Question : Can't get GPO to hide drives

Hello All,

I'm new to GPO..
I'm trying to hide the drives on our terminal servers and I can't seem to make the GPO work.

In the GPMC, I have created a new policy object called "Hide Drives"
I edit the GPO... User Configuration - Administrative Templates - Windows Components - Windows Explorer - Hide these specified drives in My Computer (Enabled - Restrict A, B, C and D drives only)

Then in the GPMC, I right-click on the Terminal Servers OU (which is under the Information Systems OU... which is under the domain)   and choose "Link an Existing GPO"... then picked out "Hide Drives"

When I login to a server that is under the Terminal Server OU, I can still see all the drives.
I would like this policy applied to anyone logging into one of these terminal servers.... I would also like to block it for domain and enterprise admins.

The other issue is when I try to create my own .ADM file to hide drives A-F
Here is what the ADM file looks like.

      CLASS USER

      CATEGORY !!WindowsExplorer
            #if version >= 4
            EXPLAIN !!WindowsExplorer_Help
            #endif


            KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


            POLICY !!NoDrives
                  #if version >= 4
                  SUPPORTED !!SUPPORTED_Win2k
                  #endif

                  EXPLAIN !!NoDrives_Help
                  PART !!NoDrivesDropdown      DROPDOWNLIST NOSORT REQUIRED
                        VALUENAME "NoDrives"
                        ITEMLIST
                              NAME !!ABOnly           VALUE NUMERIC      3
                              NAME !!COnly            VALUE NUMERIC      4
                              NAME !!DOnly            VALUE NUMERIC       8
                              NAME !!ABConly          VALUE NUMERIC       7
                              NAME !!ABCDOnly         VALUE NUMERIC      15
                              NAME !!ABCDEFOnly       VALUE NUMERIC      63
                              NAME !!ALLDrives        VALUE NUMERIC      67108863 DEFAULT
                              ; low 26 bits on (1 bit per drive)
                              NAME !!RestNoDrives     VALUE NUMERIC      0
                        END ITEMLIST
                  END PART
            END POLICY
      END CATEGORY

[strings]
RestNoDrives="Restrict No drives"
ALLDrives="Restrict All drives"
ABCDEFOnly="Restrict A, B, C, D, E and F drives only"
ABCDOnly="Restrict A, B, C and D drives only"
ABConly="Restrict A, B and C drives only"
DOnly="Restrict D drive only"
COnly="Restrict C drive only"
ABOnly="Restrict A and B drives only"
NoDrives="Hide these specified drives in My Computer"
NoDrives_Help="Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.\n\nTo use this setting, select a drive or combination of drives in the drop-down list. To display all drives, disable this setting or select the "Do not restrict drives" option in the drop-down list.\n\nNote: This setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window.\n\nAlso, this setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.\n\nAlso, see the "Prevent access to drives from My Computer" setting.\n\nNote: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting."
WindowsExplorer="Windows Explorer"
WindowsExplorer_Help="Manages Windows Explorer settings. These include shell properties, folder options, file menus, and available drives."
SUPPORTED_Win2k="At least Microsoft Windows 2000"
NoDrivesDropdown="Pick one of the following combinations"

If I go into gpedit.msc and add the template to the User Configuration - Administrative Templates
When I look at User Configuration - Administrative Templates - Windows Components - Windows Explorer
I only see the Hide these drives setting... no other settings appear...  is this normal?

First problem is why can't I get the Hide Drives to apply ?
Second problem is how to I expand this setting to hide A-F instead of just A-D ?

TIA,
Die-Tech

Answer : Can't get GPO to hide drives

Ok... I've got that working....

I can hide drives A-D on the terminal servers....

Above I mentioned I wrote a .ADM file to import that gives more options so I can hide drives A-F
When I add the template above, I only see the "Hide these drives setting" under
User Configuration - Administrative Templates - Windows Components - Windows Explorer

What is the trick to keeping all the settings?

I also tried to copy the system.adm file, make my changes and then import the changed file... when I do this, I get the following error messages.
---------------------------
Administrative Templates
---------------------------
The following error occurred in C:\WINDOWS\System32\GroupPolicy\Adm\system.adm on line 62:
Error 64  Help string specified more than once
The file can not be loaded.
---------------------------

---------------------------
Administrative Templates
---------------------------
The following error occurred in C:\WINDOWS\System32\GroupPolicy\Adm\system.adm on line 6603:
Error 64  Help string specified more than once
The file can not be loaded.
---------------------------

I was thinking of removing the system.adm template... and then importing the edited template as system.adm... but I'm not sure if that's a good idea.

Random Solutions  
 
programming4us programming4us