Case Study: Local C drive not being mapped in a Citrix Session

Case study: local C drive is not being mapped in a Citrix Session

There are many reasons why this may happen. See this article for some Citrix reasons and troubleshooting. But there is one reason that has nothing to do with Citrix but affects a Citrix session. It is a Group Policy in AD that prevents access to any drive you want to specify, including the C drive.

One method of checking the issue is to:
Click Start, and then click Run.
In the Open box, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
Click Add.
Under Available Stand-alone Snap-ins, click Group Policy, and then click Add.
Select Domain Group Policy. Navigate to the OU level where the computer or the user group affected is located. This is the location:
Local Computer Policy – Computer Configuration – Administrative Templates – Windows Components – Windows Explorer.

Find Hide these specified drives in My Computer if you want to just hide the drives but still allow direct access (e.g. from run prompt, etc.) to the drives. Find Prevent access to drives from My Computer to hide the drive and prevent access to it.
You can choose the Enabled radio button and choose the drive(s) you want to restrict. As of Windows 7, the options are:

A and B drives only
C drive only
D drive only
A, B and C drives only
A, B, C and D drives only
Restrict all drives
Do not restrict drives

Check this article with some nice screenshots and explanation on how to do it on a Windows 7 machine; The idea is the same but instead of a workstation local group policy you change the settings on a OU that the contains the servers and workstation affected by this policy

Enter User Configuration > Administrative Templates >

Open the registry editor with administrative privileges
Choose Load Hive from the File menu
Navigate to that user’s profile folder, usually C:\users\username
Enter NTUSER.DAT in the File name box. This file is a system-hidden file, so it won’t show up in the file selection window. You have to type it in. Be sure not to select ntuser.dat.log by accident.
Click ok, then enter a name for the key. We’ll call it Foo.
Go to HKEY_USERS\Foo\CurrentVersion\Policies\Explorer
Create a new 32-bit DWORD value and name it NoDrives to hide the drives, or NoViewOnDrive to completely disable access.
The value you enter depends on the drive(s) you want to restrict, and is a bit tricky. Each letter, starting with Z and going down to A, is represented by a 1 (disabled) or 0 (enabled). Make this binary number, then convert it to hexidecimal. This is the number you put in the box. For example, D is the fourth drive letter from the right, and everything to the left of it is a 0, so the number will be b1000, which is x08000000, so you would enter 08000000 as the value. To disable C and D, you would use b1100, or x0c000000. If this confused you, post in the comments for help.
Once you’ve saved this value, navigate back up to HKEY_USERS, select the key you loaded, and then click File > Unload Hive. This step is ABSOLUTELY CRITICAL!! If you don’t unload the hive, the user will be unable to login properly.
Close the registry editor, then restart the computer. The new settings should have taken effect.

To disable the user from accessing computer drives, please follow the steps below:
1. Create an OU and put the user in this OU.
2. Create and link a GPO to this OU.
3. Right click this GPO and select Edit.
4. Expand User Configuration->Policies->Administrative Templates->Windows Components->Windows Explorer.
5. In the right pane, double click “Hide these specified drives in My Computer”.
6. Select Enabled and set to “Restrict all drives”.
7. Double click “Prevent access to drives from My Computer”.
8. Select Enabled and set to “Restrict all drives”.
More here

Other good links:
Locking Down Terminal Server


and this:
Excerpt here:

…”To enable logging for drive mapping, you can enable Configure Drive Maps preference logging and tracing under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and tracing
Collect User.log file from the problematic Windows 7 computer, the log file is located in the folloiwng folder.

Enabling Group Policy Preferences Debug Logging using the RSAT”
Applies for Windows 7 and windows Server 2008 R2


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: