Solved

modify the registry through group policy

Posted on 2004-10-21
Last Modified: 2010-04-10
I have read the article below, and I want to modify the registry through group policy for all users.
Thanks


http://www.sanx.org/tipShow.asp?articleRef=252
Question by:Chuckbuchan
33 Comments
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 12374323
The easiest way to do this is to modify the registry of one machine with regedit, export the registry key for StorageDevicePolicies to a *.reg file. Then create a logon script which starts this *.reg file and apply this script through a group policy.

NetoMeter
0
 

Author Comment

by:Chuckbuchan
ID: 12375398
In WXP regedit I couldn't find: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies.
As for your comment, do you think I should export the modified system registry to a file, then write a script that overwrites other users' machine registries, and put that script in the logon setting of the GPO?
How should I do that? If you could, explain this in steps.
thanks
0
 
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 12376068
Well,
1. I checked for this key and I could not find it either.
It is a good idea to create it and check whether it works fine. Do not forget that you have to reboot the machine after creating the key.

2. About the GPO
2.1 You have to create an OU in ADUC (Active Directory Users and Computers) and move the computers that you want to be affected into that OU.
2.2 Right click the properties of that OU, choose Tab Group Policy, click the button New (to create a new policy for that OU), then click Edit to modify it, choose Computer settings/Scripts.

NetoMeter
0

 
LVL 71

Expert Comment

by:Chris Dent
ID: 12379194

Copy this into a file named USBOptions.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USBOptions.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

This will give you:

Computer Configuration
Administrative Templates
USB Services

And an option there to Write Protect (make read only) the storage device.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12379198

Ack... typo in the file:

This is a fixed version, again omit the Start and End lines:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------
0
 

Author Comment

by:Chuckbuchan
ID: 12382482
To Chris-Dent: I did what you suggested

I can see USB Services folder under :
computer configuration
administrative template
system

But I couldn't add an option to Write Protect (make read only) the storage device, as you mentioned above. How can I do that?
thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12382857

You did this?

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed
0
 

Author Comment

by:Chuckbuchan
ID: 12383134
Well, I did this and it showed the setting "Load USB Storage as Read Only". I enabled this policy and restarted my computer.
I plugged a USB hard drive to my computer, but still I am able to copy from my C: hard drive to the USB hard drive.

My goal is to prevent any USB device to be recognized by the system.

0
 

Author Comment

by:Chuckbuchan
ID: 12383143
I meant I want the USB devices to be just Read Only.
0
 

Author Comment

by:Chuckbuchan
ID: 12383161
USB Devices shouldn't write to the computer(Drives) and the computer(drives) shouldn't write to the USB devices.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12383170

Ahhh I just took the information from the registry set you posted. I didn't have the opportunity to test it out fully.

If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12383181

Curious though, that article you first posted referred to XP Service Pack 2, is that the version of Windows you're testing on?
0
 

Author Comment

by:Chuckbuchan
ID: 12383184
I don't understand what you meant by: If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy.
0
 

Author Comment

by:Chuckbuchan
ID: 12383203
Good thinking... I don't have SP2 on my machine yet.
I will try to download it though.
0
 

Author Comment

by:Chuckbuchan
ID: 12383260
I have heard that XP SP2 is not recommended to download. Do you have any idea why?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12383304

Well, all Group Policy does is alter Registry settings.

Computer Configuration alters settings in HKEY_LOCAL_MACHINE.
User Configuration alters settings in HKEY_CURRENT_USER.

This is great for a lot of things because it gives a lot of scope for writing customized policies.

If you take the script above for example:

This first class statement tells us which Registry Hive we're going to alter, you get the choice of HKEY_LOCAL_MACHINE with Class Machine or HKEY_CURRENT_USER with the Class User.

CLASS MACHINE

Then this bit says where you want it to appear inside the Group Policy itself. It'll always be under Administrative Templates, but you get choices after that.

For USB Settings System seemed like a nice logical place:

CATEGORY "System"

Then to keep it separate from the rest we may as well add a USB Services folder to put it into:

CATEGORY "USB Services"

Next comes the Policy itself, this is the bit where we tell it what we want it to do.

First of course we have a name, something descriptive is always good, and we want to set USB to Read Only. So that works for a Policy Name:

POLICY "Load USB Storage as Read Only"
               
Now we have the Policy Name we need to say where the Registry Key we're changing actually is. We already told it the HKEY_Local_Machine part, but it needs the rest:

KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"

These next few bits are basically fluff. Things to make it look pretty or keep it well explained. Unfortunately not all versions of GPEdit support it, so we only run it if the version is correct:

#if version >= 4
    SUPPORTED !!SUPPORTED_Windows2000
#endif
         
#if version >= 3
    EXPLAIN !!WriteProtectCfg_Help
#endif              

Those !! things in there just tell it to get whatever is written there from the [Strings] Section. Just to prevent it all becoming too long.

Now the really important bit. The Registry Value Name we want to change, and what we want to change it to:

VALUENAME "WriteProtect"

ValueOn and ValueOff are what happens when the Policy is Enabled or Disabled:

VALUEOFF NUMERIC 0
VALUEON NUMERIC 1

For that setting it said to make it write protected it should be set to 1, I assumed that 0 would remove the configuration and allow you to use it all again, so I set Policy Disabled to 0.

Then you need to tell it you've finished the Policy with:

END POLICY

And that you've finished writing to the folders in GP Edit (one for USB Services and one for System):

END CATEGORY
END CATEGORY

This is the Strings bit, just used in the Policy above, but down here so it doesn't look too messy.

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

And that's it really. You can make them a lot more complicated with drag down boxes and lots of extra options. But for things like this it's best to keep it all simple.
0
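The `!!` lookups described in the post above only resolve when the name also exists under [Strings], which is the mismatch behind the typo corrected earlier in the thread. The check below is an added example, not code from any post in the thread: it lints a template for `!!` names with no [Strings] entry, strings nothing refers to, and unclosed POLICY/CATEGORY blocks. `check_adm` and `SAMPLE_ADM` are hypothetical names, the sample is constructed from the first template posted (help text abridged), and exact-case name matching is an assumption.

```python
import re

# Constructed sample: the first template posted in the thread, where EXPLAIN
# names a string that [Strings] never defines (the typo the next post fixes).
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif
               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]
SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"
USBStorageCfg_Help="Forces USB Devices to load in Write Protected mode."
'''

def check_adm(text):
    """Return (undefined, unused, unbalanced); names compared exactly (assumption)."""
    refs, defs, in_strings = [], [], False
    depth = {"POLICY": 0, "CATEGORY": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or ADM comment
            continue
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:
            m = re.match(r"([A-Za-z0-9_]+)\s*=", line)
            if m:
                defs.append(m.group(1))           # name defined under [Strings]
        else:
            refs += re.findall(r"!!([A-Za-z0-9_]+)", line)
            words = line.upper().split()
            if words[0] in depth:                 # POLICY / CATEGORY opens a block
                depth[words[0]] += 1
            elif words[0] == "END" and len(words) > 1 and words[1] in depth:
                depth[words[1]] -= 1              # END POLICY / END CATEGORY closes it
    return (sorted(set(refs) - set(defs)), sorted(set(defs) - set(refs)),
            sorted(k for k, v in depth.items() if v))

if __name__ == "__main__":
    print(check_adm(SAMPLE_ADM))
```

Running it over a template before importing it into the Group Policy editor catches a renamed or misspelled string key while it is still a one-line fix.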
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12383339

We've been running XP SP2 on the IT Department at work.

It works, but you may get some application compatibility problems. You will also have another 700 odd policies to check out. A new firewall to deal with and all kinds of other bits.

So, no big problems (for me) but apply with care, and make sure you have a copy of everything you need off your machine.

I don't think making the USB Device read only will work with anything other than SP2. I can post an updated ADM file that changes the Supported Text to make that clear if you like ;)
0
 

Author Comment

by:Chuckbuchan
ID: 12383362
I am gonna get back with you in a little while..I have to do something else.
Thanks
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1000 total points
ID: 12383389

Just for accuracy, here is the updated ADM file for when you get back:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_WindowsXPSP2
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_WindowsXPSP2="Windows XP Service Pack 2"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------
0
 

Author Comment

by:Chuckbuchan
ID: 12385371
Hi Chris, I am back and it looks like your approach is working after I tried it on my machine. Do you know how I can deploy it for all users through Group Policy?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385403

Just apply the policy to an OU with the computers you'd like it to affect.

Problem is that one will only work for Windows XP Service Pack 2. It won't have any effect on anything else.
0
 

Author Comment

by:Chuckbuchan
ID: 12385486
Actually my machine doesn't have WXP SP2, but the policy affected it. I mean it worked good.

well for the OU that is going to be affected with the USB settings, how does it work?
0
 

Author Comment

by:Chuckbuchan
ID: 12385501
I know how to set a policy for the OU.
I just want to know how to import the existing mmc console that has the setting about USB, instead of editing a new policy for the OU.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385519

Ahh that's good news.

Not sure about moving your current Policy to a more global one.

Personally I'd recommend the Group Policy Management Console:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

This gives you a really easy way to see where and what your policies affect. The Organizational Unit you apply it to should contain the Computer Accounts for the people you want it to affect.

Simply create a new policy linked to the right OU, import the ADM File again (don't forget to turn off the "Only display fully managed policies" filter), set the policy and you're all set.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385530

Ahh sorry.. missed the last bit. Not sure about how to save your existing Policy so you can attach it to an OU.

It would only take a few moments to make a new policy with the same settings.
0
 

Author Comment

by:Chuckbuchan
ID: 12385541
I will be gone in a moment , talk to you later.
thanks
0
 

Author Comment

by:Chuckbuchan
ID: 12388071
Well Chris, I created an OU on the server named USB Restriction and moved 02 computers into it, followed all the steps, then rebooted the server as well as the 02 computers and tested the policy by plugging a USB removable drive into the 02 computers, and it worked just perfect. Being curious, I went to Device Manager and found yellow exclamation marks on the left side where it says USB Root Hub, but not on the left side where it says Standard Universal PCI to USB Host Controller.
What do you think that means?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12388278

The registry makes a change to how the driver works, we got those when we set Hubs and Storage to disabled, did you apply the policy from the other thread as well?

It could be this change also alters the driver state, so probably not much to worry about.

Just remember that with these policies you'll have to set it to Disabled before setting it to Not Configured again to restore the original settings.
0
 

Author Comment

by:Chuckbuchan
ID: 12388342
what do you mean by other thread?

I am just wondering if there is any other USB Device that could be plugged in and could be used and not affected with this policy.

0
 

Author Comment

by:Chuckbuchan
ID: 12388396
As of my understanding this policy will be good for USB storage devices and Hubs (I don't know what type of hubs, USB maybe if there is any).
0
 

Author Comment

by:Chuckbuchan
ID: 12388791
well, it looks like it affects also USB Mouse and USB Print device.
0
 

Author Comment

by:Chuckbuchan
ID: 12388792
By the way what language is that code written with?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12392381

Does it have a bad effect on the other devices?

The code is a type only used for writing Group Policy templates. I never used it before learning it for writing those.
0
