19

I need to hide the D: drive for specified users on Windows 7. How can I do that?

nhinkle
  • 37,198
  • 36
  • 140
  • 177
J.Olufsen
  • 3,492
  • 14
  • 43
  • 59
  • .. disables access to what? – Blorgbeard Jan 26 '11 at 20:48
  • ...disabled access to drive D and after reboot it suppose to hide drive D for all users. But I need to hide and disable access only for specified users – J.Olufsen Jan 26 '11 at 21:32
  • Why is disabling access to the drive not good enough? What is the reason for *needing* to hide it? – Keltari Apr 28 '13 at 05:13
  • Why is disabling access to the drive not good enough? What is the reason for *needing* to hide it? Necro comment, but I am curious. – Keltari Apr 28 '13 at 05:31

5 Answers5

34

There is a group policy setting to disable access to certain drives, and another to hide access. You need Windows 7 Professional, Ultimate or Enterprise to do this. For other versions, scroll down to my alternate solution.

If you only want to apply the policy to certain users, not every user, you need to configure it individually. You cannot do this by just opening gpedit.msc; you need to add the group policy editor from the MMC:

  1. Run mmc.exe with administrative privileges
  2. Click File > Add or Remove Snapin
  3. Select "Group Policy Object Editor" and click Add >
  4. A wizard will appear. Click Browse, click the Users tab, and select a user or user group. Individual users are shown, as well as two generic groups; "Administrators" and "Non-Administrators".
  5. Click OK, then click Finish in the wizard.
  6. Click OK in the "Add Snapin" dialog.
  7. Enter User Configuration > Administrative Templates > Windows Components > Windows Explorer.
  8. Find Hide these specified drives in My Computer if you want to just hide the drives but still allow direct access (e.g. from run prompt, etc.) to the drives. Find Prevent access to drives from My Computer to hide the drive and prevent access to it.
  9. In whichever settings dialog, choose the Enabled radio button and choose the drive(s) you want to restrict. As of Windows 7, the only options are:
    • A and B drives only
    • C drive only
    • D drive only
    • A, B and C drives only
    • A, B, C and D drives only
    • Restrict all drives
    • Do not restrict drives
  10. Click OK

The next time the user(s) log in, they will not be able to see/access the drive This should work as you specifically asked for disabling the D: drive.

If you want to disable a drive other than A, B, C, or D, or if you have a version of Windows 7 which doesn't support the group policy editor, you will need to make the changes manually in the registry.

The first step is to load the registry hive of the user you are removing the drives from. The user must be logged out for this to work; in fact, it's better to do a fresh restart before doing this process.

  1. Open the registry editor with administrative privileges
  2. Select HKEY_USERS
  3. Choose Load Hive from the File menu
  4. Navigate to that user's profile folder, usually C:\users\username
  5. Enter NTUSER.DAT in the File name box. This file is a system-hidden file, so it won't show up in the file selection window. You have to type it in. Be sure not to select ntuser.dat.log by accident.
  6. Click ok, then enter a name for the key. We'll call it Foo.
  7. Go to HKEY_USERS\Foo\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  8. Create a new 32-bit DWORD value and name it NoDrives to hide the drives, or NoViewOnDrive to completely disable access.
  9. The value you enter depends on the drive(s) you want to restrict, and is a bit tricky. Each letter, starting with Z and going down to A, is represented by a 1 (disabled) or 0 (enabled). Make this binary number, then convert it to hexidecimal. This is the number you put in the box. For example, D is the fourth drive letter from the right, and everything to the left of it is a 0, so the number will be b1000, which is x08000000, so you would enter 08000000 as the value. To disable C and D, you would use b1100, or x0c000000. If this confused you, post in the comments for help.
  10. Once you've saved this value, navigate back up to HKEY_USERS, select the key you loaded, and then click File > Unload Hive. This step is ABSOLUTELY CRITICAL!! If you don't unload the hive, the user will be unable to login properly.
  11. Close the registry editor, then restart the computer. The new settings should have taken effect.
Community
  • 1
nhinkle
  • 37,198
  • 36
  • 140
  • 177
  • 2
    Ok. Followed this instruction but it hid and disabled access for drive D for ALL USERS, including me. I need to hide and disable access only for specified users. Is there a way to do it? – J.Olufsen Feb 19 '11 at 14:28
  • Are you sure you did the registry key or group policy snapin for the right user? If you follow the instructions exactly as above, it should only do it for the users you specify, not all of them. – nhinkle Feb 19 '11 at 22:13
  • I would be very careful with a change like this. It seems simple on the surface, follow the directions to accomplish your goal. However, I see the potential for some really painful troubleshooting of potential issues that could arise. If you do this, you need to be extremely careful that there is never a need that these users will ever need user level access to the hidden/disabled drives. – Keltari Apr 28 '13 at 05:18
  • @nhinkle, In your step 3, there is no "Group Policy Object Editor" to select.... See http://i.stack.imgur.com/x1ySa.png – Pacerier Nov 16 '14 at 00:13
  • 1
    @Pacerier are you running a Pro, Business, Ultimate, or Enterprise version of Windows? – nhinkle Nov 16 '14 at 03:15
  • @nhinkle, Nope, Windows XP Home Edition SP3. – Pacerier Nov 16 '14 at 03:45
  • @Pacerier "You need Windows 7 Professional, Ultimate or Enterprise to do this. For other versions, scroll down to my alternate solution." – nhinkle Nov 16 '14 at 13:44
  • Sorry to bump an old answer, but how would you hide drive X and Y in this scenario? Regedit only allows a certain amount of characters before it hits a limit. – Dooley_labs Mar 11 '18 at 03:24
  • People have difficulty understanding (the second) step 9.  In fact, I believe that it's wrong.  I have written an alternative (better) version [here](https://superuser.com/q/645857/150988#647302 "How do I find the hex values that I need to use to hide a drive letter?"). – Scott - Слава Україні Nov 25 '18 at 04:12
  • `b1000, which is x08000000` - huh? Binary 1000 is just 8 in hex (or 0x8, or 0x00000008). – this Dec 07 '22 at 13:03
3

Right-click on said drive in Computer, choose Properties → Security. Update access as needed: remove "Users", add "Parents", etc.

If your version of Windows doesn't have a Security tab, use icacls from command line:

icacls F:\ /grant Parents:(oi)(ci)F
icacls F:\ /remove Users
u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
  • Tried this method by removing the Users group. It enumerators through all files on the HDD to add the security policy. In the end my Administrator account still had the "Access denied message" when it finished even though Administrators group still had Full Access. – ShawnFeatherly May 15 '16 at 09:30
  • I still had access to edit the security policy. It worked great after adding my individual account. – ShawnFeatherly May 15 '16 at 09:38
2

You can hide any drives using Group Policy. This will set restrictions for any users on the machine.

  • Click on Start > Run and type gpedit.msc, and hit enter.
  • Then navigate through: User Configuration, Administrative Templates, Windows Components, and Windows Explorer.
  • Click Hide these specified drives in My Computer.
  • Click to select the Hide these specified drives in My Computer check box.
  • Click on Enabled in the top right and select the appropriate option in the drop-down box.

Hope this helps! :)

deanpcmad
  • 677
  • 1
  • 7
  • 16
1

Taken from this link (a bit too lazy to type it out myself):

  • Right-Click on My Computer [Computer in Windows Vista and Windows 7]
  • Click on Manage
  • From the list of options Click on Disk Management that will be located in the left-bottom section
  • All your hard disk and its partitions will be show in the right hand side
  • Right-Click on the partition that you want to hide and select "Change Drive Letters and Path"
  • Click on "Remove" and click "Yes"
  • Your drive will now be hidden in my computer
ChristopheD
  • 6,232
  • 2
  • 15
  • 10
  • My hard drive devided into 2 logical discs: C and D. If I create new user -> it can access drive D. What do I need to do in order to deny and hide my disc D for specified user? – J.Olufsen Jan 26 '11 at 22:04
  • Without drive letters or mount points, a drive is still accessible as its volume name. Even though most programs do not support `\\?\Volume{guid}` syntax, all it takes is a `DefineDosDevice(1, "x:", "\\??\\Volume{guid}")` to assign a session-local drive letter to it. *(Btw, these are two different prefixes. Not a typo.)* – u1686_grawity Jan 26 '11 at 22:26
1

You're looking for a type of Access Based Enumeration.
Enabling a user to only see drives / folders that they have the permissions for is supported in domains but not in stand alone installations as far as I'm aware.
You used to be able to do this in Windows XP by using Windows SteadyState but this tool has been discontinued.

Joe Taylor
  • 13,347
  • 7
  • 49
  • 70