Solved

modify the registry through group policy

Posted on 2004-10-21
351 Views
Last Modified: 2010-04-10
I have read the article below, and I want to modify the registry through Group Policy for all users.
Thanks


http://www.sanx.org/tipShow.asp?articleRef=252
0
Question by:Chuckbuchan
    33 Comments
     
    LVL 11

    Expert Comment

    by:NetoMeter Screencasts
    The easiest way to do this is to modify the registry of one machine with regedit, export the registry key for StorageDevicePolicies to a *.reg file. Then create a logon script which starts this *.reg file and apply this script through a group policy.

    NetoMeter
    0
     

    Author Comment

    by:Chuckbuchan
    In WXP regedit I couldn't find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies.
    As for your comment, do you think I should export the modified system registry to a file, then write a script that overwrites other users' machine registries, and put that script in the logon setting of the GPO?
    How should I do that? Could you explain this in steps?
    Thanks
    0
     
    LVL 11

    Expert Comment

    by:NetoMeter Screencasts
    Well,
    1. I checked this key and I could not find it either.
    It is a good idea to create it and check whether it works fine. Do not forget that you have to reboot the machine after creating the key.

    2. About the GPO
    2.1 You have to create an OU in ADUC (Active Directory Users and Computers) and move the computers that you want to be affected into that OU.
    2.2 Right-click that OU and open Properties, choose the Group Policy tab, click the New button (to create a new policy for that OU), then click Edit to modify it and choose Computer Configuration/Scripts.

    NetoMeter
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Copy this into a file named USBOptions.ADM (ignoring the Start and End lines).

    -----------------------------------------------Start-----------------------------------------------

    CLASS MACHINE

    CATEGORY "System"
         CATEGORY "USB Services"
              POLICY "Load USB Storage as Read Only"
                   
                   KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
                   #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                   #endif
             
                   #if version >= 3
                        EXPLAIN !!WriteProtectCfg_Help
                   #endif              

                   VALUENAME "WriteProtect"
                   VALUEOFF NUMERIC 0
                   VALUEON NUMERIC 1
              END POLICY
         END CATEGORY
    END CATEGORY

    [Strings]

    SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

    USBStorageCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

    -----------------------------------------------End-----------------------------------------------

    Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USBOptions.adm file.

    Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

    Only show policy settings that can be fully managed

    This will give you:

    Computer Configuration
    Administrative Templates
    USB Services

    And an option there to Write Protect (make read only) the storage device.

    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Ack... typo in the file:

    This is a fixed version, again omit the Start and End lines:

    -----------------------------------------------Start-----------------------------------------------

    CLASS MACHINE

    CATEGORY "System"
         CATEGORY "USB Services"
              POLICY "Load USB Storage as Read Only"
                   
                   KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
                   #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                   #endif
             
                   #if version >= 3
                        EXPLAIN !!WriteProtectCfg_Help
                   #endif              

                   VALUENAME "WriteProtect"
                   VALUEOFF NUMERIC 0
                   VALUEON NUMERIC 1
              END POLICY
         END CATEGORY
    END CATEGORY

    [Strings]

    SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

    WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

    -----------------------------------------------End-----------------------------------------------
    0
     

    Author Comment

    by:Chuckbuchan
    To Chris Dent: I did what you suggested.

    I can see USB Services folder under :
    computer configuration
    administrative template
    system

    But I couldn't add an option to Write Protect (make read only) the storage device, as you mentioned above. How can I do that?
    thanks
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    You did this?

    Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

    Only show policy settings that can be fully managed
    0
     

    Author Comment

    by:Chuckbuchan
    Well, I did this and it showed the setting "Load USB Storage as Read Only". I enabled this policy and restarted my computer.
    I plugged a USB hard drive into my computer, but I am still able to copy from my C: hard drive to the USB hard drive.

    My goal is to prevent any USB device to be recognized by the system.

    0
     

    Author Comment

    by:Chuckbuchan
    I meant I want the USB devices to be just Read Only.
    0
     

    Author Comment

    by:Chuckbuchan
    USB devices shouldn't write to the computer (drives) and the computer (drives) shouldn't write to the USB devices.
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Ahhh I just took the information from the registry set you posted. I didn't have the opportunity to test it out fully.

    If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy.
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Curious though, that article you first posted referred to XP Service Pack 2, is that the version of Windows you're testing on?
    0
     

    Author Comment

    by:Chuckbuchan
    I don't understand what you meant by: "If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy."
    0
     

    Author Comment

    by:Chuckbuchan
    Good thinking... I don't have SP2 on my machine yet.
    I will try to download it though.
    0
     

    Author Comment

    by:Chuckbuchan
    I have heard that XP SP2 is not recommended to download. Do you have any idea why?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Well, all Group Policy does is alter Registry settings.

    Computer Configuration alters settings in HKEY_LOCAL_MACHINE.
    User Configuration alters settings in HKEY_CURRENT_USER.

    This is great for a lot of things because it gives a lot of scope for writing customized policies.

    If you take the script above for example:

    This first Class statement tells us which Registry hive we're going to alter; you get the choice of HKEY_LOCAL_MACHINE with Class Machine or HKEY_CURRENT_USER with Class User.

    CLASS MACHINE

    Then this bit says where you want it to appear inside the Group Policy itself. It'll always be under Administrative Templates, but you get choices after that.

    For USB Settings System seemed like a nice logical place:

    CATEGORY "System"

    Then, to keep it separate from the rest, we may as well add a USB Services folder to put it into:

    CATEGORY "USB Services"

    Next comes the Policy itself, this is the bit where we tell it what we want it to do.

    First of course we have a name, something descriptive is always good, and we want to set USB to Read Only. So that works for a Policy Name:

    POLICY "Load USB Storage as Read Only"
                   
    Now we have the Policy Name we need to say where the Registry Key we're changing actually is. We already told it the HKEY_Local_Machine part, but it needs the rest:

    KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"

    These next few bits are basically fluff. Things to make it look pretty or keep it well explained. Unfortunately not all versions of GPEdit support it, so we only run it if the version is correct:

    #if version >= 4
        SUPPORTED !!SUPPORTED_Windows2000
    #endif
             
    #if version >= 3
        EXPLAIN !!WriteProtectCfg_Help
    #endif              

    Those !! things in there just tell it to get whatever is written there from the [Strings] Section. Just to prevent it all becoming too long.

    Now the really important bit. The Registry Value Name we want to change, and what we want to change it to:

    VALUENAME "WriteProtect"

    ValueOn and ValueOff are what happens when the Policy is Enabled or Disabled:

    VALUEOFF NUMERIC 0
    VALUEON NUMERIC 1

    For that setting, it said that to make it write protected it should be set to 1. I assumed that 0 would remove the configuration and allow you to use it all again, so I set Policy Disabled to 0.

    Then you need to tell it you've finished the Policy with:

    END POLICY

    And that you've finished writing to the folders in GP Edit (one for USB Services and one for System):

    END CATEGORY
    END CATEGORY

    This is the Strings bit, just used in the Policy above, but down here so it doesn't look too messy.

    [Strings]

    SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

    WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

    And that's it really. You can make them a lot more complicated with drop-down boxes and lots of extra options. But for things like this it's best to keep it all simple.
    0
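    The walkthrough above (and NetoMeter's earlier suggestion of exporting a .reg file and applying it by script) both come down to the same few registry facts: hive, key, value name, and the numbers written for Enabled and Disabled. The script below is an added example for this thread, not code from either poster: it parses an ADM template in the shape Chris describes, resolves the !!string references, and emits the .reg file that a Computer startup script could apply with `regedit /s` instead of the template. The sample template is a constructed copy of the thread's accepted-solution ADM that deliberately keeps a mismatched string name (`!!SUPPORTED_XPSP2` referenced, `SUPPORTED_WindowsXPSP2` defined), the same class of slip as the "Ack... typo" earlier in the thread, so the lint has something to catch; `parse_adm` and `to_reg` are this example's own helpers.

```python
"""Parse a Group Policy .adm template, lint its !!string references, and
render the equivalent .reg file for the Enabled and Disabled states.
Added example for this thread; not code from the original posts."""
import re

# Constructed sample: the thread's accepted-solution ADM with its string
# name mismatch left in on purpose (SUPPORTED_XPSP2 vs SUPPORTED_WindowsXPSP2).
SAMPLE_ADM = r'''
CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_XPSP2
               #endif
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif
               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]
SUPPORTED_WindowsXPSP2="Windows XP Service Pack 2"
WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode."
'''

# CLASS keyword -> registry hive the KEYNAME is relative to
HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}


def parse_adm(text):
    """Return (policies, strings, missing).

    policies: one dict per POLICY block (hive, category path, key, value, on/off)
    strings:  the [Strings] table
    missing:  !!references with no [Strings] entry
    """
    body, _, strings_part = text.partition("[Strings]")
    strings = {}
    for line in strings_part.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"(.*)"\s*$', line)
        if m:
            strings[m.group(1)] = m.group(2)

    policies, missing = [], []
    hive, categories, cur = None, [], None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank, #if, #endif
            continue
        tok = line.split(None, 1)
        kw, arg = tok[0].upper(), (tok[1] if len(tok) > 1 else "")
        if kw == "CLASS":
            hive = HIVES[arg.upper()]
        elif kw == "CATEGORY":
            categories.append(arg.strip('"'))
        elif kw == "END" and arg.upper() == "CATEGORY":
            categories.pop()
        elif kw == "POLICY":
            cur = {"hive": hive, "path": list(categories),
                   "name": arg.strip('"'), "on": None, "off": None}
        elif kw == "END" and arg.upper() == "POLICY":
            policies.append(cur)
            cur = None
        elif kw == "KEYNAME":
            cur["keyname"] = arg.strip('"')
        elif kw == "VALUENAME":
            cur["valuename"] = arg.strip('"')
        elif kw in ("VALUEON", "VALUEOFF"):
            kind, val = arg.split(None, 1)
            cur["on" if kw == "VALUEON" else "off"] = (kind.upper(), val.strip('"'))
        # every !!ref on the line must exist in [Strings], else gpedit shows junk
        for ref in re.findall(r"!!(\w+)", line):
            if ref not in strings:
                missing.append(ref)
    return policies, strings, missing


def to_reg(policy, enabled):
    """Render the registry write GP would make for Enabled/Disabled as .reg text."""
    kind, val = policy["on"] if enabled else policy["off"]
    data = "dword:%08x" % int(val) if kind == "NUMERIC" else '"%s"' % val
    return ('Windows Registry Editor Version 5.00\n\n[%s\\%s]\n"%s"=%s\n'
            % (policy["hive"], policy["keyname"], policy["valuename"], data))


if __name__ == "__main__":
    pols, strs, missing = parse_adm(SAMPLE_ADM)
    print("unresolved string refs:", missing)
    print(to_reg(pols[0], enabled=True))
```

    Because the key lives under HKEY_LOCAL_MACHINE, a .reg file produced this way belongs in a Computer Configuration startup script (which runs as the local system) rather than a user logon script, which runs with the logged-on user's rights and will usually not be able to write there. Running the lint before importing a template saves the "ticked the policy but nothing happened" round trip seen earlier in the thread.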
     
    LVL 70

    Expert Comment

    by:Chris Dent

    We've been running XP SP2 in the IT Department at work.

    It works, but you may get some application compatibility problems. You will also have another 700-odd policies to check out, a new firewall to deal with and all kinds of other bits.

    So, no big problems (for me) but apply with care, and make sure you have a copy of everything you need off your machine.

    I don't think making the USB Device read only will work with anything other than SP2. I can post an updated ADM file that changes the Supported Text to make that clear if you like ;)
    0
     

    Author Comment

    by:Chuckbuchan
    I am gonna get back with you in a little while..I have to do something else.
    Thanks
    0
     
    LVL 70

    Accepted Solution

    by:

    Just for accuracy, here is the updated ADM file for when you get back:

    -----------------------------------------------Start-----------------------------------------------

    CLASS MACHINE

    CATEGORY "System"
         CATEGORY "USB Services"
              POLICY "Load USB Storage as Read Only"
                   
                   KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
                   #if version >= 4
                        SUPPORTED !!SUPPORTED_WindowsXPSP2
                   #endif
             
                   #if version >= 3
                        EXPLAIN !!WriteProtectCfg_Help
                   #endif              

                   VALUENAME "WriteProtect"
                   VALUEOFF NUMERIC 0
                   VALUEON NUMERIC 1
              END POLICY
         END CATEGORY
    END CATEGORY

    [Strings]

    SUPPORTED_WindowsXPSP2="Windows XP Service Pack 2"

    WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

    -----------------------------------------------End-----------------------------------------------
    0
     

    Author Comment

    by:Chuckbuchan
    Hi Chris, I am back and it looks like your approach is working after I tried it on my machine. Do you know how I can deploy it for all users through Group Policy?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Just apply the policy to an OU with the computers you'd like it to affect.

    Problem is that one will only work for Windows XP Service Pack 2. It won't have any effect on anything else.
    0
     

    Author Comment

    by:Chuckbuchan
    Actually my machine doesn't have WXP SP2, but the policy affected it. I mean it worked well.

    Well, for the OU that is going to be affected by the USB settings, how does it work?
    0
     

    Author Comment

    by:Chuckbuchan
    I know how to set a policy for the OU.
    I just want to know how to import the existing MMC console that has the setting about USB, instead of editing a new policy for the OU.
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Ahh that's good news.

    Not sure about moving your current Policy to a more global one.

    Personally I'd recommend the Group Policy Management Console:

    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

    This gives you a really easy way to see where and what your policies affect. The Organizational Unit you apply it to should contain the Computer Accounts for the people you want it to affect.

    Simply create a new policy linked to the right OU, import the ADM File again (don't forget to turn off the "Only display fully managed policies" filter), set the policy and you're all set.
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Ahh sorry.. missed the last bit. Not sure about how to save your existing Policy so you can attach it to an OU.

    It would only take a few moments to make a new policy with the same settings.
    0
     

    Author Comment

    by:Chuckbuchan
    I will be gone in a moment , talk to you later.
    thanks
    0
     

    Author Comment

    by:Chuckbuchan
    Well Chris, I created an OU on the server named USB Restriction and moved two computers into it, followed all the steps, then rebooted the server as well as the two computers and tested the policy by plugging a USB removable drive into the two computers, and it worked just perfectly. Being curious, I went to Device Manager and found a yellow exclamation mark on the left side where it says USB Root Hub, but not on the left side where it says Standard Universal PCI to USB Host Controller.
    What do you think that means?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    The registry makes a change to how the driver works. We got those when we set Hubs and Storage to disabled; did you apply the policy from the other thread as well?

    It could be this change also alters the driver state, so probably not much to worry about.

    Just remember that with these policies you'll have to set it to Disabled before setting it to Not Configured again to restore the original settings.
    0
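    The "set it to Disabled before Not Configured" advice is the consequence of the template's KEYNAME sitting outside the Policies keys, which is also why the filter "Only show policy settings that can be fully managed" hid it. The model below is an added example, not from the thread: it treats the registry as a dict and replays the three policy states against the thread's WriteProtect value, showing that Enabled followed by Not Configured leaves the value tattooed at 1, while the same value under a Policies key would be cleaned up. The `Example\USB` key used for the managed comparison is hypothetical; the WriteProtect key, value and numbers are the thread's own.

```python
"""Model Group Policy's handling of a 'not fully managed' ADM setting
(KEYNAME outside the Policies keys) versus a managed one.
Added example for this thread; the registry is a plain dict."""

# The registry value the thread's ADM template drives (values as in the template).
USB_READONLY = {
    "key": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies",
    "value": "WriteProtect",
    "on": 1,    # VALUEON  NUMERIC 1
    "off": 0,   # VALUEOFF NUMERIC 0
}

# Keys the GP client owns: values written here are removed when the
# setting is no longer applied, so they do not tattoo.
MANAGED_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\Software\Policies",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies",
    r"HKEY_CURRENT_USER\Software\Policies",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies",
)


def is_managed(policy):
    """True only when the policy's key lives under one of the Policies keys."""
    prefixes = tuple(p.lower() for p in MANAGED_PREFIXES)
    return policy["key"].lower().startswith(prefixes)


def apply(registry, policy, state):
    """Apply one policy state ('enabled', 'disabled', 'not_configured').

    Enabled/Disabled write VALUEON/VALUEOFF.  Not Configured removes the
    value for a managed setting and leaves an unmanaged one untouched.
    Returns the value now in the registry (None if absent).
    """
    slot = (policy["key"].lower(), policy["value"].lower())
    if state == "enabled":
        registry[slot] = policy["on"]
    elif state == "disabled":
        registry[slot] = policy["off"]
    elif state == "not_configured":
        if is_managed(policy):
            registry.pop(slot, None)
    else:
        raise ValueError("unknown state: %s" % state)
    return registry.get(slot)


def run_sequence(policy, states):
    """Final registry value after a sequence of policy states, starting from
    an empty registry (the key does not exist on a fresh XP machine)."""
    registry = {}
    for state in states:
        apply(registry, policy, state)
    return registry.get((policy["key"].lower(), policy["value"].lower()))


if __name__ == "__main__":
    # Unlinking right after Enabled leaves drives write-protected (tattooed at 1).
    print(run_sequence(USB_READONLY, ["enabled", "not_configured"]))
    # Chris's order: Disabled first, then Not Configured, ends at 0 (writable again,
    # although the value now exists where it did not before).
    print(run_sequence(USB_READONLY, ["enabled", "disabled", "not_configured"]))
    # Hypothetical managed location for comparison: cleaned up automatically.
    managed = dict(USB_READONLY, key=r"HKEY_LOCAL_MACHINE\Software\Policies\Example\USB")
    print(run_sequence(managed, ["enabled", "not_configured"]))
```

    The practical check on a client after unlinking the GPO is simply whether `WriteProtect` still reads 1 under StorageDevicePolicies; if it does, the policy was removed without the Disabled step and the value has to be reversed by hand or by re-linking the policy as Disabled.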
     

    Author Comment

    by:Chuckbuchan
    What do you mean by the other thread?

    I am just wondering if there is any other USB device that could be plugged in and used without being affected by this policy.

    0
     

    Author Comment

    by:Chuckbuchan
    As I understand it, this policy will be good for USB storage devices and hubs (I don't know what type of hubs, USB maybe, if there are any).
    0
     

    Author Comment

    by:Chuckbuchan
    Well, it looks like it also affects USB mouse and USB print devices.
    0
     

    Author Comment

    by:Chuckbuchan
    By the way what language is that code written with?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Does it have a bad effect on the other devices?

    The code is a type only used for writing Group Policy templates. I never used it before learning it for writing those.
    0
