XenApp 6.5 Hide Local Drives

There are several methods to hide local hard drives in XenApp or Terminal Services for your end users, but I feel only one is superior: Group Policy loopback processing combined with the new Group Policy Preferences item-level targeting available in Server 2008. Instead of modifying all of your users' individual GPOs, configuring registry hacks or writing a bunch of band-aid scripts, you need only modify one GPO, which is applied to your Citrix servers. This cuts down on administration and increases simplicity (KISS). Since I haven’t seen many articles explaining this method, here is my first post of March 2013.

Essentially what Group Policy loopback processing does is allow you to completely override or merge user or computer level policies on computers where it is enabled. For clarity I should point out now that this will not prevent users from reading/writing to the drive, as this is a procedure to HIDE the drive letter from the explorer.exe shell. This will help eliminate end user confusion as many people mistake C:\ in an ICA/RDP session to be their local C:\ on their desktop or laptop. In this post, I will hide the drive C:\ for all XenApp users who are not members of Domain Admins.

Create a GPO and link it to the OU where your XenApp/TS server is located. Edit and navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy and enable ‘User Group Policy loopback processing mode’ with the mode set to Merge. Setting it to merge instead of replace will ensure that all of your existing user policies will remain applied.


In the same GPO, navigate to User Configuration > Preferences > Windows Settings > Drive Maps. Right-click in the white area and choose New > Mapped Drive. Select the drive you wish to hide and set Hide this drive.


Go to the Common tab and select Item-level targeting. Choose New Item > Security Group, then Item Options > Is Not. Select your Domain Admins group, or another group to which you do not want this policy to apply, such as your technical support team.
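
The GPO creation and loopback steps above can also be scripted and then checked from inside a session; the following is an added example, not part of the original post, and the GPO name and OU path in it are assumed placeholders. The Drive Maps item and its item-level targeting are still created in the editor as described, and the second function confirms that a hidden drive stays reachable by path.

```powershell
# Added example. Names marked ASSUMED are placeholders, not values from the article.
Import-Module GroupPolicy   # ships with GPMC / RSAT

$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

function New-LoopbackGpo {
    # Run on an admin workstation or DC with rights to create and link GPOs.
    param(
        [string]$Name   = 'XenApp-HideDrives',            # ASSUMED GPO name
        [string]$Target = 'OU=XenApp,DC=example,DC=com'   # ASSUMED OU of the XenApp/TS servers
    )
    New-GPO -Name $Name | Out-Null
    New-GPLink -Name $Name -Target $Target | Out-Null

    # 'User Group Policy loopback processing mode' is stored as the policy
    # value UserPolicyMode: 1 = Merge, 2 = Replace.
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value 1 | Out-Null

    # Read back what the GPO now stores, so a wrong mode is caught early.
    (Get-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName 'UserPolicyMode').Value
}

function Test-HiddenDriveState {
    # Run inside a user session on a XenApp server after 'gpupdate /force'.
    param([string]$Drive = 'C:\')

    $sys = Get-ItemProperty `
        -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User           = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        LoopbackMode   = switch ($sys.UserPolicyMode) {
                             1       { 'Merge' }
                             2       { 'Replace' }
                             default { 'NotApplied' }
                         }
        # Hiding only removes the letter from the Explorer shell; the path
        # still resolves, so NTFS permissions remain the access control.
        StillReachable = Test-Path -LiteralPath $Drive
    }
}
```

`New-LoopbackGpo` returns 1 when Merge mode was written to the GPO; `Test-HiddenDriveState` reporting `StillReachable = True` for a user who no longer sees the drive letter is the expected result.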


If you have any questions, leave a comment below and be sure to share this on your favorite social media platform to help support my ad-free website.

Thank you,
-TR

  • Casey

    That was awesomely simple. Much easier than the way that I did it!

    • http://www.travisrunyard.com Travis

      Yea, group policy preferences has improved the common administrative tasks. But I’ve run into a problem by hiding the drives. When a user opens a file, say a PDF file opens in Adobe Reader, then when they try to save the file, the Save As dialog comes up but displays an error because it’s trying to default to the user’s temp directory, which is on a drive that is hidden T.T

      • http://www.slideshare.net/techstur/web-interfacecustomizationservices Emma

        Hey Travis,
        My system is also displaying the Error message while saving the PDF file. Please tell me the solution.

        • http://www.travisrunyard.com Travis

          Hi Emma,
          I didn’t find a solution. I had to unhide the drive unfortunately. Pretty ridiculous. If you find a way, please let me know.

  • graystoke

    If you are running an enterprise system, you will no doubt be packaging important applications. Repackage your app so that it saves files by default to your chosen shared location. This is standard fare.

    • http://www.travisrunyard.com Travis

      How would I repackage Adobe Acrobat Reader to save files to a destination I specify?

  • http://www.teamas.co.uk Ben Owens

    Hi,

    Found the article very helpful. Thank you.

    Ben

    • http://www.travisrunyard.com Travis

      Thanks Ben, appreciate it.

  • Karthik

    Hi, I somehow could not find this path in the Local Group Policy Editor. User Configuration > Preferences > Windows Settings > Drive Maps. Please assist.

    • http://www.travisrunyard.com Travis

      Are you sure you’re running R2 or with win 7 RSAT?

  • JJ

    Found the same info on this website. Not sure if the poster is the same person.

    http://lovinglysam.blogspot.com/2013/06/xenapp-6-hide-local-server-drives-to.html

    Thanks

    • http://www.travisrunyard.com Travis

      I feel so special for someone to steal something I made :)

  • Mike M

    I have 4 XenApp 6.5 servers and I’ve followed the instructions to the letter. I created a new GPO entitled HideLocalDrives. Linked it to the OU where the 4 Citrix servers are located. Enabled user loopback and disabled the C drive via preferences. I still see the C drive.
    I ran Group Policy Modeling for my account on one of the Citrix servers to see if the new policy was applied and it doesn’t even list the new policy. Neither applied nor denied, it’s just not there. I’ve waited for 30 minutes so I know AD has replicated by now. Since there are no computer policies configured on this HideLocalDrives policy, only user settings, would it show up if linked to an OU with only servers in it? I am confused as to why the policy is not showing up at all.

    • http://pQYNV89zroiO Gabriel

      Forgot to add this into the equation. Users can print to the HP1020, users CANNOT print to the HP2200. My printer at home which I am testing out is a Canon IP4700; it follows the exact same printing issues as what the HP2200 is experiencing. Should I manually add these drivers onto the server? I have been relying on them to auto-create so far, which all other computers have been doing. If I manually add the driver in, the system looks for the printer, yet it is not attached to the network, because it’s on the remote side. How should this be set up?

    • http://www.travisrunyard.com Travis

      No computer policies? Did you mean except for the loopback policy? Where are you running the modeling from? Make sure the GPO has replicated to the DC you’re doing the modeling from first. I’m on a big road trip right now, I’ll respond back as soon as I can if you have a reply.