GPO to Hide Specified Drives

With Group Policy Objects in Windows, there is a “Hide these specified drives in My Computer” option that lets you hide specific drives. However, it may be necessary to hide only certain drives while retaining access to others.

There are seven default options for restricting access to drives. You can add other restrictions by modifying the System.adm file for the default domain policy or any custom Group Policy Object (GPO). The seven default selections are:

  • Restrict A, B, C and D drives only
  • Restrict A, B and C drives only
  • Restrict A and B drives only
  • Restrict all drives
  • Restrict C drive only
  • Restrict D drive only
  • Do not restrict drives

Microsoft does not recommend changing the System.adm file. Instead, create a new .adm file and import it into the GPO. The reason is that changes made to the System.adm file might be overwritten if Microsoft releases a new version of the file in a Service Pack.
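A custom drive combination needs a numeric value for its entry in the new .adm file. The following is an added example, not part of the original article or of Microsoft's template: it assumes the policy is stored as the NoDrives DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer with bit 0 = A through bit 25 = Z, and the function names and the E/F label are hypothetical.

```powershell
# Added example. Assumption: NoDrives is a 26-bit mask, bit 0 = A: ... bit 25 = Z:.

function ConvertTo-NoDrivesMask {
    # Build the mask for a set of drive letters, e.g. 'E','F'.
    param([Parameter(Mandatory)][char[]]$Drive)
    $mask = 0
    foreach ($d in $Drive) {
        $index = [int][char]::ToUpperInvariant($d) - 65   # 65 = 'A'
        if ($index -lt 0 -or $index -gt 25) {
            throw "Not a drive letter: $d"
        }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function ConvertFrom-NoDrivesMask {
    # Decode a mask back into the drive letters it hides (useful when auditing).
    param([Parameter(Mandatory)][int]$Mask)
    0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { [char](65 + $_) }
}

function New-AdmDriveItem {
    # Emit one ITEMLIST entry for a custom .adm file (assumed entry shape).
    param([Parameter(Mandatory)][string]$Label,
          [Parameter(Mandatory)][char[]]$Drive)
    '    NAME "{0}" VALUE NUMERIC {1}' -f $Label, (ConvertTo-NoDrivesMask $Drive)
}

# Cross-check against two of the default selections, then build a custom one.
ConvertTo-NoDrivesMask 'A','B','C','D'
ConvertTo-NoDrivesMask ([char[]](65..90))
New-AdmDriveItem -Label 'Restrict E and F drives only' -Drive 'E','F'

# Audit: show which drives the current user's policy hides, if the value is set.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $key -Name NoDrives -ErrorAction SilentlyContinue).NoDrives
if ($null -ne $current) {
    'NoDrives = {0}: hides {1}' -f $current, ((ConvertFrom-NoDrivesMask $current) -join ', ')
} else {
    'NoDrives is not set for this user.'
}
```

The mask only controls which drive icons are shown; it is not an access control on the drive contents.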

The default location of the System.adm file for a default domain policy is:

The contents of these folders are replicated throughout a domain by the File Replication Service (FRS). Note that the Adm folder and its contents are not populated until the default domain policy is loaded for the first time.

  1. Open the following sections: User Configuration, Administrative Templates, Windows Components, and Windows Explorer.
  2. Click Hide these specified drives in My Computer.
  3. Click to select the Hide these specified drives in My Computer check box.
  4. Click the appropriate option in the drop-down box.

These settings remove the icons representing the selected hard disks from My Computer, Windows Explorer, and My Network Places. Also, these drives do not appear in the Open dialog box of any programs.
This policy is designed to protect certain drives, including the floppy disk drive, from misuse. It can also be used to direct users to save their work to certain drives.

Other Group Policy Settings for Additional Security

You can also enable the following Group Policy settings at User Configuration\Administrative Templates\Windows Components\Windows Explorer:

  • Hides the Manage item on the Windows Explorer context menu — Enabled
  • Remove Hardware tab — Enabled
  • Remove “Map Network Drive” and “Disconnect Network Drive” — Enabled
  • Remove the Search button from Windows Explorer — Enabled
  • Disable Windows Explorer’s default context menu — Enabled
  • Remove Run menu from Start Menu — Enabled