Advertisement

05.14.2008 at 10:19AM PDT, ID: 23402303
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
7.8

Problems with group policy ADM template

Zones: Active Directory, Windows Networking, Windows XP Operating System
Tags: Group Policy, Autorun, Autorun.inf, disable autorun, ADM, Custom GP template
First a little back story... our network security guy has asked that we create a group policy that disables the processing of the autorun.inf files found on many CD's and other media.  He still wants the autoplay feature to work (music, movies, etc).

He found this http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-AutoRun-attacks and sent it to me referencing the REG script below

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Now my task is to adapt that into an ADM file and create a GPO to configure the (Default) value in the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

I have created the ADM file (shown below) and am able to import it with no problems, however when I try to apply the policy (gpupdate /force) I get the following two event messages

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1020
Date:            5/14/2008
Time:            1:03:59 PM
User:            NT AUTHORITY\SYSTEM
Computer:      
Description:
Windows cannot create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf. (The parameter is incorrect. ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1096
Date:            5/14/2008
Time:            1:03:59 PM
User:            NT AUTHORITY\SYSTEM
Computer:      
Description:
Windows cannot access the registry policy file, \\***.net\SysVol\daiglobal.net\Policies\{D28A0160-BE9F-478B-B4B6-BC4790ABDA02}\Machine\registry.pol. (The parameter is incorrect. ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I'm assuming that this is because the VALUEON keyword in the ADM file is expecting a numeric value and I am giving it a text string.  So basicaly what I need to know is how to get the (Default) value set to "@SYS:DoesNotExist"



1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:

CLASS MACHINE
 
CATEGORY "Auto Run"
	KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
	POLICY "Disable autorun.inf"
		EXPLAIN !!AutoRun
		VALUENAME ""
		VALUEON "@SYS:DoesNotExist" 		
	END POLICY 
END CATEGORY
 
[strings]
AutoRun="Sets the value of (Default) to "@SYS:DoesNotExist" to disable processing the autorun.inf files."
Start your free trial to view this solution
Question Stats
Zone: OS
Question Asked By: ebjers
Solution Provided By: ebjers
Participating Experts: 2
Solution Grade: A
Views: 90
Translate:
Loading Advertisement...
05.14.2008 at 10:38AM PDT, ID: 21566681

Rank: Guru

Pber:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.14.2008 at 11:01AM PDT, ID: 21566922
darkjedi213:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.14.2008 at 11:04AM PDT, ID: 21566957
ebjers:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.14.2008 at 12:19PM PDT, ID: 21567738
ebjers:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.14.2008 at 12:26PM PDT, ID: 21567802
darkjedi213:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.14.2008 at 12:30PM PDT, ID: 21567845

Rank: Guru

Pber:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.14.2008 at 12:36PM PDT, ID: 21567896
ebjers:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
05.22.2008 at 04:28AM PDT, ID: 21622749
ebjers:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
Loading Advertisement...
Microsoft
  • Internet Protocols
  • Applications
  • Development
  • OS
  • Hardware
  • Windows Security
Apple
  • Operating Systems
  • Hardware
  • Programming
  • Networking
  • Software
Internet
  • Search Engines
  • File Sharing
  • WebTrends / Stats
  • Spy / Ad Blockers
  • Web Browsers
  • New Net Users
  • Web Development
  • Chat / IM
  • Anti Spam
  • Web Servers
  • Anti-Virus
  • Email Clients
Gamers
  • Tips
  • Online / MMORPG
  • Puzzle
  • Emulators
  • Action / Adventure
  • Role Playing
  • Consoles
  • Game Programming
  • Strategy
  • Sports
  • Misc
  • Computer Games
Digital Living
  • Hardware
  • New Net Users
  • New Users
  • Software
  • Digital Music
  • Gaming World
  • Home Security
  • Apple
  • Networking Hardware
Virus & Spyware
  • Vulnerabilities
  • IDS
  • Encryption
  • Anti-Virus
  • Operating Systems Security
  • Software Firewalls
  • WebApplications
  • Cell Phones
  • Operating Systems
  • Internet
  • Hardware Firewalls
Hardware
  • Handhelds / PDAs
  • Displays / Monitors
  • Components
  • Networking Hardware
  • Peripherals
  • Laptops/Notebooks
  • Storage
  • Servers
  • Desktops
  • New Users
  • Misc
  • Apple
Software
  • System Utilities
  • Industry Specific
  • Network Management
  • Photos / Graphics
  • Page Layout
  • VMWare
  • Misc
  • Web Development
  • OS
  • CYGWIN
  • Voice Recognition
  • Message Queue
  • Quality Assurance
  • Security
  • Firewalls
  • MultiMedia Applications
  • Development
  • Database
  • Office / Productivity
  • Business Management
  • OS/2 Apps
  • Server Software
  • Internet / Email
ITPro
  • OS
  • Storage
  • Encryption
  • Operating Systems Security
  • Apple Hardware
  • Laptops & Notebooks
  • Servers
  • Networking Hardware
  • Peripherals
  • Devices
  • Displays / Monitors
  • WebTrends / Stats
  • Search Engines
  • Firewalls
  • WebApplications
  • IDS
  • Vulnerabilities
  • Email Clients
  • File Sharing
  • Spy / Ad Blockers
  • Web Browsers
  • Web Servers
  • Networking
  • Anti-Virus
  • Chat / IM
  • Anti Spam
Developer
  • Web Servers
  • Web Browsers
  • Game Programming
  • Dev Tools
  • Industry Specific
  • Office / Productivity
  • Database
  • CYGWIN
  • Web Development
  • Search Engines
  • File Sharing
  • WebTrends / Stats
  • Programming
  • Content Management
  • Application Servers
  • Protocols
Storage
  • Removable Backup Media
  • Storage Technology
  • Servers
  • Grid
  • Remote Access
  • Backup / Restore
  • Misc
  • Hard Drives
OS
  • Miscellaneous
  • Security
  • Development
  • Linux
  • VMWare
  • MainFrame OS
  • Unix
  • Apple
  • OS / 2
  • AS / 400
  • BeOS
  • Microsoft
  • VMS / OpenVMS
Database
  • Oracle
  • Miscellaneous
  • MySQL
  • Software
  • Sybase
  • Contact Management
  • PostgreSQL
  • Data Manipulation
  • Clarion
  • InterSystems Cache
  • Siebel
  • MUMPS
  • OLAP
  • SQLBase
  • SAS
  • GIS & GPS
  • 4GL
  • Berkeley DB
  • DB2
  • Informix
  • Interbase / Firebird
  • FoxPro
  • Reporting
  • LDAP
  • Filemaker Pro
  • MS SQL Server
  • dBase
  • MS Access
Security
  • Misc
  • Web Browsers
  • Software Firewalls
  • Operating Systems Security
  • File Sharing
  • Spy / Ad Blockers
  • Vulnerabilities
  • WebApplications
  • IDS
  • Anti-Virus
  • Encryption
  • Anti Spam
  • Email Clients
  • VPN
  • Chat / IM
Programming
  • Editors IDEs
  • Installation
  • Handhelds / PDAs
  • Multimedia Programming
  • System / Kernel
  • Algorithms
  • Game
  • Signal Processing
  • Project Management
  • Open Source
  • Database
  • Misc
  • Languages
  • Processor Platforms
  • Theory
Web Development
  • Scripting
  • Blogs
  • Web Servers
  • Software
  • Search Engines
  • Web Graphics
  • Images
  • Internet Marketing
  • Images and Photos
  • Components
  • Document Imaging
  • Web Languages/Standards
  • Illustration
  • WebApplications
  • Fonts
  • WebTrends / Stats
  • Authoring
  • Digital Camera Software
  • Miscellaneous
Networking
  • Protocols
  • Apple Networking
  • Network Management
  • Message Queue
  • Application Servers
  • Content Management
  • File Servers
  • Email Servers
  • Misc
  • Java Editors & IDEs
  • Wireless
  • Networking Hardware
  • Backup / Restore
  • System Utilities
  • ISPs & Hosting
  • Web Servers
  • Storage Technology
  • Removable Backup Media
  • Servers
  • Broadband
  • Grid
  • OS / 2
  • Novell Netware
  • Unix Networking
  • Windows Networking
  • Security
  • Telecommunications
  • Operating Systems
  • Linux Networking
Other
  • Community Advisor
  • Lounge
  • Community Support
  • New Net Users
  • Philosophy / Religion
  • Math / Science
  • Miscellaneous
  • URLs
  • Expert Lounge
  • Politics
  • Puzzles / Riddles
Community Support
  • Suggestions
  • New to EE
  • New Topics
  • Community Advisor
  • CleanUp
  • Announcements
  • General
  • Feedback
  • Input
  • EE Bugs
 
05.14.2008 at 10:38AM PDT, ID: 21566681

Rank: Guru

Pber:
Try this:

Set the DEFAULT value.
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:

CLASS MACHINE
 
CATEGORY "Auto Run"
	KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
	POLICY "Disable autorun.inf"
		EXPLAIN !!AutoRun
                  DEFAULT "@SYS:DoesNotExist"
                  VALUENAME ""
	END POLICY 
END CATEGORY
 
[strings]
AutoRun="Sets the value of (Default) to "@SYS:DoesNotExist" to disable processing the autorun.inf files."
Open in New Window
Assisted Solution
 
05.14.2008 at 11:01AM PDT, ID: 21566922
darkjedi213:
You could also create a group policy that sets a Computer startup script. Have it run the following command (or put it in a batch file):
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d @SYS:DoesNotExist /f

Assisted Solution
 
05.14.2008 at 11:04AM PDT, ID: 21566957
ebjers:
I suggested scripts but they don't want to do the script (unable to provide me with a good reason) I will keep pushing for using a script if I can't get the ADM to work.

eb
 
05.14.2008 at 12:19PM PDT, ID: 21567738
ebjers:
Pber, no good, first DEFAULT has to be under VALUENAME (an easy fix), second it still tells me peramiter incorrect so I think it may not like the VALUENAME ""

darkjedi, we don't want to do the script because it will run everytime some one logs in and it only creates a registry entry that the user can go and remove.  We want to be able to enable/ disable it in the GP and have the setting propagate through out our network.

If nothing comes up by Friday I'm just going to tell the security guy that we have to just completely disable autorun all together.  

eb
 
05.14.2008 at 12:26PM PDT, ID: 21567802
darkjedi213:
In the same group policy where you specify the startup script, set permissions for that registry entry so Users cannot delete or modify it (Windows Settings, Security Settings, Registry).

Philosophically and logically, a group policy using the startup script setting is no different than any other group policy. A GPO runs each time a computer starts up, no difference between a GPO containing a setting and a GPO containing a 1kb batch file. And a computer login script will only run each time the computer starts up, not each time a user logs in. Since this registry entry is in HKLM, it can be set using a Computer startup script (GPO -> Computer Configuration, Windows Settings, Scripts, Startup). You could also specify it as a shutdown script, then it will run when a user shuts down and goes home at night!
 
05.14.2008 at 12:30PM PDT, ID: 21567845

Rank: Guru

Pber:
Try this:

I converted your reg file with NUTS: http://www.sharewareplaza.com/NUTS-download_35711.html


1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:

CLASS MACHINE
 
CATEGORY "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
 
 POLICY Default
  PART Default
  EDITTEXT
  DEFAULT "@SYS:DoesNotExist"
  VALUENAME ""
  END PART
 END POLICY
 
END CATEGORY
Open in New Window
 
05.14.2008 at 12:36PM PDT, ID: 21567896
ebjers:
darkjedi,
I see what you are saying, but myself and the other sysadmins don't want to do this with a script.  Plus when I tried it on our test OU it did not work.  If I ran the script myself the value was created, but it was not created when the GP ran the script.

Pber,
I tried that already and it did not work either.

eb
 
05.22.2008 at 04:28AM PDT, ID: 21622749
ebjers:
None of this worked so I'm going to close the question and split the points.
Accepted Solution
 
 
20080236-EE-VQP-29 / EE_QW_2_20070628