
I would like to know what's the recommended solution for the following problem.

We do not want users to see (or at least not to modify) the drives D and E of a server they have remote access to.

However, the tools installed on that server still need to have access to those drives in order to be able to work properly.

Rickson
  • There's a Group Policy setting you can enable to hide those drives from users. The setting does not prevent programmatic access to those drives. – joeqwerty Jan 25 '19 at 17:11
  • Do you know which one? Does it also work for drive E? – Rickson Jan 25 '19 at 17:17
  • https://gpsearch.azurewebsites.net/#2650 – joeqwerty Jan 25 '19 at 17:25
  • Found that one, too. However, it does not allow hiding of drive E. – Rickson Jan 25 '19 at 17:34
  • Right. There's a setting to restrict/hide access to all drives. That's the one you should use. It will prevent users from viewing and accessing all local drives in Windows/File Explorer, etc. It does not prevent programmatic access to those drives for SQL, Exchange, etc. – joeqwerty Jan 25 '19 at 17:39
  • Unfortunately, they need to have access to some of the drives. This is what makes it difficult. – Rickson Jan 25 '19 at 17:41
  • What about ACLs? Allow the users to read/write to the places they need to have access to and prevent access to everything else.... – Sven Jan 25 '19 at 17:50
  • I think it can only be done by this [hack](https://support.microsoft.com/en-us/help/231289/using-group-policy-objects-to-hide-specified-drives) proposed by Microsoft, but on the same site they are saying: _Microsoft does not recommend to change the System.adm file, but instead to create a new .adm file and import this .adm into the GPO. The reason is that if you apply changes to the system.adm file, these changes might get overwritten if Microsoft releases a new version of the system.adm file in a Service Pack._ Anyway, how can an OS be missing native support for such a basic feature? – Rickson Jan 26 '19 at 10:14

1 Answer


This registry setting helped us to hide the drive letters: https://ss64.com/nt/syntax-nodrives.html

Rickson
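The registry setting referred to in this answer is a per-user bitmask, so hiding only D: and E: means setting just their two bits. The following is an added example, not part of the original answer: the function names are hypothetical, and it assumes the script runs in the session of the user whose view is being restricted (for instance from a logon script), since it writes to that user's HKCU hive.

```powershell
# Added example (not from the original post). NoDrives and NoViewOnDrive are
# per-user DWORD bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertTo-DriveMask {
    # Hypothetical helper: turn drive letters ('D', 'e:') into the bitmask.
    param([Parameter(Mandatory)][string[]]$Letter)
    $mask = 0
    foreach ($l in $Letter) {
        $c = $l.Trim().TrimEnd(':').ToUpperInvariant()
        if ($c -notmatch '^[A-Z]$') { throw "Not a drive letter: '$l'" }
        $mask = $mask -bor (1 -shl ([int][char]$c - [int][char]'A'))
    }
    return $mask
}

function ConvertFrom-DriveMask {
    # Hypothetical helper: decode an existing mask back into letters for auditing.
    param([Parameter(Mandatory)][int]$Mask)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { [char]([int][char]'A' + $_) }
}

function Set-HiddenDrive {
    param([Parameter(Mandatory)][string[]]$Letter, [switch]$BlockExplorerAccess)
    $mask = ConvertTo-DriveMask -Letter $Letter
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # NoDrives: hide the letters in Explorer and the common file dialogs.
    New-ItemProperty -Path $PolicyKey -Name NoDrives -PropertyType DWord `
        -Value $mask -Force | Out-Null
    if ($BlockExplorerAccess) {
        # NoViewOnDrive: additionally refuse to open those drives from Explorer.
        New-ItemProperty -Path $PolicyKey -Name NoViewOnDrive -PropertyType DWord `
            -Value $mask -Force | Out-Null
    }
    return $mask
}

# D: is bit 3 and E: is bit 4; every other drive stays visible.
$mask = Set-HiddenDrive -Letter 'D', 'E'
'NoDrives = {0} (0x{0:X}) hides: {1}' -f $mask, ((ConvertFrom-DriveMask $mask) -join ', ')
```

The change is picked up when the user next signs in. As noted in the comments, this only affects what Explorer shows, so programs can still reach D: and E:, and NTFS ACLs remain the control that decides who can actually read or modify them.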