do what you say in this article, but on my system I always see these drives; I can’t hide them. When I configure Drive Maps in the GPO to hide drives, I get a yellow triangle above the name c:, d: or e:. What is wrong? Can you help me? Many thanks
Hi Antonio, If the GPO hide drives doesn’t work for you I would recommend doing this with the old style ADM templates. Take a look at this article : http://support.microsoft.com/kb/231289
Great article! I didn’t know this was available in AD.
Great Carlos, we learn something new every day 🙂 Are you working at the IT department of LionsGate films?
Hi there,
I played around with this “hidden” option and it seems to me that the removal behaviour sucks:
The mapped and hidden drive has gone, but every other share mapped to that drive manually is still hidden.
Anyone out there have an idea or a solution?
regards
Wolfgang
This is a great option for hiding the drives, especially in a XenApp or XenDesktop environment. Is there an easy way to also restrict access to drives or are we stuck with using the old style ADM templates?
In GPMC under Windows Explorer you’ll find a policy called “Prevent access to drives from My Computer”. Prevents users from using My Computer to gain access to the content of selected drives.
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
I believe you can hide multiple drives more easily with the GPO: User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer -> Hide these specific drives in My Computer
Yes you can, but this is for those that want to hide custom drives that are not part of the policy you specify above.
Great post!
There’s another way to hide mapped network drives using a GPO:
http://www.sysadmit.com/2014/09/gpo-ocultar-unidades.html