Windows: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

For a few months I've been having an annoying problem with my Windows 10 installation. I can't simply open drives (either HDD or USB ones) labelled with the letters J: and K: from the File Explorer. When I try to do that, the infamous "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." message appears.

However, I'm the system administrator and, moreover, I can access drives characterized by those labels simply using the Command Prompt.

So, when I use a USB drive, first of all I need to change its label to just another one and then I'm able to gain access to it. Any hints about how to solve this issue?

UPDATE: I've created a new administrator account and it doesn't seem to have this issue. I can access a drive having J: or K: labels.


Solution 1:

The only way you would receive this error is because of the Prevent access to drives from My Computer group policy.

The solution is to set User Configuration\Administrative Templates\Windows Components\File Explorer\Prevent access to drives from My Computer to be Enabled and set the option value to Do not restrict drives from within the Local Group Policy Editor.

If you enable this policy, users cannot view the contents of the selected drives in My Computer and Windows Explorer. Also, they cannot use the Run dialog box, the Map Network Drive dialog box, or the Dir command to view the directories on these drives.

The group policy in question is supposed to prevent the contents of the directory from being listed even in a command prompt. In my testing before writing this answer, even when I specifically set the option to Restrict all drives, I was given the contents of the drive on Windows 10 within a non-elevated command prompt.

Prevent access to drives from My Computer

Additionally

The default values are not the only values that you can use. By editing the System.adm file, you can add your own custom values. This is the portion of the System.adm to be modified

So going under the assumption that somebody modified System.adm itself, and specifically added a custom numerical value of 1536, which is a 26-bit binary value of 00000000000000011000000000, this would explain the error message you are getting on the drives in question.

The default location of the System.adm file for a default domain policy is:

%SystemRoot%\Sysvol\Sysvol\YourDomainName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\System.adm

The contents of these folders are replicated throughout a domain by the File Replication service (FRS). Note that the Adm folder and its contents are not populated until the default domain policy is loaded for the first time.

Using Group Policy Objects to hide specified drives

The physical location of these templates might be different depending on the version of Windows your DC is using.
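
The bitmask reading in the answer above (1536 covering J: and K:) can be checked on the affected account with a short PowerShell script. This is an added example, not part of the original answer: the value names NoViewOnDrive and NoDrives under ...\Policies\Explorer are where Windows stores these two Explorer policies and do not appear on the page, and ConvertFrom-DriveMask is a hypothetical helper name.

```powershell
# Added example: decode the Explorer drive-restriction bitmask.
# Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
function ConvertFrom-DriveMask {
    param([Parameter(Mandatory)][uint32]$Mask)
    # Test each of the 26 bits and emit the matching drive letter.
    foreach ($bit in 0..25) {
        if ($Mask -band ([uint32]1 -shl $bit)) {
            '{0}:' -f [char]([int][char]'A' + $bit)
        }
    }
}

# Value names written by the two Explorer drive policies
# (Windows registry names, not taken from the page):
#   NoViewOnDrive = "Prevent access to drives from My Computer"
#   NoDrives      = "Hide these specified drives in My Computer"
$keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

foreach ($key in $keys) {
    foreach ($name in 'NoViewOnDrive', 'NoDrives') {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value not present

        # Only the low 26 bits map to drive letters; masking also avoids a
        # cast error if the DWORD is returned as a negative Int32.
        $mask = [uint32]($item.$name -band 0x3FFFFFF)

        [pscustomobject]@{
            Key    = $key
            Value  = $name
            Mask   = $mask
            Binary = [Convert]::ToString([int64]$mask, 2).PadLeft(26, '0')
            Drives = (ConvertFrom-DriveMask -Mask $mask) -join ' '
        }
    }
}

# Constructed check using the value from the answer: 1536 sets bits 9 and 10.
(ConvertFrom-DriveMask -Mask 1536) -join ' '
```

Run it in the affected user's session, since the HKCU hive differs per account; that is consistent with the new administrator account in the question not showing the problem.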

Solution 2:

If you have not configured Group Policy on your PC, try clearing the cached settings in the registry.

These are located here:

HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies

If you have deliberately configured Group Policy, try accessing the local Group Policy editor by running gpedit.msc. Choose All Settings and filter by the enabled settings to try to determine the settings causing this.

If the PC is connected to a domain, try removing it from the domain and clearing the cached settings as described above.