modify the registry through group policy

I have read the article below, and I want to modify the registry through Group Policy for all users.
Thanks


http://www.sanx.org/tipShow.asp?articleRef=252
Chuckbuchan asked:

NetoMeter Screencasts commented:
The easiest way to do this is to modify the registry of one machine with regedit, export the registry key for StorageDevicePolicies to a *.reg file. Then create a logon script which starts this *.reg file and apply this script through a group policy.

NetoMeter
0
ChuckbuchanAuthor Commented:
In WXP regedit I couldn't find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies.
As for your comment, do you think I should export the modified system registry to a file, then write a script that overwrites the registry on the other users' machines and put that script in the logon setting of the GPO?
How should I do that? Could you explain it in steps?
Thanks
0
NetoMeter Screencasts commented:
Well,
1. I checked this key and I could not find it either.
It is a good idea to create it and check whether it works fine. Do not forget that you have to reboot the machine after creating the key.

2. About the GPO
2.1 You have to create an OU in ADUC (Active Directory Users and Computers) and move the computers that you want to be affected into that OU.
2.2 Right-click that OU and open Properties, choose the Group Policy tab, click New (to create a new policy for that OU), then click Edit to modify it and choose Computer Settings/Scripts.

NetoMeter
0

Chris Dent (PowerShell Developer) commented:

Copy this into a file named USBOptions.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right-click there and choose Add a Template, pointing it at the USBOptions.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

This will give you:

Computer Configuration
Administrative Templates
USB Services

And an option there to Write Protect (make read only) the storage device.

0
Chris Dent (PowerShell Developer) commented:

Ack... typo in the file:

This is a fixed version, again omit the Start and End lines:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------
0
Chuckbuchan (Author) commented:
To Chris Dent: I did what you suggested.

I can see USB Services folder under :
computer configuration
administrative template
system

But I couldn't add an option to Write Protect (make read only) the storage device, as you mentioned above. How can I do that?
Thanks
0
Chris Dent (PowerShell Developer) commented:

You did this?

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed
0
Chuckbuchan (Author) commented:
Well, I did this and it showed the setting "Load USB Storage as Read only". I enabled this policy and restarted my computer.
I plugged a USB hard drive into my computer, but I am still able to copy from my C: hard drive to the USB hard drive.

My goal is to prevent any USB device to be recognized by the system.

0
Chuckbuchan (Author) commented:
I meant I want the USB devices to be just Read Only.
0
Chuckbuchan (Author) commented:
USB devices shouldn't write to the computer (drives) and the computer (drives) shouldn't write to the USB devices.
0
Chris Dent (PowerShell Developer) commented:

Ahhh, I just took the information from the registry set you posted. I didn't have the opportunity to test it out fully.

If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy.
0
Chris Dent (PowerShell Developer) commented:

Curious though, that article you first posted referred to XP Service Pack 2, is that the version of Windows you're testing on?
0
Chuckbuchan (Author) commented:
I don't understand what you meant by: "If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy."
0
Chuckbuchan (Author) commented:
Good thinking... I don't have SP2 on my machine yet.
I will try to download it though.
0
Chuckbuchan (Author) commented:
I have heard that XP SP2 is not recommended to download; do you have any idea why?
0
Chris Dent (PowerShell Developer) commented:

Well, all Group Policy does is alter Registry settings.

Computer Configuration alters settings in HKEY_LOCAL_MACHINE.
User Configuration alters settings in HKEY_CURRENT_USER.

This is great for a lot of things because it gives a lot of scope for writing customized policies.

If you take the script above for example:

The first CLASS statement tells us which Registry hive we're going to alter; you get the choice of HKEY_LOCAL_MACHINE with CLASS MACHINE or HKEY_CURRENT_USER with CLASS USER.

CLASS MACHINE

Then this bit says where you want it to appear inside the Group Policy itself. It'll always be under Administrative Templates, but you get choices after that.

For USB Settings System seemed like a nice logical place:

CATEGORY "System"

Then, to keep it separate from the rest, we may as well add a USB Services folder to put it into:

CATEGORY "USB Services"

Next comes the Policy itself; this is the bit where we tell it what we want it to do.

First of course we have a name, something descriptive is always good, and we want to set USB to Read Only. So that works for a Policy Name:

POLICY "Load USB Storage as Read Only"
               
Now that we have the Policy Name, we need to say where the Registry Key we're changing actually is. We already told it the HKEY_LOCAL_MACHINE part, but it needs the rest:

KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"

These next few bits are basically fluff: things to make it look pretty or keep it well explained. Unfortunately not all versions of GPEdit support them, so we only include them if the version is right:

#if version >= 4
    SUPPORTED !!SUPPORTED_Windows2000
#endif
         
#if version >= 3
    EXPLAIN !!WriteProtectCfg_Help
#endif              

Those !! things just tell it to get whatever is written there from the [Strings] section, to prevent it all becoming too long.

Now the really important bit. The Registry Value Name we want to change, and what we want to change it to:

VALUENAME "WriteProtect"

ValueOn and ValueOff are what happens when the Policy is Enabled or Disabled:

VALUEOFF NUMERIC 0
VALUEON NUMERIC 1

For that setting the article said that to make it write protected it should be set to 1; I assumed that 0 would remove the configuration and allow you to use it all again, so I set Policy Disabled to 0.

Then you need to tell it you've finished the Policy with:

END POLICY

And that you've finished writing to the folders in GP Edit (one for USB Services and one for System):

END CATEGORY
END CATEGORY

This is the Strings bit, just used in the Policy above, but down here so it doesn't look too messy.

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

And that's it really. You can make them a lot more complicated with drop-down boxes and lots of extra options. But for things like this it's best to keep it all simple.
0
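As an added check (example code written for this page, not from the thread or from Experts Exchange), here is a small Python parser for the ADM constructs explained above: it reports the hive, key, value and on/off data each POLICY writes, and flags the two defects this thread ran into, a !!reference with no matching [Strings] entry (the typo in the first file) and a KEYNAME outside the Policies keys, which is why the setting is hidden until the "fully managed" filter is turned off and why the value is not reverted on Not Configured. The sample ADM is constructed from the thread's file.

```python
import re
# Constructed sample (not the page's file verbatim): the thread's ADM with the
# first version's typo, EXPLAIN !!WriteProtectCfg_Help vs USBStorageCfg_Help.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY "USB Services"
  POLICY "Load USB Storage as Read Only"
    KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
    EXPLAIN !!WriteProtectCfg_Help
    VALUENAME "WriteProtect"
    VALUEOFF NUMERIC 0
    VALUEON NUMERIC 1
  END POLICY
END CATEGORY
[Strings]
USBStorageCfg_Help="Forces USB storage to load read only."
'''
HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}
# Only values under these keys are "fully managed": Group Policy removes them again.
MANAGED = ("SOFTWARE\\POLICIES", "SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES")

def parse_adm(text):
    """Return (policies, problems): the registry write each POLICY performs, plus defects."""
    body, *tail = re.split(r"(?im)^\s*\[strings\]\s*$", text, maxsplit=1)
    strings = dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"', "".join(tail), re.M))
    policies, problems, refs, hive, cur = [], [], [], None, None
    for line in body.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tok or tok[0].startswith("#"):      # blank lines and #if/#endif
            continue
        kw = tok[0].upper()
        if kw == "CLASS":                          # CLASS MACHINE -> HKEY_LOCAL_MACHINE
            hive = HIVES[tok[1].upper()]
        elif kw == "POLICY":
            cur = {"name": tok[1]}
        elif kw == "END" and tok[1].upper() == "POLICY":
            policies.append(cur)
        elif kw == "KEYNAME":                      # key is relative to the CLASS hive
            cur["key"] = hive + "\\" + tok[1]
            if not tok[1].upper().startswith(MANAGED):
                problems.append(f"{cur['name']}: {tok[1]} is not a Policies key; hidden by the 'fully managed' filter and never reverted")
        elif kw == "VALUENAME":
            cur["value"] = tok[1]
        elif kw in ("VALUEON", "VALUEOFF"):        # e.g. VALUEON NUMERIC 1
            cur[kw[5:].lower()] = int(tok[2])
        elif kw in ("SUPPORTED", "EXPLAIN"):       # !!name must exist in [Strings]
            refs.append((kw, tok[1].lstrip("!")))
    for kw, name in refs:
        if name not in strings:
            problems.append(f"{kw} references !!{name} but [Strings] does not define it")
    return policies, problems
```

Running parse_adm over the contents of USBOptions.adm before adding it as a template returns the write it will make (HKEY_LOCAL_MACHINE\...\StorageDevicePolicies, WriteProtect = 1 when Enabled, 0 when Disabled) together with the two warnings; once the string name in [Strings] is corrected only the not-fully-managed warning remains.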
Chris Dent (PowerShell Developer) commented:

We've been running XP SP2 on the IT Department at work.

It works, but you may get some application compatibility problems. You will also have another 700-odd policies to check out, a new firewall to deal with and all kinds of other bits.

So, no big problems (for me) but apply with care, and make sure you have a copy of everything you need off your machine.

I don't think making the USB Device read only will work with anything other than SP2. I can post an updated ADM file that changes the Supported Text to make that clear if you like ;)
0
Chuckbuchan (Author) commented:
I am gonna get back to you in a little while; I have to do something else.
Thanks
0
Chris Dent (PowerShell Developer) commented:

Just for accuracy, here is the updated ADM file for when you get back:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_WindowsXPSP2
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_WindowsXPSP2="Windows XP Service Pack 2"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------
0

Chuckbuchan (Author) commented:
Hi Chris, I am back and it looks like your approach is working after I tried it on my machine. Do you know how I can deploy it for all users through Group Policy?
0
Chris Dent (PowerShell Developer) commented:

Just apply the policy to an OU with the computers you'd like it to affect.

Problem is that one will only work for Windows XP Service Pack 2. It won't have any effect on anything else.
0
Chuckbuchan (Author) commented:
Actually my machine doesn't have WXP SP2, but the policy affected it. I mean, it worked well.

Well, for the OU that is going to be affected by the USB settings, how does it work?
0
Chuckbuchan (Author) commented:
I know how to set a policy for the OU.
I just want to know how to import the existing MMC console that has the USB setting, instead of editing a new policy for the OU.
0
Chris Dent (PowerShell Developer) commented:

Ahh that's good news.

Not sure about moving your current Policy to a more global one.

Personally I'd recommend the Group Policy Management Console:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

This gives you a really easy way to see where and what your policies affect. The Organizational Unit you apply it to should contain the Computer Accounts for the people you want it to affect.

Simply create a new policy linked to the right OU, import the ADM File again (don't forget to turn off the "Only display fully managed policies" filter), set the policy and you're all set.
0
Chris Dent (PowerShell Developer) commented:

Ahh sorry.. missed the last bit. Not sure about how to save your existing Policy so you can attach it to an OU.

It would only take a few moments to make a new policy with the same settings.
0
Chuckbuchan (Author) commented:
I will be gone in a moment, talk to you later.
thanks
0
Chuckbuchan (Author) commented:
Well Chris, I created an OU on the server named USB Restriction and moved 02 computers into it, followed all the steps, then rebooted the server as well as the 02 computers, and tested the policy by plugging a USB removable drive into the 02 computers. It worked just perfectly. Me being curious, I went to Device Manager and found yellow exclamation marks on the left side where it says USB Root Hub, but not on the left side where it says Standard Universal PCI to USB Host Controller.
What do you think that means?
0
Chris Dent (PowerShell Developer) commented:

The registry entry changes how the driver works; we got those when we set Hubs and Storage to Disabled. Did you apply the policy from the other thread as well?

It could be this change also alters the driver state, so probably not much to worry about.

Just remember that with these policies you'll have to set it to Disabled before setting it to Not Configured again to restore the original settings.
0
Chuckbuchan (Author) commented:
What do you mean by the other thread?

I am just wondering if there is any other USB device that could be plugged in and used, unaffected by this policy.

0
Chuckbuchan (Author) commented:
From my understanding, this policy will be good for USB storage devices and hubs (I don't know what type of hubs, USB maybe, if there are any).
0
Chuckbuchan (Author) commented:
Well, it looks like it also affects USB mouse and USB print devices.
0
Chuckbuchan (Author) commented:
By the way, what language is that code written in?
0
Chris Dent (PowerShell Developer) commented:

Does it have a bad effect on the other devices?

The code is a type only used for writing Group Policy templates. I had never used it before learning it for writing those.
0