Restric Local Drive Access in RDSH RemoteApp

When using Microsoft RSDH RemoteApp programs (or even full hosted virtual desktops), you will want to disable/hide certain things so that the end user does not cause issues with the shared environment. Some of the things you will want to disable/hide are the favorites, libraries, and server drive access.

Removing Favorites and Libraries

Restrictions will disable Libraries and Favorites and will hide or restrict users or a group of users from accessing and viewing any drives on the RD Session Host server. Users will be provided with an error message even if they use the UNC path to access the drives.

The primary reason to remove Favorites and Libraries and access to drives is because they contain mostly accessed locations on a system, so in the case of the RD Session Host server, this includes the desktop, downloads, recent places, etc. It is recommended that a user not save any documents to these locations.

Using the Registry (applies to all users including the administrators)

1. For Favorites, the key is:

[HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]
“Attributes”=dword:a0900100
Changing a0900100 to a9400100 will hide Favorites from the navigation pane.

2. For Libraries, the key is:

[HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]
“Attributes”=dword:b080010d
Changing b080010d to b090010d will hide Libraries from the navigation pane.

Hiding/Preventing Access to Drives

You can use Group Policy settings to hide and restrict access to drives on the RD Session Host server. By enabling these settings you can ensure that users do not inadvertently access data stored on other drives, or delete or damage programs or other critical system files on drive C.

The following settings are located in the Group Policy Management Console under User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer:

Hide these specified drives in My Computer. You can remove the icons for specified drives from a user’s My Computer folder by enabling this setting and using the drop-down list to select the drives you would like to hide. However, this setting does not restrict access to these drives.
Prevent access to drives from My Computer. Enable this setting to prevent users from accessing the chosen combination of drives. Use this setting to lock down the RD Session Host server for users accessing it for their primary desktop.
Applies to:

Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Other Group Policy Settings for Additional Security

Continue at source…

Technorati : , ,
Del.icio.us : , ,

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top