How to restrict drives on workstations

  • 10057048
  • NOVL26756
  • 21-Sep-2000
  • 11-Sep-2003

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Goal

How to restrict drives on workstations

Fact

Novell ZENworks for Desktops 3.0

Novell ZENworks for Desktops 4 - ZFD4

Novell ZENworks Desktop Management

Symptom

Cannot restrict specific drives on workstations

Unable to restrict mapped drives with Group Policies on XP

ZENworks for Desktops 2 ZAK system policy does not exist for a ZENworks for Desktops 3 user extensible policy.

Fix

How to restrict drives in Group Polices, see:

Microsoft Article #242092

Microsoft document Q220955 can be somewhat confusing, especially on how to convert binary values to the decimal value needed to revoke / enable certain drive letters. The following example is how to convert to the value needed to show all drives except drives A, D, R & T.

The MS document gives the example:

11111111111111111111111111     This represents the 26 drive letters Z-A, going from far left (Z) to far right (A)

This binary value equals the decimal value of 67108863, which could turn OFF all drives from showing

As previously explained the value of "1" will turn OFF a specific drive and "0" turns it ON  

Since the goal in this case is to shut off drives A, D, R & T  and display the rest of all possible drives, it may be  helpful to draw a chart made up of 26 zeros above which you can write zyxwvutsrqponmlkjihgfedcba to mark where each of these letters will fall.  

00000000000000000000000000    The binary value for shutting off A,D,R,T then would be  10100000000000001001  

Since the last drive to be removed is "T"  (represented by the first "1" on the far left)  anything to the left of it will remain zeros and therefore ignored or cut out of the rest of the equation.  ( "T" is the 20th letter in the alphabet counting from right to left. "R" is 18th, "D" is 4th, "A" is 1st ) hence the value 10100000000000001001

After the chart is created

1. Run the Windows calculator, and select "View" and choose the "Scientific" option.
2. Click on the "Bin" circle and enter in 10100000000000001001
3. Then click in the "Dec" circle and it will convert it to the number (655369) which will be used in the new value to be entered into  ZAKWINNT.ADM  (located in the path .ConsoleOne\1.2\BIN\ZEN\ADMFILES\   )

4. Once the decimal value is known, edit ZAKWINNT.ADM and search for the following section:

--------------------------------------------------------------------
CATEGORY !!Drives
        CATEGORY !!Restrictions
                        
                POLICY !!HideDrives

--------------------------------------------------------------------

Once you have found this section go down a bit further until  you see the following:

KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

                        PART !!HideDrivesOptions        DROPDOWNLIST
                        VALUENAME "NoDrives"                
                        ITEMLIST
                                Name !!HideDrives_all                VALUE NUMERIC 67108863
                                NAME !!HideDrives_C                VALUE NUMERIC 67108859 ; (67108863 - 4)
                                NAME !!HideDrives_U                VALUE NUMERIC 66060287
                                NAME !!HideDrives_CU                VALUE NUMERIC 66060283
                                NAME !!HideDrives_COU        VALUE NUMERIC 66043899
                                NAME !!HideDrives_W                VALUE NUMERIC 62914559         
                                NAME !!HideDrives_WC                VALUE NUMERIC 62914555         
                                NAME !!HideDrives_PW                VALUE NUMERIC 62881791        
                                NAME !!HideDrives_MN                VALUE NUMERIC 12288        

                        END ITEMLIST


Somewhere between ITEMLIST and END ITEMLIST  add the following:

                                NAME !!HideDrives_ADRT        VALUE NUMERIC 655369


5. Once you have done this, the last part is to find the [strings] section in ZAKWINNT.ADM which is near the bottom.  Under the [strings] heading, search until you see the following lines:
-----------------------------------------------------------------------
Drives="Drives"
Restrictions="Restrictions"
HideDrives="Show only selected drives"
HideDrivesOptions="Choose Drives that will be shown:"
HideDrives_all="Don't show any drives"
HideDrives_A="Only A:"
HideDrives_C="Only C:"
HideDrives_ADRT="Show all but A: D: R: and T:"
HideDrives_U="Only U:"
HideDrives_W="Only W:"
HideDrives_WC="Show ONLY W: and C:"
HideDrives_CU="Both C: and U:"
HideDrives_COU="Both C: O: and U:"
HideDrives_PW="Show ONLY P: and W:"
HideDrives_MN="Show all BUT M: and N:"
--------------------------------------------------------------------------

Add the following Line somewhere in the "Drives" section:

HideDrives_ADRT="Show all BUT A: D: R: and T:"

6. Once the file has been saved you can go into Console One, under the "User Extensible Policies" open the ZAKWINNT policy, choose ZAK Policies \ Windows NT \ Drives \ Restrictions.       Enable the "Show only selected drives" option. In the drop-down box below you can select "Show all BUT A: D: R: and T:"
.

Note

Notes:
With ZEN3 , system policies are not longer supported and it is necessary to use User extensible policies for a User package, However the same formatted function that existed in ZEN2 is not available in ZEN3 user extensible policies.

ZENworks 2 has the ability to Enable  95 User System policies and within the User System policies, there is setting under ZAK Policies/Windows 95/Drives/Restrictions to 'Show only selected drives'. This setting is formatted to show a Visible drives box and a Hidden Drives box and the ability to Add or Remove any of the 26 drive letters from A-Z.

ZENworks 3 no longer allows for a User system policy to be created and all functionality that was previously done in System policies is now administered with User Extensible policies and the only available Microsoft adm file that restricts being able to see selected drives is the ZAKWINNT.ADM
File. The ZAKwinnt.adm file however  by default does not display the settings like that of the ZEN2 ZAK system policy. To open the ZAKWINNT.adm file, launch ConsoleOne.exe and create a user package and then enable the User extensible policy.  Browse to the adm file and then select  ZAK policies/Windows NT/Drives/Restrictions/Show only selected drives.

At this point  notice that the options are differently formatted than with the 95 user system policy however the functionality should be the same.You can choose drives that will be shown however by default the setting does not list all of the drive letters as in the ZEN2 system policy. You can select those listed and if you need a specific drive displayed, it will be necessary to refer to Q document Q220955 from Microsoft on how to modify the ZAKWINNT.ADM file from Microsoft to add or remove the desired drives that you need to add or remove or be able to be seen.

In summary, if you have set the Hide drives setting within a ZEN2 ZAK policy within a 95 user system policy and then migrate this policy from ZEN2 to ZEN3, the system policy does get migrated and is applied to the new ZEN3 migrated policy however you will not be able to modify this system policy as a system policy. The customer will need to create a ZEN3 user extensible policy and then use the ZAKWINNT.ADM file to reverse the changes or make modifications.

Even though the ZAKWINNT.ADM file is classified as a NT platform adm file, the file can be opened , configured and pushed to a Win98/98 desktop platform. Remember though the adm file may need to be edited within a text editor according to the above Microsoft Q document in order to hide or view selected drives.