Mark Telliers blog

May 14, 2008

Change Windows Drive Map Naming

Filed under: Scripting, Windows Server — Tags: — mtellier @ 2:08 am

Have you ever found the default drive map naming convention to be annoying? In the example below, the W: drive mapping description is: “downloads on ‘Domain Controller (dc1)’ (W:)”

People generally don’t care about a server description or server name; they just care about their W: drive. Sometimes an application’s drop-down list isn’t wide enough to display the entire description and truncates the one thing we are all looking for, the drive letter. To modify this behavior, there is a registry value that changes the network drive description.


Now look at the same drive mappings below and notice that the drive letter (important stuff) is now first, it’s easier to read, and we no longer care if text at the end of the long description is truncated.


This is done by applying the following registry key to the end workstation; you can read more in Microsoft KB:330193.

ShowDriveLetterFirst.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShowDriveLettersFirst"=dword:00000004

I then use a logon script to deploy this registry key to the workstations; the new settings will take effect on the following login. My logon script of choice is KiXtart, and if you have not used it, I highly recommend checking it out. KiXtart was first included in the Windows NT resource kit, so it has been around for some time. Here is the code that I used:

logon.bat (partial)
;#####################################
;##### ADD REGISTRY KEY #############
;#####################################
; Add Registry Key to display drive letter before description
; If the value is 0, default settings
; If the value is 1, the drive letter is displayed first for remote drives
; If the value is 2, drive letters are not displayed
; If the value is 4, the drive letter is displayed first for all drives
; Read the current value and only write when it is not already 4
$v_showdrv=ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer","ShowDriveLettersFirst")
If $v_ShowDrv <> 4
    WriteValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer","ShowDriveLettersFirst","4","REG_DWORD")
Endif
;####################################

May 13, 2008

Active Directory Delegation of Administration

Filed under: Windows Server — Tags: — mtellier @ 4:20 am

As a best practice, the SANS Institute recommends implementing the principle of least privilege as a measure to protect your network. As a consultant I find it very common for organizations to simply add administrators to the Domain Admins security group in Active Directory. This is an acceptable practice for small organizations, or where a central administration model is used. However, in larger organizations this can lead to chaos, a lack of accountability, and a security risk.

The Active Directory Users and Computers management console includes a Delegation of Control Wizard, which has been around since Windows 2000. The delegation wizard assists you in granting an ordinary user (without super powers) the ability to perform administrative tasks such as resetting passwords or managing security group membership. So rather than adding a user to the Domain Admins group, you can grant users the bare minimum security privilege they need to accomplish a specific administrative task.

Delegating administration is quite simple: open Active Directory Users and Computers, right-click on an OU, and select Delegate Control. A great TechNet article to follow is the Step-by-Step Guide to Using the Delegation of Control Wizard.

The Big Disappointment

Walking through this wizard the first time, you may think, wow, this is great. Immediately you realize this would be great for your workstation technicians: you could allow them to manage Active Directory computer accounts. So you create your security group “Workstation Techs” and start the wizard a second time, only to realize there are only 11 tasks to delegate, none of which include computer accounts. Upgrading from Windows Server 2003 to a Windows Server 2008 domain doesn’t add any additional functionality in this area. The delegation wizard now begins to look like a half-baked solution.

Finding a Solution

But wait, there is hope after all. The Delegation of Control Wizard is actually derived from a text file located at C:\Windows\Inf\delegwiz.inf, and that file can be customized. So, if you replace the contents of your delegwiz.inf file with the contents in this article, Active Directory Delegation Wizard File, you will end up with 70 tasks that can be delegated. The Delegation of Control Wizard now becomes a very powerful and useful tool.
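
Before swapping in a larger delegwiz.inf, it is worth listing what each wizard task would actually grant, in keeping with the least-privilege goal above. The following is an added example, not code from this post or the linked article: it assumes the file's usual layout (a [DelegationTemplates] list, then a [templateN] section and [templateN.<object>] permission sections per task), runs on a constructed two-task sample, and its choice of which rights to flag is its own.

```python
import configparser

# Constructed sample in the delegwiz.inf layout (not copied from a real file).
SAMPLE_INF = '''
[DelegationTemplates]
Templates = template1, template2

[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage computer accounts"
ObjectTypes = SCOPE, computer
[template1.SCOPE]
computer=CC,DC
[template1.computer]
@=GA

[template2]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset user passwords"
ObjectTypes = user
[template2.user]
CONTROLRIGHT="Reset Password"
pwdLastSet=RP,WP
'''

BROAD = {"GA", "GW"}  # generic all / generic write: flagged by assumption, adjust to policy

def audit_templates(inf_text):
    """Return one dict per wizard task: description, grants, broad rights found."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # preserve the case of attribute names
    cp.read_string(inf_text)
    report = []
    for name in cp["DelegationTemplates"]["Templates"].split(","):
        name = name.strip()
        grants = []  # (object section, attribute or "@" for whole object, rights)
        for obj in (o.strip() for o in cp[name]["ObjectTypes"].split(",")):
            for target, value in cp[f"{name}.{obj}"].items():
                rights = [r.strip().strip('"') for r in value.split(",")]
                grants.append((obj, target, rights))
        broad = sorted({r for _, _, rs in grants for r in rs} & BROAD)
        report.append({"template": name, "grants": grants, "broad": broad,
                       "description": cp[name]["Description"].strip('"')})
    return report

if __name__ == "__main__":
    for t in audit_templates(SAMPLE_INF):
        flag = "REVIEW " + ",".join(t["broad"]) if t["broad"] else "ok"
        print(f'{t["template"]}: {t["description"]} [{flag}]')
```

Pointing audit_templates at the text of a candidate delegwiz.inf gives a per-task list to review before the file is copied to C:\Windows\Inf.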
