
Showing only C:\temp for a hidden C: drive


  • Showing only C:\temp for a hidden C: drive

    Hi guys

    I have implemented group policy to restrict all drives in My Computer (so it appears completely empty in Explorer) and force a folder redirect on My Documents to a network share. So far so generic.

    However I now have a requirement to allow read/write to C:\temp ONLY. Is this possible with the model I already have in place? If not, I take it I need to unhide the C: drive; in that case, is it easy to only show the C:\temp folder or do I have to manually reset all the ACLs of every folder on every machine?? (please tell me that's not the only solution!!!)

    Many thanks in advance you guys.

    Cheers

  • #2
    Re: Showing only C:\temp for a hidden C: drive

    Hidden drives can normally still be written to by entering the path directly.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Showing only C:\temp for a hidden C: drive

      Hi Ossian

      Many thanks for your speedy reply!

      I understand the userbase can write to the c:\temp folder without being able to see it but the problem is that most (all) of the userbase aren't that techy so wouldn't know how to do this; they'll take one look at the error trying to access the C: drive and just not bother.

      I really need the C:\temp folder to be visible, but for that to be the only folder that's visible, and via GPO ideally such that administrators (me) can see the entire drive if they log on.

      Thanks again



      • #4
        Re: Showing only C:\temp for a hidden C: drive

        Not tried, but even if C drive is hidden, can you have a shortcut to C:\Temp on the desktop?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland



        • #5
          Re: Showing only C:\temp for a hidden C: drive

          I don't know if this helps but you can create a shortcut for all users like this:

          %windir%\explorer.exe /root, C:\Temp

          This will give them a Windows Explorer shortcut to the C:\Temp folder and restrict them from moving up or down from C:\Temp



          • #6
            Re: Showing only C:\temp for a hidden C: drive

            Why do they need to directly access that folder?


            • #7
              Re: Showing only C:\temp for a hidden C: drive

              Many thanks for your replies guys.

              Originally posted by Ossian
              Not tried, but even if C drive is hidden, can you have a shortcut to C:\Temp on the desktop?

              If you try to address it directly it just says that a restriction is in place to prevent you doing so.

              Originally posted by joeqwerty
              I don't know if this helps but you can create a shortcut for all users like this:
              %windir%\explorer.exe /root, C:\Temp
              This will give them a Windows Explorer shortcut to the C:\Temp folder and restrict them from moving up or down from C:\Temp

              Thanks Joe .. the only trouble is that that's just a shortcut; if there's a way to incorporate it into the shell such that File/open and file/save as (for instance) can also address it I think I'm in business - any ideas please?

              Originally posted by Wired
              Why do they need to directly access that folder?

              There is a batch process that generates files into C:\temp which need to be converted to PDF and mailed out to people, then deleted afterwards (I've incorporated del c:\temp\*.* into the logoff script). If it were an easy fix to just change it to %temp% I would but it's hardcoded.



              • #8
                Re: Showing only C:\temp for a hidden C: drive

                Try setting the User Configuration>Administrative Templates>Windows Components>Windows Explorer>Common Open File Dialog>Items Displayed in Places Bar setting in the GPO that applies to the users.



                • #9
                  Re: Showing only C:\temp for a hidden C: drive

                  When you allow users to go to C:\Temp then the entire c: drive will be visible in the current Explorer window for the user.

                  Therefore I'd suggest using an available drive letter to let users enter the content of the c:\temp folder.

                  Use this drive letter with one of the following solutions:
                  - a Subst.exe command line to connect the drive to the folder,
                  - set Persistent-subst via registry entries to connect the drive to the folder,
                  - use a drive mapping to the locally shared folder (this last solution makes it easier to give the new drive its own name)

                  The new drive letter directs the users to the content of the folder c:\temp.
                  I.e. using drive B: that'll show in Explorer as: C_TEMP (B:)

                  Make sure that all drives but the new drive letter are hidden.
                  This script can help you with that part:
                  Code:
                  ' This script can be used as a user logon script
                  ' (change HKCU to HKLM when running as computer startup script)
                  
                  ' HIDE DRIVES
                  
                  HideAllBut = "B"
                  
                  Set wshShell = CreateObject("WScript.Shell")
                  RegEntry = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives"
                  
                  ' Build the NoDrives bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z: (a set bit hides that drive)
                  bits = 0 : x = 0
                  For i = Asc("A") To Asc("Z")
                     If Chr(i) <> ucase(HideAllBut) then
                       bits = bits + 2^x 
                     End If
                       x = x + 1
                  Next
                  
                  On error resume next
                  
                  Dim sNoDrives
                  sNoDrives = wshShell.RegRead(RegEntry)
                  If (err.number =  0 and sNoDrives <> bits) OR _
                     (err.number <> 0 and bits <> 0) then
                  
                    ' Write registry
                    '-------------------------------------------------------------
                    err.clear
                    If bits <> 0 Then
                      ' WScript.Echo bits   ' debug only: show the computed mask (the original "wsh" object was never defined)
                      wshShell.RegWrite RegEntry, bits, "REG_DWORD"
                    Else
                      wshShell.RegDelete RegEntry
                    End If
                  
                  rem  If err.number = 0 then
                  rem
                  rem    ' Refresh explorer
                  rem    '-------------------------------------------------------------
                  rem    dim strComputer, objWMIService, colProcess, objProcess 
                  rem    strComputer = "."
                  rem    Set objWMIService = GetObject("winmgmts:" _
                  rem      & "{impersonationLevel=impersonate}!\\" _ 
                  rem      & strComputer & "\root\cimv2") 
                  rem
                  rem    Set colProcess = objWMIService.ExecQuery _
                  rem      ("Select * from Win32_Process Where Name = 'explorer.exe'")
                  rem    For Each objProcess in colProcess
                  rem       objProcess.Terminate()
                  rem    Next 
                  rem    
                  rem  Else
                  rem     err.clear
                  rem  End If
                  
                  End If

                  After you've made that one drive visible, here's an example of the "set persistent-subst via registry entries" solution:
                  Code:
                  ' Run this script as computer startup script
                  
                  strEntry = "B:"
                  strValue = "C:\temp"
                  strLABEL = "C_TEMP"
                  
                  Set objShell = CreateObject("Shell.Application")
                  Set wshShell = CreateObject("WScript.Shell")
                  
                  ' optional....
                     ' The next statement erases the name (label) of drive C:  (!!!)
                     objShell.NameSpace("C:").Self.Name = empty
                  
                     ' ----------------------------------------------------------
                     ' When using drive substitution (unlike mapping a drive) the new
                     ' drive will always get the same name as the drive of the target.
                     ' Only when the target's drive does not have a name
                     ' are you able to give a custom name to the new drive.
                     ' ----------------------------------------------------------
                  
                     ' Now you can set the name (label) to use for the new drive
                     subKey = Left(strEntry, 1)
                     strKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\" & subKey & "\DefaultLabel\"
                     wshShell.RegWrite strKey, strLABEL, "REG_SZ"
                  
                  
                  ' Make a persistent drive substitute, B: to C:\temp
                  strKey = "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices\"
                  strValue = "\DosDevices\" & strValue
                  wshShell.RegWrite strKey & strEntry, strValue, "REG_SZ"
                  \Rems
                  Last edited by Rems; 12th May 2010, 18:52.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts
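
To check what the two scripts above actually changed, and to test the point from post #2 that a hidden drive can still be written to by path, here is an added audit example in PowerShell (not code from the thread or its posters). It decodes the NoDrives bitmask (hiding every letter except B: gives 67108861, 0x03FFFFFD), lists the DOS Devices substitutions, and reports which principals NTFS lets write to C:\temp; the function names and the set of rights treated as "write" are this example's assumptions.

```powershell
# Added example: compare what Explorer hides with what NTFS actually allows.
# NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z: (set bit = hidden).
function ConvertTo-NoDrivesMask {                  # hypothetical helper name
    param([string]$Visible = '')                   # letters to leave visible, e.g. 'B'
    $mask = 0
    foreach ($bit in 0..25) {
        $letter = [char](65 + $bit)                # 65 = 'A'
        if ($Visible.ToUpper().IndexOf($letter) -lt 0) { $mask += [int][math]::Pow(2, $bit) }
    }
    $mask
}

function ConvertFrom-NoDrivesMask {                # hypothetical helper name
    param([long]$Mask)                             # emits the hidden drive letters
    foreach ($bit in 0..25) {
        if ($Mask -band [long][math]::Pow(2, $bit)) { [char](65 + $bit) }
    }
}

# 1. Decode the NoDrives value in effect for the user and for the machine.
$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKCU:', 'HKLM:') {
    $item = Get-ItemProperty -Path "$hive\$policy" -Name NoDrives -ErrorAction SilentlyContinue
    if ($item) {
        $hidden = (ConvertFrom-NoDrivesMask -Mask $item.NoDrives) -join ''
        "{0} NoDrives = {1} (0x{1:X8}), hidden: {2}" -f $hive, $item.NoDrives, $hidden
    } else { "$hive NoDrives not set" }
}
"Mask that hides all but B: is {0}" -f (ConvertTo-NoDrivesMask -Visible 'B')

# 2. List persistent drive substitutions such as the B: entry the startup script writes.
$dosDevices = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices'
(Get-ItemProperty -Path $dosDevices).PSObject.Properties |
    Where-Object { $_.Name -match '^[A-Za-z]:$' } |
    ForEach-Object { "{0} -> {1}" -f $_.Name, $_.Value }

# 3. NoDrives only changes what Explorer shows; NTFS decides who can write by path.
$target = 'C:\temp'                                # folder from this thread
$write  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
if (Test-Path -LiteralPath $target) {
    (Get-Acl -LiteralPath $target).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) } |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else { "$target does not exist on this machine" }
```

Running the same ACL check against `C:\` shows whether the rest of the drive is protected by permissions or only by being hidden.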



                  • #10
                    Re: Showing only C:\temp for a hidden C: drive

                    Originally posted by Rems View Post
                    When you allow users to go to C:\Temp then the entire c: drive will be visible in the current Explorer window for the user.

                    If you create a Windows Explorer shortcut like the one I posted it restricts the user to the Temp folder. No amount of clicking the up or back buttons will get them any further. We use this in our TS environment to restrict users to a particular directory.
                    Last edited by Rems; 12th May 2010, 23:57.
