Solved

Group Policy Object

Posted on 2004-10-22
Last Modified: 2012-05-05
Hello expert,

I am trying to figure out how to disable CD ROM and other devices in the device manager. I see options on printer but I don't see any other devices in the GPO that I've set up.

Need your help
0
Comment
Question by:Phipps-IT
25 Comments
 
LVL 3

Expert Comment

by:_Jochen_
ID: 12384760
Launch AD Users and Computers, create a new container (OU) to place the users in on which you want this policy to be applied.
Right click the container and select properties.
Go to the Group Policy Tab and click on New.
Name this policy anything you want. Click on Edit to change the Group Policy settings.

Go to User Configuration, Administrative Templates, Windows Components, Windows Explorer.
Look up the following policies and alter them to suit your needs.
- Hide these specified drives in My Computer
- Prevent access to drives from My Computer

This way you can prevent user access to the drives you specified in this policy.
0
 

Author Comment

by:Phipps-IT
ID: 12384974
I actually need to disable the devices and not to hide them. For example the USB Controller in the device manager is by default enabled. Does GPO have the capability to disable it?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385009
You can add some policies to handle USB.

The ADM at the bottom can be used to add controls for USB Hubs and USB Storage Devices. To get it to work, save it to USBService.adm (ignoring the start and end lines). Then select Administrative Templates under Computer Configuration and import the ADM.

To get them to appear Right Click on Administrative Templates again and go to Filtering, and remove the tick from:

Only show policy settings that can be fully managed

Then you should be able to see it under:

Computer Configuration
Administrative Templates
System
USB Services

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------
0
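An added example, not part of the original posts: a small Python reviewer that lists the registry write each POLICY in a custom ADM makes and flags whether the key lies under the Policies subtrees that Group Policy fully manages. The template above writes under SYSTEM\CurrentControlSet\Services, which is why it only shows once the "fully managed" filter is unticked and why its help text warns that the value does not revert. The function name and the trimmed sample are assumptions made for the illustration.

```python
import re

# The only registry subtrees Group Policy cleans up when a GPO stops applying.
# Values written anywhere else persist ("tattoo") after the policy is removed.
MANAGED_PREFIXES = ("software\\policies\\",
                    "software\\microsoft\\windows\\currentversion\\policies\\")

# Constructed sample: first policy of the template above, version guards omitted.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY
'''

def parse_adm(text):
    """List the registry write each POLICY block makes (policy-level KEYNAME only)."""
    policies, cur, adm_class = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                   # blank line, comment, or #if/#endif guard
        word, _, arg = line.partition(" ")
        word, arg = word.upper(), arg.strip()
        if word == "CLASS":
            adm_class = arg.upper()    # MACHINE -> HKLM, USER -> HKCU
        elif word == "POLICY":
            cur = {"name": arg.strip('"'), "class": adm_class}
        elif cur is None:
            continue                   # CATEGORY lines and anything outside a policy
        elif word in ("KEYNAME", "VALUENAME"):
            cur["key" if word == "KEYNAME" else "value"] = arg.strip('"')
        elif word in ("VALUEON", "VALUEOFF"):
            m = re.fullmatch(r"NUMERIC\s+(\d+)", arg, re.I)
            cur[word.lower()] = int(m.group(1)) if m else arg.strip('"')
        elif word == "END" and arg.upper() == "POLICY":
            key = cur.get("key", "").lower().rstrip("\\") + "\\"
            cur["managed"] = key.startswith(MANAGED_PREFIXES)
            policies.append(cur)
            cur = None
    return policies
```

Calling `parse_adm(SAMPLE_ADM)` returns one entry whose `managed` field is false; any policy reported that way needs an explicit Disabled setting (writing VALUEOFF) to undo it, since unlinking the GPO leaves the value in place.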

 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385027

Drives are much much more difficult. I'm not sure how to achieve what you'd like to.

There was a bit of a discussion on them in this thread:

http://www.experts-exchange.com/Security/Win_Security/Q_21175235.html

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385034

In the end though, if you can find a way to control what you want in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER then it can be added to Group Policy.
0
 

Author Comment

by:Phipps-IT
ID: 12385044
Where is USBService.adm and Administrative Templates under Computer Configuration, are they in the GPO?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385062

No, you make USB Services by copying the bit I posted above (between Start and End) into a file, you can call it whatever you want really, but USBServices.adm is a pretty logical one.

Then, right clicking on Administrative Templates and adding one will allow you to display and set those policies (remembering the part about displaying only managed policies).

There's a lot of scope for writing customized Policies, but you need the registry values you want to change.
0
 
LVL 3

Expert Comment

by:_Jochen_
ID: 12385063
OK, I think you cannot do this with GPOs. (Reference article: http://support.microsoft.com/default.aspx?scid=kb;en-us;231289)
As far as I know, there are several third-party tools which can disable USB and mass storage devices on a computer.
jo
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12385067

Computer configuration is however in the GPO itself.
0
 
LVL 11

Expert Comment

by:WeHe
ID: 12385546
If 3rd party software is a possibility for you, look here: http://www.ubm-europe.com/products/centertools/drivelock/drivelock_v3.htm
0
 

Author Comment

by:Phipps-IT
ID: 12399729
Well, I followed your instructions. I see the USB under the system. Are you sure this is not going to work?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12400301
If you did:

To get them to appear Right Click on Administrative Templates again and go to Filtering, and remove the tick from:

Only show policy settings that can be fully managed

They should be there, they definitely work, lots of testing for those.

There's another option discovered by Chuckbuchan which allows you to make USB Storage Read only. This is the related question, which has a slightly different ADM to use - same overall principle though:

http://www.experts-exchange.com/Networking/Q_21177813.html

0
 

Author Comment

by:Phipps-IT
ID: 12400325
When I right click on Administrative Templates, I don't see the Filtering in the menu???
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12400914

Ahh try View (from the menu bar) then Filtering... - again with the Administrative Templates folder selected.

It should let you through that way around.
0
 

Author Comment

by:Phipps-IT
ID: 12401012
I have the Administrative Templates selected and the view menu contains only Show Policies Only, Show Configured Policies Only and customize??
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12401100

Which version of Windows are you running on? I assumed Windows XP?

Mainly for the version of the GPEdit.msc snap in.
0
 

Author Comment

by:Phipps-IT
ID: 12401119
2000 Server
0
 

Author Comment

by:Phipps-IT
ID: 12403438
Ok,

I am able to view two options now: Disable Access to USB Storage Devices and Disable Access to USB Hub Services.

Could this be done for all other services and drives?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12405100

Not sure, depends where the service is controlled, Group Policy can only control items set in HKEY_Local_Machine and HKEY_Current_User.

Disabling access to drives was always a bit of a tricky one; while not the CD-ROM specifically, applications and services still need access to the hard disk.

I know new bits are always being added (more specific policy functions rather than changing how services run) but I'm not sure it'll achieve all you want.
0
 

Author Comment

by:Phipps-IT
ID: 12410174
Thank you
0
 

Author Comment

by:Phipps-IT
ID: 12410794
If I find the location of the CD ROM in the registry, can I use the USB code and create another template?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1000 total points
ID: 12411726

In essence yes. There's a mini-guide to scripting ADM files here:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q225087

And the full guide here:

http://download.microsoft.com/download/1/7/2/1725520f-1228-4dff-9c5d-594042475844/regpolicy.doc

Have fun ;)
0
