XenApp 6.5 Hide Local Drives

XenApp 6.5 Hide Local Drives

There are several methods to hide local hard drives in XenApp or Terminal Services for your end users, but I feel only one is superior, group policy loopback processing combined with the new Group Policy preferences item-level targeting available in Server 2008. Instead of modifying all of your users individual GPO’s or configuring registry hacks or writing a bunch of bandaid scripts, you need only modify one GPO which is applied to your Citrix servers. Therefore this cuts down on administration and increases simplicity (KISS). Since I haven’t seen many articles explaining this method, here is my first post of March 2013.

Essentially what Group Policy loopback processing does is allow you to completely override or merge user or computer level policies on computers where it is enabled. For clarity I should point out now that this will not prevent users from reading/writing to the drive, as this is a procedure to HIDE the drive letter from the explorer.exe shell. This will help eliminate end user confusion as many people mistake C:\ in an ICA/RDP session to be their local C:\ on their desktop or laptop. In this post, I will hide the drive C:\ for all XenApp users who are not members of Domain Admins.

Create a GPO and link it to the OU where your XenApp/TS server is located. Edit and navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy and enable ‘User Group Policy loopback processing mode’ with the mode set to Merge. Setting it to merge instead of replace will ensure that all of your existing user policies will remain applied.

In the same GPO, navigate to User Configuration > Preferences > Windows Settings > Drive Maps. Right click in the white area New > Mapped Drive. Select the drive you wish to hide and set Hide this drive.

Go to the Common tab and select Item-level targeting. New Item > Security Group. Item Options > Is Not. Select your Domain Admins group or a group you wish this policy to not apply, such as your technical support team.

If you have any questions, leave a comment below and be sure to share this on your favorite social media platform to help support my ad-free website.

Thank you,
-TR

12 thoughts on “XenApp 6.5 Hide Local Drives”

    1. Yea, group policy preferences has improved the common administrative tasks. But I’ve run into a problem by hiding the drives. When a user opens a file, say a PDF file opens in Adobe Reader, then when they try to save the file, the Save As dialog comes up but displays an error because it’s trying to default to the users temp directory which is on a drive that is hidden T.T

  1. if you are running an enterprise system, you will no doubt be packaging important applications. repackage your app so that it saves files by default to your chosen shared location. this is standard fare.

  2. I have 4 XenApp 6.5 servers and I’ve followed the instructions to the letter. I create a new GPO entitled HideLocalDrives. Linked it to the OU where the 4 Citrix Servers are located. Enabled userloopback and disabled the C drive via preferences. I still see the C drive.
    I ran Group Policy Modeling for my account on one of the Citrix servers to see if the new policy was applied and it doesnt even list the new policy. Neither applied or denied, its just not there. I’ve waited for 30 minutes so I know AD has replicated by now. Since there are no computer policies configured on this HideLocalDrives policy, only user settings, would it show up if linked to an OU with only servers in it? I am confused as to why the policy is not showing up at all.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

CommentLuv badge