
05.14.2008 at 10:19AM PDT, ID: 23402303

Problems with group policy ADM template

Asked by ebjers in Active Directory, Windows Networking, Windows XP Operating System

Tags: Group Policy, Autorun, Autorun.inf, disable autorun, ADM, Custom GP template

First a little back story... our network security guy has asked that we create a group policy that disables the processing of the autorun.inf files found on many CDs and other media. He still wants the autoplay feature to work (music, movies, etc).

He found this http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-AutoRun-attacks and sent it to me, referencing the REG script below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Now my task is to adapt that into an ADM file and create a GPO to configure the (Default) value in the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf key.

I have created the ADM file (shown below) and am able to import it with no problems; however, when I try to apply the policy (gpupdate /force) I get the following two event messages:

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1020
Date:            5/14/2008
Time:            1:03:59 PM
User:            NT AUTHORITY\SYSTEM
Computer:      
Description:
Windows cannot create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf. (The parameter is incorrect. ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1096
Date:            5/14/2008
Time:            1:03:59 PM
User:            NT AUTHORITY\SYSTEM
Computer:      
Description:
Windows cannot access the registry policy file, \\***.net\SysVol\daiglobal.net\Policies\{D28A0160-BE9F-478B-B4B6-BC4790ABDA02}\Machine\registry.pol. (The parameter is incorrect. ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I'm assuming that this is because the VALUEON keyword in the ADM file is expecting a numeric value and I am giving it a text string. So basically what I need to know is how to get the (Default) value set to "@SYS:DoesNotExist".



CLASS MACHINE
 
CATEGORY "Auto Run"
	KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
	POLICY "Disable autorun.inf"
		EXPLAIN !!AutoRun
		VALUENAME ""
		VALUEON "@SYS:DoesNotExist" 		
	END POLICY 
END CATEGORY
 
[strings]
AutoRun="Sets the value of (Default) to "@SYS:DoesNotExist" to disable processing the autorun.inf files."
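
Added example (not from the original thread): a small parser for the `registry.pol` file named in event 1096, so the entry a custom ADM policy wrote can be inspected for its key, value name and type. The layout follows Microsoft's documented Registry Policy File Format (PReg version 1); `SAMPLE` is constructed here and is not the asker's file.

```python
import struct

REG_SZ = 1  # registry string type
U = "utf-16-le"
KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode(U), end + 2

def _expect(buf, pos, ch):
    """Check for a two-byte delimiter at pos; return the offset after it."""
    if buf[pos:pos + 2] != ch.encode(U):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return [(key, value_name, type, data)] from a registry.pol (PReg v1) blob."""
    if buf[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        # Each entry is [key;value;type;size;data] with UTF-16LE delimiters.
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        name, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append((key, name, rtype, data))
    return entries

def describe(entry):
    """One-line summary; an empty value name is shown as (Default)."""
    key, name, rtype, data = entry
    value = data.decode(U).rstrip("\0") if rtype == REG_SZ else data.hex()
    return f"{key}\\{name or '(Default)'} type={rtype} value={value!r}"

# Constructed sample: one REG_SZ entry with an empty value name (the key's default value).
_data = "@SYS:DoesNotExist\0".encode(U)
SAMPLE = (b"PReg" + struct.pack("<I", 1) + ("[" + KEY + "\0;\0;").encode(U) + struct.pack("<I", REG_SZ)
          + ";".encode(U) + struct.pack("<I", len(_data)) + ";".encode(U) + _data + "]".encode(U))
print(describe(parse_pol(SAMPLE)[0]))
```

To inspect a real policy, pass the bytes of the GPO's `Machine\registry.pol` to `parse_pol` instead of `SAMPLE`.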

About this solution

Zones: Active Directory, Windows Networking, Windows XP Operating System
Solution Provided By: ebjers
Participating Experts: 2
Solution Grade: A
 
 
 