Problem Definition:

You are unable to map a network drive for a user because the “Map Network Drive” button is missing from Windows Explorer. The button is missing for non-administrative users, however it remains visible in the support account as shown below:

Cause:

When deploying a Citrix XenApp Server or Remote Desktop Session Host with the setting "Restrict Non Administrator Users from Accessing System Components and Controls," the "Map a Network Drive" button is suppressed in Windows Explorer for non-administrator users. Mapping network drives can introduce a security vulnerability with certain forms of malware/ransomware, namely CryptoWALL.  The button has been removed to prevent end users from mapping network drives, exposing network shared data to threats such as CryptoWALL.  CryptoWALL's accessibility to encrypting shared network data may be mitigated by setting limited explicit NTFS permissions to the shared data location.

Resolution:

This restriction does not disable drive mapping, rather it prevents end users from mapping drives themselves.  You may still use Active Directory Group Policy Management and create a policy to map network drives.  When sharing data which is accessible through mapped network drives, never give end users "full control" NTFS permissions to that data.  However, you may also restore the “Map Network Drive” button in Windows Explorer, by using the following procedure:


Using your “support” account, access the CloudConnect Desktop Host where you would like to re-enable the “Map Network Drive” button.


Access the Local Group Policy Object Editor Non-Administrators Policy. Refer to Knowledgebase Article CCT-201410097 for instructions on how to Access and Edit the Non-Administrators Policy on a Desktop Host.


Locate the following node in the Console Root:

User Configuration\Administrative Templates\Windows Components\Windows Explorer\


In the Results Pane, Locate “Remove Map Network Drive” and “Disconnect Network Drive” setting.

 

Right Click this Setting and Choose “Edit.” Set the Policy to “Disabled” and Apply the change.

 

 

Note: While this is a User-Level Policy, we have determined in Testing that sometimes it is necessary to restart the Desktop Host for this change to take effect, and for the “Map Network Drive” button to re-appear.

Additional Information:

If you use “gpedit.msc” shortcut to access the Local Group Policy Object Editor, it will not bind to the non-administrators group and expose the setting above, which needs to be modified. 

Applies To:

Microsoft Windows Desktop Server 2008 R2, 2012 R2, and 2016

Citrix XenApp 6.5, Citrix XenApp 7.X





 To learn more about how the CloudConnect Platform enables an incredible DaaS experience, download our latest White Paper!