Chuckbuchan

asked on

modify the registry through group policy

I have read this article below, And I want to modify the registry through group policy for all users.
Thanks


http://www.sanx.org/tipShow.asp?articleRef=252
NetoMeter Screencasts

The easiest way to do this is to modify the registry of one machine with regedit, export the registry key for StorageDevicePolicies to a *.reg file. Then create a logon script which starts this *.reg file and apply this script through a group policy.

NetoMeter
Chuckbuchan

ASKER

In WXP regedit I couldn't find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies.
As for your comment, do you think I should export the modified system registry to a file, then write a script that overwrites the other users' machine registries, and put that script in the logon setting of the GPO?
How should I do that? Could you explain this in steps?
Thanks
Well,
1. I checked about this key and I could not find it too.
It is a good idea to create it and check whether it works fine. Do not forget that you have to reboot the machine after creating the key.

2. About the GPO
2.1 You have to create an OU in ADUC (Active Directory Users and Computers) and move the computers that you want to be affected into that OU.
2.2 Right click the properties of that OU, choose Tab Group Policy, click the button New (to create a new policy for that OU), then click Edit to modify it, choose Computer settings/Scripts.

NetoMeter

Copy this into a file named USBOptions.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USBOptions.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

This will give you:

Computer Configuration
Administrative Templates
USB Services

And an option there to Write Protect (make read only) the storage device.


Ack... typo in the file:

This is a fixed version, again omit the Start and End lines:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Load USB Storage as Read Only"
               
               KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!WriteProtectCfg_Help
               #endif              

               VALUENAME "WriteProtect"
               VALUEOFF NUMERIC 0
               VALUEON NUMERIC 1
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

-----------------------------------------------End-----------------------------------------------
To Chris-Dent: I did what you suggested

I can see USB Services folder under :
computer configuration
administrative template
system

But I couldn't add an option to Write Protect (make read only) the storage device, as you mentioned above. How can I do that?
thanks

You did this?

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed
Well, I did this and it showed the setting  "Load USB Storage as Read only" I enable this policy and restarted my computer.
I plugged a USB hard drive to my computer, but still I am able to copy from my C: hard drive to the USB hard drive.

My goal is to prevent any USB device to be recognized by the system.

I meant I want the USB devices to be just Read Only.
USB Devices shouldn't write to the computer(Drives) and the computer(drives) shouldn't write to the USB devices.

Ahhh I just took the information from the registry set you posted. I didn't have the opportunity to test it out fully.

If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy.

Curious though, that article you first posted referred to XP Service Pack 2, is that the version of Windows you're testing on?
I don't understand what you meant by: "If there's a working registry entry and it sits in either HKey_Local_Machine or HKey_Current_User it can very easily be scripted and added to Group Policy."
Good thinking... I don't have SP2 on my machine yet.
I will try to download it though.
I have heard that XP SP2 is not recommended to download, do you have any idea why?

Well, all Group Policy does is alter Registry settings.

Computer Configuration alters settings in HKEY_LOCAL_MACHINE.
User Configuration alters settings in HKEY_CURRENT_USER.

This is great for a lot of things because it gives a lot of scope for writing customized policies.

If you take the script above for example:

This first class statement tells us which Registry Hive we're going to alter, you get the choice of HKEY_LOCAL_MACHINE with Class Machine or HKEY_CURRENT_USER with the Class User.

CLASS MACHINE

Then this bit says where you want it to appear inside the Group Policy itself. It'll always be under Administrative Templates, but you get choices after that.

For USB Settings System seemed like a nice logical place:

CATEGORY "System"

Then to keep it separate from the rest we may as well add a USB Services folder to put it into:

CATEGORY "USB Services"

Next comes the Policy itself, this is the bit where we tell it what we want it to do.

First of course we have a name, something descriptive is always good, and we want to set USB to Read Only. So that works for a Policy Name:

POLICY "Load USB Storage as Read Only"
               
Now we have the Policy Name we need to say where the Registry Key we're changing actually is. We already told it the HKEY_Local_Machine part, but it needs the rest:

KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"

These next few bits are basically fluff. Things to make it look pretty or keep it well explained. Unfortunately not all versions of GPEdit support it, so we only run it if the version is correct:

#if version >= 4
    SUPPORTED !!SUPPORTED_Windows2000
#endif
         
#if version >= 3
    EXPLAIN !!WriteProtectCfg_Help
#endif              

Those !! things in there just tell it to get whatever is written there from the [Strings] Section. Just to prevent it all becoming too long.

Now the really important bit. The Registry Value Name we want to change, and what we want to change it to:

VALUENAME "WriteProtect"

ValueOn and ValueOff are what happens when the Policy is Enabled or Disabled:

VALUEOFF NUMERIC 0
VALUEON NUMERIC 1

For that setting it said to make it write protected it should be set to 1, I assumed that 0 would remove the configuration and allow you to use it all again, so I set Policy Disabled to 0.

Then you need to tell it you've finished the Policy with:

END POLICY

And that you've finished writing to the folders in GP Edit (one for USB Services and one for System):

END CATEGORY
END CATEGORY

This is the Strings bit, just used in the Policy above, but down here so it doesn't look too messy.

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

WriteProtectCfg_Help="Setting this policy to Enabled forces USB Devices to load in Write Protected (Read Only) mode.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state. To restore the original value reverse the policy."

And that's it really. You can make them a lot more complicated with drag down boxes and lots of extra options. But for things like this it's best to keep it all simple.

We've been running XP SP2 on the IT Department at work.

It works, but you may get some application compatibility problems. You will also have another 700 odd policies to check out. A new firewall to deal with and all kinds of other bits.

So, no big problems (for me) but apply with care, and make sure you have a copy of everything you need off your machine.

I don't think making the USB Device read only will work with anything other than SP2. I can post an updated ADM file that changes the Supported Text to make that clear if you like ;)
I am gonna get back with you in a little while..I have to do something else.
Thanks
ASKER CERTIFIED SOLUTION
Chris Dent
Hi Chris, I am back and it looks like your approach is working after I tried it on my machine. Do you know how I can deploy it for al users through Group policy?

Just apply the policy to an OU with the computers you'd like it to affect.

Problem is that one will only work for Windows XP Service Pack 2. It won't have any effect on anything else.
Actually my machine doesn't have WXP SP2, but the policy affected it. I mean it worked good.

well for the OU that is going to be affected with the USB settings, how does it work?
I know how to set a policy for the OU.
I just want to know how to import the existing mmc console that has the setting about USB, instead of editing a new policy for the OU.

Ahh that's good news.

Not sure about moving your current Policy to a more global one.

Personally I'd recommend the Group Policy Management Console:

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

This gives you a really easy way to see where and what your policies affect. The Organizational Unit you apply it to should contain the Computer Accounts for the people you want it to affect.

Simply create a new policy linked to the right OU, import the ADM File again (don't forget to turn off the "Only display fully managed policies" filter), set the policy and you're all set.

Ahh sorry.. missed the last bit. Not sure about how to save your existing Policy so you can attach it to an OU.

It would only take a few moments to make a new policy with the same settings.
I will be gone in a moment , talk to you later.
thanks
Well Chris, I created an OU on the server named USB Restriction and moved 02 computers into it, followed all the steps, then rebooted the server as well as the 02 computers and tested the policy by plugging a USB removable drive into the 02 computers, and it worked just perfectly. And, me being curious, I went to Device Manager and found yellow exclamation marks on the left side where it says USB Root Hub, but not on the left side where it says Standard Universal PCI to USB Host Controller.
What do you think that means?

The registry makes a change to how the driver works, we got those when we set Hubs and Storage to disabled, did you apply the policy from the other thread as well?

It could be this change also alters the driver state, so probably not much to worry about.

Just remember that with these policies you'll have to set it to Disabled before setting it to Not Configured again to restore the original settings.
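As an added example (not code from the thread, and not NetoMeter's or Chris Dent's), the following PowerShell script does on a single machine what the exported .reg file plus logon script in the first answer and the ADM template above do through Group Policy, and it lets you verify the result and clean up the value that a "not fully managed" policy leaves behind. It assumes an elevated PowerShell session on the machine being checked; the key and value names are the ones quoted in the thread, while the function names are made up here.

```powershell
# Added example, not part of the original thread. Assumes an elevated session.
# Key and value names are the ones quoted in the thread (StorageDevicePolicies / WriteProtect).
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtectState {
    # Report what the registry actually contains, so the machine can be compared
    # against what the GPO is expected to have set.
    $value = $null
    if (Test-Path $KeyPath) {
        $item = Get-ItemProperty -Path $KeyPath -Name 'WriteProtect' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.WriteProtect }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KeyExists    = (Test-Path $KeyPath)
        WriteProtect = $value        # $null when the value is absent
        ReadOnly     = ($value -eq 1)
    }
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # Equivalent of the template's VALUEON (1) / VALUEOFF (0) lines.
    # As noted in the thread, a reboot is needed after creating the key.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'WriteProtect' -PropertyType DWord -Value $Value -Force | Out-Null
}

function Remove-UsbWriteProtect {
    # The template is not fully managed: switching the GPO to Not Configured
    # leaves the last written value in place. Deleting the value is the explicit
    # clean-up once the policy has been set to Disabled (0) and no longer applies.
    if (Test-Path $KeyPath) {
        Remove-ItemProperty -Path $KeyPath -Name 'WriteProtect' -ErrorAction SilentlyContinue
    }
}

# Usage: print the current state. Run from a startup script, or against several
# machines with Invoke-Command, to compare the fleet against the intended policy.
Get-UsbWriteProtectState | Format-List
```

Get-UsbWriteProtectState returns an object rather than printing text so that the output of many machines can be collected and filtered (for example, listing every machine where ReadOnly is false). Set-UsbWriteProtect only accepts 0 or 1, matching the two states the ADM template can produce.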
what do you mean by other thread?

I am just wondering if there is any other USB Device that could be plugged in and could be used and not affected with this policy.

As of my understanding this policy will be good for USB storage devices and Hubs (I don't know what type of hubs, USB maybe if there is any).
well, it looks like it affects also USB Mouse and USB Print device.
By the way what language is that code written with?

Does it have a bad effect on the other devices?

The code is a type only used for writing Group Policy templates. I never used it before learning it for writing those.