Gates Foundation Granted Computers  
RSS
Threads [ Previous | Next ]
Question about adding and restricting drive letters
Showing 6 results.
Question about adding and restricting drive letters
5:36 PM EDT 10/22/07
A while ago I downloaded and installed the driveadm.exe file to allow people to use flash drives and other usb items. We have it set to 'restrict all but A, E, F, and G.' This works for single usb devices.

However, to allow multiple usb drive letters all at once (such as a memory card reader), it looks like the only option is to select 'Restrict only C and D.' This gives them access to the network drive/folder (drive H: ) through My Computer, which we definitely do not want, but there are no more options to restrict these and allow for more drive letters.

Is there any work around for this, to allow more drive letters to be accessed but still restricting C: D: and H:, those I want locked down?

Thanks!

Message was edited by:
lakedaemon
Re: Question about adding and restricting drive letters
10:22 PM EDT 10/22/07 as a reply to A T.
Yes you can.

All that driveadm.exe file does is copy a policy template file named OSv2.adm into the proper location on your C drive. This file is a version of the original os.adm that has been edited to give extra options for hiding drives. The .adm files generally are just text files that define the options and variables you see when you open up System Policy Editor.

1. Click Start > Programs > Administrative Tools > Policy Editor. The System Policy Editor opens.
2. Click Options, and select Policy Template. The Policy Template Options window opens.
3. Select C:\WINNT\inf\os.adm (or OSv2.adm if that is the one that is loaded), and click Remove. The file is removed from the Policy Template Options window.
4. Browse to C:\WINNT\inf\ and open the .adm file you just removed with Notepad.
5. Find the NoDrives policy and add a line with the correct value to hide the drive letters you want.
6. Save the file.
7. Back in System Policy Editor, with the Options window still open, add the adm file back in.
8. Load ntconfig.pol and browse to the "Hide these drives..." setting. You should now see the option you added.

OK, so the tricky part is figuring out what to add. Here is an MS article about editing this setting: http://support.microsoft.com/kb/231289
You have to create a 26 bit binary number, where each digit corresponds to a drive letter. This isn't as difficult as it sounds if you write out the alphabet Z to A and then above that write a 0 above each letter you will show, and a 1 above each you will hide. Then you will need to convert that long number into a decimal figure. Here is an example of an online converter you can use:
http://mistupid.com/computers/binaryconv.htm

The rest of the line you will add to the file is easy, because you can just copy and edit slightly one of the others.

Dale
Re: Question about adding and restricting drive letters
1:35 PM EDT 10/30/07 as a reply to Dale Musselman.
That worked perfectly, thank you, thank you!!

Now, do you by any chance know of the way to hide that pesky drive H:? emoticon

H: is restricted, but still visible in 'My Computer.'

ETA: Never mind, figured it out. Wasn't that hard. emoticon

Message was edited by:
lakedaemon
Re: Question about adding and restricting drive letters
8:46 PM EST 11/25/07 as a reply to Dale Musselman.
I did this once several years ago and now need to add an additional letter. I have the file saved on the computer, but the instructions say go to Administrative Tools --> Policy Editor. My problem: Policy editor isn't there. Is there another way to find it?
Re: Question about adding and restricting drive letters
2:07 PM EST 11/26/07 as a reply to Teresa Pennington.
The first thing to check is that your Profile Restrictions are in place. When you remove them, it also completely removes Policy Editor. So you have to do this whole procedure with all restrictions turned on.

But if for some reason they are on and everything seems to be locked down correctly, but you just don't have Policy Editor listed in Admin Tools, you can do either of these:
1. Go to Start>Run and type in: poledit.exe
2. Especially if #1 doesn't work, you might also try removing the Profile restrictions and then reinstalling them.

Dale
Re: Question about adding and restricting drive letters
10:19 PM EST 11/30/07 as a reply to Dale Musselman.
Thanks, that helped. I had the profile restrictions off.