Windows Server 2019, Hide or Disable file history (Shadow Copy) for users in active directory that accessing a network share

tl;dr; We need to disable or hide the file history for active directory users who access a network shared folder, so that only the IT team can restore files to previous versions.

We have a small server with Windows Server 2019. In this server we have many network shares for active directory users. The access to these folders is being controlled by Groups. The whole drive has shadow copy enabled, and the copy is stored in a secondary drive.

When you access the network folder from an users computer and right-click on it, you can see the file history and restore the files to previous versions. However we need to hide or disable this functionality to most users and either: enable this feature only for users in a group or only available directly on the server.

If you want to disable the RESTORE button in PREVIOUS VERSIONS/SHADOW COPIES using a Group Policy Object (GPO), you are smart. Humans make mistakes so IT Administrators need to set policies to protect people from themselves. Completely hiding the file history is not helpful and will drive your users to file names like _new old new2 and so on.

Someone argued with Microsoft about this when ShadowCopies came out (long time ago) and the official response was that "staff should be able to restore their own files and folders without limitation - just like they could copy a old version from a thumbdrive". Okay, fair.

Your NTFS ACL should lock down everybody to ensure that staff do not have access to folders they should not have access to (ACLs are kep in SC, too). But you may want to protect them from accidents.

The policy to disable the "restore" button is set in :

USER CONFIGURATION >  POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > FILE EXPLORER > PREVIOUS VERSIONS
set Prevent Restoring Remote Previous Versions to ENABLED