
Active Directory

Group Policies
Applying a GPO to a Terminal Services Server

Hello everyone, once again! After a long time without publishing anything, I have decided to write
something. The delay has been partly due to time (or the lack of it), partly (largely) due to
laziness, but mostly because I like to write things that are useful and relevant to those who take
the trouble to read this blog, and I prefer to wait until I have something worth writing about, so
I hope I am not wrong about this post :D. Getting into the topic, I don't know whether this has
happened to you: your company has a Terminal Services server that some domain users access
regularly to perform specific tasks or run an application. But since the users belong to the
domain, they may have certain Group Policies (GPOs) applied that correspond to the OU or group
they belong to, and we would like a more restrictive policy to be applied when they log on to the
Terminal Services server than the one applied on their own computers. For example, say a domain
user has a GPO applied that allows access to the drives of their computer and to some Control Panel
items, but this user needs to run some applications by remotely accessing a Terminal Services
server, and we do not want them to be able to access the drives on that server, open the Control
Panel, and so on. For this we need a specific GPO to be applied, but only when the user logs on to
a specific machine, in this case the Terminal Services server.

To do this, the first thing we have to do is create an OU and move the Terminal Services server(s)
to which we will apply the policy into it; for example, we could call the OU
"Terminal_Services_Server". The following screenshot shows the OU containing a computer named
"TERMINAL_SRV_01".

Once we have created our OU, we open the "Group Policy Management" console. This console is used
to manage the domain's Group Policies; it is included in Windows Server 2008 and can also be used
on Windows Server 2003, but there it must be downloaded separately. If you do not have it, you can
download it here. Once the Group Policy Management console is open, we go to the new OU we created
(Terminal_Services_Server), right-click it, and then select the option "Create a GPO in this
domain, and Link it here..." as shown in the following screenshot:
Clicking this option prompts us for a name for the new GPO; in this case I chose the name
"Terminal_GPO". Once we have entered the name, the GPO link appears under the OU we created, as
shown in the following screenshot. Here we now right-click the GPO and select "Edit...".

The Group Policy Editor window for the policy we just created will open. Here we go to the
"Computer Configuration" section, then to "Policies" (in Windows Server 2003 this step is not
necessary), then to "Administrative Templates", "System", and finally click "Group Policy". Here
we look for the setting "User Group Policy loopback processing mode", as shown in the following
screenshot:

Double-click the setting indicated above, select "Enabled", and then in the "Mode" section select
"Replace":

What this does is tell the computer where the policy is applied, in our example the Terminal
Services server, not to apply the domain Group Policy that corresponds to the user who logs on,
but to replace it with the one specified in this same policy. Once we click OK, we can go to the
"User Configuration" section of the Policy Editor and customize the environment of the users who
will connect to this Terminal Services server however we like, without worrying that this policy
will also be applied to those users on their own computers.
Well, that is all for now. As always, I hope you found it useful.
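The same result as the GPMC clicks above, scripted with the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later. This is an added example, not code from the original post; the OU and GPO names are the post's, the domain DN "DC=contoso,DC=com" is a placeholder, and the fact that the "User Group Policy loopback processing mode" setting is stored as the REG_DWORD UserPolicyMode (1 = Merge, 2 = Replace) under HKLM\SOFTWARE\Policies\Microsoft\Windows\System is not stated on the page.

```powershell
# Added example: create the GPO, link it to the Terminal Services OU and enable
# loopback processing in Replace mode. Run on a DC or RSAT host as a user who
# may create and link GPOs. The domain DN below is a placeholder.
Import-Module GroupPolicy

$OuDn    = 'OU=Terminal_Services_Server,DC=contoso,DC=com'   # placeholder DN
$GpoName = 'Terminal_GPO'

# Registry form of "User Group Policy loopback processing mode" (Computer
# Configuration > Policies > Administrative Templates > System > Group Policy).
# Writing this value into the GPO is what the editor does when you pick
# Enabled + Mode = Replace.
$LoopbackKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$ReplaceMode   = 2    # 1 = Merge, 2 = Replace

# 1. Create the GPO only if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback (Replace) for Terminal Services servers'
}

# 2. Link it to the OU that holds the Terminal Services server(s), once.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# 3. Enable loopback processing in Replace mode on the computer side.
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue `
    -Type DWord -Value $ReplaceMode | Out-Null

# 4. Read the value back from the GPO to confirm what will be applied. Any
#    User Configuration settings added to this GPO later will now apply only
#    to sessions on computers inside $OuDn.
$check = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName $LoopbackValue
if ($check.Value -eq $ReplaceMode) {
    Write-Host "$GpoName is linked to $OuDn with loopback processing = Replace"
} else {
    Write-Warning "Loopback value not set as expected: $($check.Value)"
}
```

After a `gpupdate /force` on the server, `gpresult /h report.html` run from a user session shows the user settings coming from Terminal_GPO instead of the user's normal GPOs.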

http://www.eltipodeinformatica.com/2011/11/aplicar-una-gpo-para-un-terminal.html

Interactive Login Legal Notice Removal



Most corporations are at some point required to show a legal notice prior to logging on
to a computer. This is normally configured by Group Policy.

The settings are under Computer Configuration - Policies - Security - Local Policies - Security Options:

- Interactive logon: Message text for users attempting to log on
- Interactive logon: Message title for users attempting to log on

By default these values are blank, and as such the screen is not displayed at logon
time. When these fields have a value, it is written to the registry and thus causes the
notice to be displayed.

The problem comes in if you want to remove the legal notice from a machine.
If the policy does not define a value, or defines a value of "", nothing is written to the
registry.

So the registry setting written by a policy cannot be erased by another policy. To
fix this you have to manually go and clean up the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"legalnoticecaption"=""
"legalnoticetext"=""

Remember: to make this a permanent fix you need to ensure that no GPO is
re-enforcing the legal notice.
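An added PowerShell equivalent of the .reg cleanup above (not part of the original post) that also performs the check the last sentence asks for: it blanks both value pairs, forces a computer policy refresh, and reads the values back, so a notice that reappears tells you a GPO is still enforcing it. The function names are my own; run it elevated on the affected machine.

```powershell
# Added example: audit, clear and re-verify the two places the legal notice lives.
$LegalNoticeLocations = @(
    @{ Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Caption = 'LegalNoticeCaption'; Text = 'LegalNoticeText' },
    @{ Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Caption = 'legalnoticecaption'; Text = 'legalnoticetext' }
)

function Get-LegalNoticeState {
    # One row per location with the current caption/text ('' when not set).
    # Active is true when a non-empty message text is present, i.e. the
    # banner would be shown at the next logon.
    foreach ($loc in $LegalNoticeLocations) {
        $props = Get-ItemProperty -Path $loc.Path -ErrorAction SilentlyContinue
        $text  = [string]$props.($loc.Text)
        [pscustomobject]@{
            Path    = $loc.Path
            Caption = [string]$props.($loc.Caption)
            Text    = $text
            Active  = -not [string]::IsNullOrEmpty($text)
        }
    }
}

function Clear-LegalNotice {
    # Same effect as the .reg file above: write empty REG_SZ values in both keys.
    foreach ($loc in $LegalNoticeLocations) {
        if (-not (Test-Path $loc.Path)) { continue }
        Set-ItemProperty -Path $loc.Path -Name $loc.Caption -Value '' -Type String
        Set-ItemProperty -Path $loc.Path -Name $loc.Text    -Value '' -Type String
    }
}

Write-Host 'Before:'
Get-LegalNoticeState | Format-Table -AutoSize

Clear-LegalNotice

# A computer-side refresh re-applies every GPO that still defines the notice.
# If Active comes back $true, the cleanup is not permanent yet: find the GPO
# with gpresult /h report.html and remove the setting there.
gpupdate /target:computer /force | Out-Null
Write-Host 'After gpupdate:'
$after = Get-LegalNoticeState
$after | Format-Table -AutoSize
if ($after.Active -contains $true) {
    Write-Warning 'A GPO is still enforcing the legal notice; remove it at the policy level.'
}
```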
http://fixmyitsystem.com/2013/03/interactive-login-legal-notice-removal.html

Deploying Legal Notices to domain computers using Group Policy
February 8, 2008 / June 26, 2015

310430 How to configure Windows Server 2003 to display a message when users log on
http://support.microsoft.com/default.aspx?scid=kb;EN-US;310430

It seems there is a security policy setting that helps us accomplish this task. So, we follow the article and, Figure 1 shows the results.

Figure 1- Configuring a legal caption in security policy


These examples are from a computer running Windows Vista Service Pack 1 with Remote
Server Administration Tools. However, you can use Windows Server 2003 or Windows XP
with the Group Policy Management Console (GPMC) to accomplish these results.

Now, notice our Legal Notice on a Windows Vista SP1 computer and on a Windows Server 2003 computer.

Figure 2- Legal Notice on Windows Vista SP1

Figure 3- Legal Notice on Windows Server 2003

Where is the formatting? How quickly we go from pretty to… “not so pretty”. There’s no way we are going to let the legal department see
this. We have to fix it. But first, let’s briefly explain why this is happening.
This problem originates from Windows NT 4, when we added Legal Notice Text to the operating system. At that time, it was a single string
and did not support carriage returns. We made several attempts to change this behavior shortly after Windows 2000. Interestingly enough,
those changes resulted in using a comma (,) as a delimiter for the carriage return. Kinda cool huh?… Not! Eight years later, legal counsel
craft very concise legal goo—which just might have a few commas included within the text. Then, administrators would have to enclose
grammatical commas in quotation marks so Windows would not parse them as a carriage return. That didn’t work well. In Windows Server
2003, we changed the editor to accept a carriage return, now allowing you to format your text within the policy, as we did in the example.
Well, that only solves the comma problem, because there was no change in how Windows parses the strings. Windows now inserts the commas
and quotes for you when it writes the policy setting. And, as you can see in our example, we started with two paragraphs or more and ended
with a single blob of text in the window. Lastly, this behavior has not changed with Windows Server 2008 or Windows Vista Service Pack 1.
So—how do I format this text?

You need to use a script to have your legal notice text appear properly formatted. Figure 4 shows a script you can use in a computer startup
script (not a user logon script). The script writes the legal notice text to the policy registry key—just as if it were applied using the security
policy settings. But, the script allows you to keep your formatting.

Here is the code for the script. Copy and paste this code into a text file. Be sure to save the text file with a .vbs extension or it will not run
correctly. Each command should appear on its own line (no text wrapping) as some of the text in the example is wrapped for readability.

'==========================================================================
' VBScript Source File --
' NAME: legal.vbs
' AUTHOR: Mike Stephens , Microsoft Corporation
' DATE: 11/26/2007
' COMMENT: sample computer startup script to deploy legalcaption and legaltext
'==========================================================================

' Windows Script Host shell object; its RegWrite method writes the registry.
Set wShell = CreateObject("Wscript.Shell")

' Title bar of the legal notice dialog.
strLegalCaption = "Legal Notice"

' Policy key and value names that the security policy settings would write.
Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

' Build the message one paragraph at a time; vbCrLf keeps the line breaks.
strLegalText = ""
strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbCrLf & vbCrLf

' Copy the line above and repeat for each paragraph in the legal notice.
' Remember it is best to limit your notice to two paragraphs that contain no more than 4
' sentences.

wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
wShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

Figure 4- Sample Vbscript code to write legal caption text

You’ll want to modify the sample code from Figure 4 to include your legal notice. Let me explain the script and which part requires your
modifications.

Line 1: Set wShell = CreateObject("Wscript.Shell")
This line creates a Windows Scripting Host shell object. The script uses a method (or function) of the shell object to write to the registry.

Line 2: strLegalCaption = "Legal Notice"
Line 2 creates a variable named strLegalCaption and assigns the text Legal Notice to the variable. This is the text Windows uses for the title
of the legal notice dialog box, which appears when the user presses CTRL+ALT+DEL.

Lines 3-5:
Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

These lines create what is called a constant. Constants mean just that- they remain constant—their values cannot change; unlike the values of
a variable, which can change. Line 3 is representative of the registry key location to which the script writes. Line 4 holds the registry value
name for the legal caption (title of the dialog box) while line 5 holds the value of the legal text (message in the dialog box). Constants work
similarly to search and replace features found in text editors and word processors. When Windows runs the script, it looks at the constants
declared in the script and then searches the remainder of the script for those words which are designated as constants. It then replaces the
word with the assigned value. Then, Windows continues running the script.

Line 6: strLegalText = ""
Line 6 creates a variable named strLegalText and assigns an empty string to the variable. This is equivalent to a blank line (without a
carriage return).

Line 7:
strLegalText = strLegalText & "The easiest way is to insert the entire paragraph on one line, between the quotation marks." & vbCrLf & vbCrLf

This line is the important line. This line defines the text of your legal notice (the text appearing in the dialog box). The registry value name
LegalNoticeText is a single string value. Therefore, the script must concatenate your entire legal text notice into one line of text, including
carriage returns. The first part of line 7 shows strLegalText = strLegalText &. This command phrase handles concatenating your paragraphs
into a single line of text, so we can write it into the single string registry value. The next phrase in the script is between the quotation marks.
This represents the first paragraph of your legal notice. You’ll want to paste the entire paragraph between the quotation marks. The best way
to do this is to paste your paragraph into Notepad, ensuring that Word Wrap is off (click Format on the menu to ensure there is no check mark next
to Word Wrap). Position the cursor at the end of the first line. Use the Delete key to move the text on the next line up to the current line. Be sure to
keep your spaces. Follow this process until the entire paragraph is on one line (you’ll more than likely have to scroll to the right). Make sure
you have opening and closing quotation marks. Your script will likely fail if the command is not on a single line.

Important

A quotation mark (") represents the beginning and end of a string in VBScript. Any
alphanumeric characters between the quotation marks, including spaces, are included in the
string—just as if you were typing a long file name as an argument for a command-line
application. Be certain your legal text does not include any quotation marks. If possible, use
single quotation marks (').

Copy and paste your original line 7 and repeat the above for each paragraph you want included in your legal text. Things to watch for are:

- Quotation marks inserted between the beginning and ending quotation marks.
- The entire command not being on a single line.
- Keeping the & vbCrLf & vbCrLf immediately after the ending quotation mark at the end of each line that represents a paragraph in
your legal text.

My legal text notice in this example is three paragraphs, with the last paragraph being a single sentence. Therefore, lines 7-9 will look similar
to the following for my example script (these are three separate commands on three separate lines):

strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbCrLf & vbCrLf

strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbCrLf & vbCrLf

strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbCrLf & vbCrLf

Lines 8, 9 (sample script in Figure 4):
wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
wShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

These two lines do all the work. Both lines use the Windows Scripting Host shell object to write to the registry of the local computer. This is
accomplished using the RegWrite method. The first parameter to the RegWrite method is the full registry path (hive, key and value name). The
second parameter is the value the script writes into the value name. The last parameter is the data type of the value name—in this case both
values are strings, which are REG_SZ data types.

Line 8 uses the POLICY_KEY constant and the LEGAL_CAPTION_VALUENAME constant to build the path to which the script writes.
strLegalCaption is the variable we used to hold the value of the legal caption. Line 9 uses the POLICY_KEY constant and the
LEGAL_TEXT_VALUENAME constant to build the path to which the script writes. strLegalText is the variable we used to hold the value
of the legal text.

Below is the example script created for contoso.com’s legal text notice, which is based on the sample script from Figure 4.

'==========================================================================
' VBScript Source File --
' NAME: legal.vbs
' AUTHOR: Mike Stephens , Microsoft Corporation
' DATE: 11/26/2007
' COMMENT: sample computer startup script to deploy legalcaption and legaltext
'==========================================================================

' Windows Script Host shell object; its RegWrite method writes the registry.
Set wShell = CreateObject("Wscript.Shell")

' Title bar of the legal notice dialog.
strLegalCaption = "Legal Notice"

' Policy key and value names that the security policy settings would write.
Const POLICY_KEY = "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\"
Const LEGAL_CAPTION_VALUENAME = "legalnoticecaption"
Const LEGAL_TEXT_VALUENAME = "legalnoticetext"

' Contoso's notice: three paragraphs, each on its own line, separated by blank lines.
strLegalText = ""
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbCrLf & vbCrLf
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren. Sie sind mit Vernunft und Gewissen begabt und sollen einander im Geist der Brüderlichkeit begegnen." & vbCrLf & vbCrLf
strLegalText = strLegalText & " Alle Menschen sind frei und gleich an Würde und Rechten geboren." & vbCrLf & vbCrLf

' Copy the line above and repeat for each paragraph in the legal notice.
' Remember it is best to limit your notice to two paragraphs that contain no more than 4
' sentences.

wShell.RegWrite POLICY_KEY & LEGAL_CAPTION_VALUENAME, strLegalCaption, "REG_SZ"
wShell.RegWrite POLICY_KEY & LEGAL_TEXT_VALUENAME, strLegalText, "REG_SZ"

Figure 5- Contoso.com’s legal notice script

If you can, disable your existing Group Policy object that contains your legal text notice security policy settings. Now, create a new Group
Policy object and assign this at the level appropriate for your environment. Configure this GPO with a computer startup script and include
your script. Refresh Group Policy and then logoff your workstation. Press CTRL+ALT+DEL.

Figure 6- Formatted legal notice

https://blogs.technet.microsoft.com/askds/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy/
How To Configure Legal Notices On Domain Computers Using Group Policy
Posted by Prajwal Desai

Date: March 18, 2013

in: Windows Server 2008 R2

How To Configure Legal Notices On Domain Computers Using Group Policy – A few years ago,
when I was working on Windows Server 2008 R2, I was told by my manager to configure a logon
banner. What came to my mind was to write a script for it and run the script at logon. There are two
ways to configure legal notices on domain computers: you can configure them by writing a script and
executing it at logon, or by configuring the legal notice using a Group Policy. I believe the second
method is very easy. You can configure Windows Server to display a message to users when they
log on. You can use the message display functionality to personalize the logon process, provide
news or information, and for other similar purposes. The message appears after the user presses
CTRL+ALT+DEL and disappears after the user clicks OK.

In this post we will see on how to configure legal notices on domain computers using group policy.
We will create a group policy, modify the policy settings and link it to the domain. I am configuring
this policy on a domain controller running Windows server 2008 R2 SP1 edition.

Login to the domain controller machine with the administrator account. Click on Start, Click on
Administrative Tools, Click on Group Policy Management. Under Domains, right click your
domain and click on Create a GPO in this domain, and link it here.

We will create a policy named Logon_Banner. Click on OK.


Right-click the policy Logon_Banner and click on Edit. In the Group Policy Management Editor, click on
Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings,
expand Local Policies, and click on Security Options.
In the right pane look for the policy Interactive logon: Message text for users attempting to log
on. This security setting specifies a text message that is displayed to users when they log on. You
can paste the logon text that is to be displayed to the users before they log in. Click on Apply and
OK.
In the right pane look for the policy Interactive logon: Message title for users attempting to log
on. This security setting allows the title to appear in the title bar of the window that contains the
interactive logon message. Type the title text and click on Apply and OK.
On the client computer open the command prompt and run the command gpupdate.
Log off from the client computer. Hold CTRL+ALT and press DEL. You should see the logon
banner. Click on OK to log in to the computer.

http://prajwaldesai.com/how-to-configure-legal-notices-on-domain-computers-using-group-policy/
How To Restrict Access To Drives In My Computer In Windows

If you have a shared or public computer that several people use, you might want to
restrict access to its drives to prevent users from deleting important data. Today
we look at restricting access to some or all drives on the machine using Local
Group Policy.

Note: This method uses Local Group Policy Editor which is not available on home
versions of Windows 7 or Vista

First type gpedit.msc in the search box of the Start Menu and hit Enter.

Now navigate to User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer.
Then on the right side under Setting, double-click Prevent access to drives from My Computer.
Select Enabled; then under Options, from the drop-down menu you can restrict a
certain drive, a combination of drives, or all of them. The main drive you would
probably want to restrict is the C:\ drive, or whichever lettered drive Windows is
installed on. Restricting all drives means they can’t access the CD or DVD drive,
and cannot use a flash drive if they need to get files from it.

Note: This setting won’t prevent users from using programs that access the local
drives.

The restrictions take effect immediately, no restart is required. When a user opens
up My Computer they’ll be able to see which drives are listed, but when they try to
access a restricted drive, they’ll get the following error message.
For the screenshots in this tutorial we used Windows 7 Ultimate, but this process
also works with XP Professional and Vista (not in Home versions) the screens just
look different.

Local Group Policy allows you to customize several settings for how you want to
administer your machine. Restricting access to certain drives in addition to other
security and access measures, can help keep a shared computer stable and
secure.
http://www.howtogeek.com/howto/8035/how-to-restrict-access-to-drive-in-my-computer-on-windows/

Remote Desktop Services Blog

How to restrict users from accessing local drives of an RD Session Host server while using RemoteApp programs
Hello, my name is Pankaj Pande and I would like to discuss a method that an administrator can use to keep users from storing files in public
folders and scattering files randomly throughout a virtual machine pool or Remote Desktop Session Host (RD Session Host) server farm,
while using Remote Desktop Services and RemoteApp programs. (Note: an “RD Session Host server” was formerly called a “terminal
server” in Windows Server 2008.)

Currently, when a user creates an RDP session or starts a RemoteApp program, they can see, and in some cases traverse, drives C and D of the
RD Session Host server. They can also save anything on the desktop, which might look like their personal desktop, but it’s actually the
desktop of the RD Session Host server.

Restrictions will disable Libraries and Favorites and will hide or restrict users or a group of users from accessing and viewing any drives on
the RD Session Host server. Users will be provided with an error message even if they use the UNC path to access the drives.

The primary reason to remove Favorites and Libraries and access to drives is that they contain the most commonly accessed locations on a system;
in the case of the RD Session Host server, this includes the desktop, downloads, recent places, etc. It is recommended that a user not save any
documents to these locations.

Removing Favorites and Libraries

You must perform these modifications on the RD Session Host server. You can use the Registry to make these changes.

Using the Registry (applies to all users including the administrators)
Note: Back up the key first and take ownership of the ShellFolder key before changing the value of Attributes.

1. For Favorites, the key is:

[HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]
"Attributes"=dword:a0900100

Changing a0900100 to a9400100 will hide Favorites from the navigation pane.

2. For Libraries, the key is:

[HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]
"Attributes"=dword:b080010d

Changing b080010d to b090010d will hide Libraries from the navigation pane.

Hiding/Preventing Access to Drives


You can use Group Policy settings to hide and restrict access to drives on the RD Session Host server. By enabling these settings you can
ensure that users do not inadvertently access data stored on other drives, or delete or damage programs or other critical system files on drive
C.

The following settings are located in the Group Policy Management Console under User Configuration\Policies\Administrative
Templates\Windows Components\Windows Explorer:

- Hide these specified drives in My Computer. You can remove the icons for specified drives from a user’s My Computer folder
by enabling this setting and using the drop-down list to select the drives you would like to hide. However, this setting does not
restrict access to these drives.

- Prevent access to drives from My Computer. Enable this setting to prevent users from accessing the chosen combination of
drives. Use this setting to lock down the RD Session Host server for users accessing it for their primary desktop.

Applies to:

- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003

Other Group Policy Settings for Additional Security

You can also enable the following Group Policy settings at User Configuration\Administrative Templates\Windows Components\Windows
Explorer:

- Hides the Manage item on the Windows Explorer context menu — Enabled
- Remove Hardware tab — Enabled
- Remove “Map Network Drive” and “Disconnect Network Drive” — Enabled
- Remove Search button from Windows Explorer — Enabled
- Disable Windows Explorer’s default context menu — Enabled
- Remove Run menu from Start Menu — Enabled

Applies to:

- Windows Server 2008 R2
- Windows Server 2008
- Windows 7
- Windows Vista
- Windows XP

https://blogs.msdn.microsoft.com/rds/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs/
Using Group Policy Objects to hide specified drives
This article was previously published under Q231289

SUMMARY
With Group Policy Objects in Windows, there is a "Hide these specified drives in My
Computer" option that lets you hide specific drives. However, it may be necessary to
hide only certain drives but retain access to others.

There are seven default options for restricting access to drives. You can add other
restrictions by modifying the System.adm file for the default domain policy or any
custom Group Policy Object (GPO). The seven default selections are:

- Restrict A, B, C and D drives only
- Restrict A, B and C drives only
- Restrict A and B drives only
- Restrict all drives
- Restrict C drive only
- Restrict D drive only
- Do not restrict drives

Microsoft does not recommend changing the System.adm file; instead, create a
new .adm file and import it into the GPO. The reason is that changes you apply
to the System.adm file might be overwritten if Microsoft releases a new version
of the System.adm file in a Service Pack.

The whitepaper "Implementing Registry-Based Group Policy for Applications" explains
how to write custom .ADM files. To view this whitepaper, please see the following
Microsoft Web site:
http://download.microsoft.com/download/1/7/2/1725520f-1228-4dff-9c5d-594042475844/rbppaper.doc

MORE INFORMATION
The default location of the System.adm file for a default domain policy is:

%SystemRoot%\Sysvol\Sysvol\YourDomainName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\System.adm

The contents of these folders are replicated throughout a domain by the File
Replication service (FRS). Note that the Adm folder and its contents are not populated
until the default domain policy is loaded for the first time.

To make changes to this policy for one of the seven default values:

1. Start the Microsoft Management Console. On the Console menu, click Add/Remove
Snap-in.
2. Add the Group Policy snap-in for the default domain policy. To do this, click Browse
when you are prompted to select a Group Policy Object (GPO). The default GPO is Local
Computer. You can also add GPOs for other domain partitions (specifically,
Organizational Units).
3. Open the following sections: User Configuration, Administrative Templates, Windows
Components, and Windows Explorer.
4. Click Hide these specified drives in My Computer.
5. Click to select the Hide these specified drives in My Computer check box.
6. Click the appropriate option in the drop-down box.

These settings remove the icons representing the selected hard disks from My
Computer, Windows Explorer, and My Network Places. Also, these drives do not appear
in the Open dialog box of any programs.

This policy is designed to protect certain drives, including the floppy disk drive, from
misuse. It can also be used to direct users to save their work to certain drives.

To use this policy, select a drive or combination of drives in the drop-down box. To
display all drives (hide none), disable this policy or click the Do not restrict drives
option.

This policy does not prevent users from using other programs to gain access to local
and network drives or prevent them from viewing and changing drive characteristics by
using the Disk Management snap-in.

The default values are not the only values that you can use. By editing the System.adm
file, you can add your own custom values. This is the portion of the System.adm to be
modified:

POLICY !!NoDrives
    EXPLAIN !!NoDrives_Help
    PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoDrives"
        ITEMLIST
            NAME !!ABOnly VALUE NUMERIC 3
            NAME !!COnly VALUE NUMERIC 4
            NAME !!DOnly VALUE NUMERIC 8
            NAME !!ABConly VALUE NUMERIC 7
            NAME !!ABCDOnly VALUE NUMERIC 15
            NAME !!ALLDrives VALUE NUMERIC 67108863
            ;low 26 bits on (1 bit per drive)
            NAME !!RestNoDrives VALUE NUMERIC 0 (Default)
        END ITEMLIST
    END PART
END POLICY

[strings]
ABCDOnly="Restrict A, B, C and D drives only"
ABConly="Restrict A, B and C drives only"
ABOnly="Restrict A and B drives only"
ALLDrives="Restrict all drives"
COnly="Restrict C drive only"
DOnly="Restrict D drive only"
RestNoDrives="Do not restrict drives"
The [strings] section represents substitutions of the actual values in the drop-down box.

This policy displays only specified drives on the client computer. The registry key that
this policy affects uses a decimal number that corresponds to a 26-bit binary string,
with each bit representing a drive letter:

11111111111111111111111111
ZYXWVUTSRQPONMLKJIHGFEDCBA

This configuration corresponds to 67108863 in decimal and hides all drives. If you want
to hide drive C, make the third-lowest bit a 1, and then convert the binary string to
decimal.

It is not necessary to create an option to show all drives, because clearing the check
box deletes the "NoDrives" entry entirely, and all drives are automatically shown.

If you want to configure this policy to show a different combination of drives, create the
appropriate binary string, convert to decimal, and add a new entry to the ITEMLIST
section with a corresponding [strings] entry. For example, to hide drives L, M, N, and O,
create the following string

00000000000111100000000000
ZYXWVUTSRQPONMLKJIHGFEDCBA

and convert to decimal. This binary string converts to 30720 in decimal. Add this line to
the [strings] section in the System.adm file:

LMNO_Only="Restrict L, M, N and O drives only"

Add this entry in the ITEMLIST section above and save the System.adm file.

NAME !!LMNO_Only VALUE NUMERIC 30720

This creates an eighth entry in the drop-down box to hide drives L, M, N, and O only.
Use this method to include more values in the drop-down box. The modified section of
the System.adm file appears as follows:

POLICY !!NoDrives
    EXPLAIN !!NoDrives_Help
    PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoDrives"
        ITEMLIST
            NAME !!ABOnly VALUE NUMERIC 3
            NAME !!COnly VALUE NUMERIC 4
            NAME !!DOnly VALUE NUMERIC 8
            NAME !!ABConly VALUE NUMERIC 7
            NAME !!ABCDOnly VALUE NUMERIC 15
            NAME !!ALLDrives VALUE NUMERIC 67108863
            ;low 26 bits on (1 bit per drive)
            NAME !!RestNoDrives VALUE NUMERIC 0 (Default)
            NAME !!LMNO_Only VALUE NUMERIC 30720
        END ITEMLIST
    END PART
END POLICY

[strings]
ABCDOnly="Restrict A, B, C and D drives only"
ABConly="Restrict A, B and C drives only"
ABOnly="Restrict A and B drives only"
ALLDrives="Restrict all drives"
COnly="Restrict C drive only"
DOnly="Restrict D drive only"
RestNoDrives="Do not restrict drives"
LMNO_Only="Restrict L, M, N and O drives only"

This [strings] section represents substitutions of the actual values in the drop-down
box.
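The bit arithmetic the article walks through by hand (one bit per drive letter, A = bit 0 through Z = bit 25), as an added PowerShell example that is not part of the KB article: it converts drive letters to the NoDrives value and back, checks the seven built-in values and the L, M, N, O case against the numbers the article gives, and emits the ITEMLIST and [strings] lines for any custom combination. The function names are mine; the HKCU\...\Policies\Explorer location read at the end is the well-known place the policy writes NoDrives, which the article does not name.

```powershell
# Added example: NoDrives bitmask helpers for the "Hide these specified drives" policy.
function ConvertTo-NoDrivesMask {
    # Drive letters -> decimal value. Bit 0 = A, bit 1 = B, ..., bit 25 = Z.
    param([Parameter(Mandatory)][string[]]$Drives)
    $mask = 0
    foreach ($d in $Drives) {
        $letter = [char]::ToUpper([char]$d.Trim()[0])
        if ($letter -lt 'A' -or $letter -gt 'Z') { throw "Not a drive letter: $d" }
        $mask = $mask -bor (1 -shl ([int][char]$letter - [int][char]'A'))
    }
    return $mask
}

function ConvertFrom-NoDrivesMask {
    # Decimal value -> drive letters, so an existing registry value can be read.
    param([Parameter(Mandatory)][int]$Mask)
    $letters = @()
    for ($i = 0; $i -lt 26; $i++) {
        if ($Mask -band (1 -shl $i)) { $letters += [string][char](65 + $i) }
    }
    return $letters
}

function New-NoDrivesAdmEntry {
    # Produces the ITEMLIST line and the [strings] line for a custom combination,
    # plus the 26-bit string in the same Z..A order the article prints.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string[]]$Drives)
    $value = ConvertTo-NoDrivesMask -Drives $Drives
    [pscustomobject]@{
        Value      = $value
        Binary     = [Convert]::ToString($value, 2).PadLeft(26, '0')
        ItemList   = "NAME !!$Name VALUE NUMERIC $value"
        StringsRow = "$Name=`"Restrict $($Drives -join ', ') drives only`""
    }
}

# Cross-check against the values the article lists; stop if anything disagrees.
$articleValues = @{ 'AB' = 3; 'C' = 4; 'D' = 8; 'ABC' = 7; 'ABCD' = 15; 'LMNO' = 30720 }
foreach ($combo in $articleValues.Keys) {
    $got = ConvertTo-NoDrivesMask -Drives ($combo.ToCharArray())
    if ($got -ne $articleValues[$combo]) { throw "$combo -> $got, article says $($articleValues[$combo])" }
}
if ((ConvertTo-NoDrivesMask -Drives ([char[]](65..90))) -ne 67108863) { throw 'all-drives mask mismatch' }

# The worked example from the article: L, M, N, O.
New-NoDrivesAdmEntry -Name 'LMNO_Only' -Drives 'L','M','N','O' | Format-List

# Decode what is applied to the current user (well-known policy location).
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $explorerKey -Name NoDrives -ErrorAction SilentlyContinue).NoDrives
if ($null -ne $current) { "Drives hidden for this user: $((ConvertFrom-NoDrivesMask -Mask $current) -join ', ')" }
else { 'NoDrives is not set for this user' }
```

The "Prevent access to drives from My Computer" setting used in the earlier sections encodes its drive list with the same 26-bit layout, so the conversion functions apply to it as well.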
For additional information, click the following article number to view the article in the
Microsoft Knowledge Base:

230263 HOW TO: Create custom MMC snap-in tools using Microsoft Management
Console

Properties

Article ID: 231289 - Last Review: 08/19/2009 06:43:44 - Revision: 5.0

Applies to

- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Standard
- Windows Server 2008 Datacenter
- Windows Server 2008 Enterprise
- Windows Server 2008 Standard
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
- Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Server

https://support.microsoft.com/en-us/kb/231289
