Group Policy Object

Hello expert,

I am trying to figure out how to disable CD ROM and other devices in the device manager. I see options on printer but I don't see any other devices in the GPO that I've set up.

Need your help
Phipps-IT Asked:
 
Chris Dent (PowerShell Developer) Commented:

In essence yes. There's a mini-guide to scripting ADM files here:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q225087

And the full guide here:

http://download.microsoft.com/download/1/7/2/1725520f-1228-4dff-9c5d-594042475844/regpolicy.doc

Have fun ;)
0
 
_Jochen_ Commented:
Launch AD Users and Computers, create a new container (OU) to place the users in on which you want this policy to be applied.
Right click the container and select properties.
Go to the Group Policy Tab and click on New.
Name this policy anything you want. Click on Edit to change the Group Policy settings.

Go to User Configuration, Administrative Templates, Windows Components, Windows Explorer.
Look up the following policies and alter them to suit your needs.
- Hide these specified drives in My Computer
- Prevent access to drives from My Computer

This way you can prevent users from accessing the drives you specified in this policy.
0
 
Phipps-IT (Author) Commented:
I actually need to disable the devices and not to hide them. For example the USB Controller in the device manager is by default enabled. Does GPO have the capability to disable it?
0
 
Chris Dent (PowerShell Developer) Commented:
You can add some policies to handle USB.

The ADM at the bottom can be used to add controls for USB Hubs and USB Storage Devices. To get it to work, save it to USBService.adm (ignoring the start and end lines). Then select Administrative Templates under Computer Configuration and import the ADM.

To get them to appear Right Click on Administrative Templates again and go to Filtering, and remove the tick from:

Only show policy settings that can be fully managed

Then you should be able to see it under:

Computer Configuration
Administrative Templates
System
USB Services

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------
0
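Added example (not part of the thread and not Chris Dent's code): a small Python parser that lists the registry writes an ADM template would make before it is imported, and flags settings whose key lies outside the Policies keys, which is why the template above only shows up once the "fully managed" filter is cleared. The function name and the trimmed sample are constructed for illustration; it handles only the ADM keywords used in the posted template and treats a category-level KEYNAME as applying to every later policy.

```python
import re

# Constructed sample: the first policy from the ADM posted above, trimmed.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY
'''

# Group Policy removes values under these key prefixes when a setting stops
# applying; values written anywhere else stay behind ("not fully managed").
MANAGED_PREFIXES = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

def parse_adm(text):
    """Return one dict per POLICY block: name, hive, key, value name, on/off data."""
    policies, current, hive, category_key = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'CLASS\s+(MACHINE|USER)\b', line, re.I):
            hive = "HKLM" if m.group(1).upper() == "MACHINE" else "HKCU"
        elif m := re.match(r'POLICY\s+"?([^"]+)"?', line, re.I):
            current = {"name": m.group(1), "hive": hive, "key": category_key}
        elif m := re.match(r'KEYNAME\s+"?([^"]+)"?', line, re.I):
            if current is None:
                category_key = m.group(1)   # KEYNAME set at CATEGORY level
            else:
                current["key"] = m.group(1)
        elif current and (m := re.match(r'VALUENAME\s+"?([^"]+)"?', line, re.I)):
            current["value"] = m.group(1)
        elif current and (m := re.match(r'VALUE(ON|OFF)\s+NUMERIC\s+(\d+)', line, re.I)):
            current[m.group(1).lower()] = int(m.group(2))
        elif current and re.match(r'END\s+POLICY\b', line, re.I):
            key = (current["key"] or "").lower() + "\\"
            current["fully_managed"] = key.startswith(MANAGED_PREFIXES)
            policies.append(current)
            current = None
    return policies

if __name__ == "__main__":
    for p in parse_adm(SAMPLE_ADM):
        print(p)
```

A policy reported with `fully_managed` set to False leaves its registry value in place when the GPO is later unlinked or set to Not Configured, matching the note in the template's help strings.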
 
Chris Dent (PowerShell Developer) Commented:

Drives are much much more difficult. I'm not sure how to achieve what you'd like to.

There was a bit of a discussion on them in this thread:

http://www.experts-exchange.com/Security/Win_Security/Q_21175235.html

0
 
Chris Dent (PowerShell Developer) Commented:

In the end though, if you can find a way to control what you want in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER then it can be added to Group Policy.
0
 
Phipps-IT (Author) Commented:
Where is USBService.adm and Administrative Templates under Computer Configuration, are they in the GPO?
0
 
Chris Dent (PowerShell Developer) Commented:

No, you make USB Services by copying the bit I posted above (between Start and End) into a file, you can call it whatever you want really, but USBServices.adm is a pretty logical one.

Then, right clicking on Administrative Templates and adding one will allow you to display and set those policies (remembering the part about displaying only managed policies).

There's a lot of scope for writing customized Policies, but you need the registry values you want to change.
0
 
_Jochen_ Commented:
OK, I think you cannot do this with GPOs. (Reference article: http://support.microsoft.com/default.aspx?scid=kb;en-us;231289)
As far as I know, there are several third-party tools which can disable USB and mass storage devices on a computer.
jo
0
 
Chris Dent (PowerShell Developer) Commented:

Computer configuration is however in the GPO itself.
0
 
WeHe Commented:
If 3rd party software is a possibility for you, look here: http://www.ubm-europe.com/products/centertools/drivelock/drivelock_v3.htm
0
 
Phipps-IT (Author) Commented:
Well, I followed your instructions. I see the USB under the system. Are you sure this is not going to work?
0
 
Chris Dent (PowerShell Developer) Commented:
If you did:

To get them to appear Right Click on Administrative Templates again and go to Filtering, and remove the tick from:

Only show policy settings that can be fully managed

They should be there, they definitely work, lots of testing for those.

There's another option discovered by Chuckbuchan which allows you to make USB Storage Read only. This is the related question, which has a slightly different ADM to use - same overall principle though:

http://www.experts-exchange.com/Networking/Q_21177813.html

0
 
Phipps-IT (Author) Commented:
When I right click on Administrative Templates, I don't see the Filtering in the menu???
0
 
Chris Dent (PowerShell Developer) Commented:

Ahh try View (from the menu bar) then Filtering... - again with the Administrative Templates folder selected.

It should let you through that way around.
0
 
Phipps-IT (Author) Commented:
I have the Administrative Templates selected and the view menu contains only Show Policies Only, Show Configured Policies Only and customize??
0
 
Chris Dent (PowerShell Developer) Commented:

Which version of Windows are you running on? I assumed Windows XP?

Mainly for the version of the GPEdit.msc snap in.
0
 
Phipps-IT (Author) Commented:
2000 Server
0
 
Phipps-IT (Author) Commented:
OK,

I am able to view the options now: Disable Access to USB Storage Devices and Disable Access to USB Hub Services.

Could this be done for all other services and drives?
0
 
Chris Dent (PowerShell Developer) Commented:

Not sure, it depends where the service is controlled. Group Policy can only control items set in HKEY_Local_Machine and HKEY_Current_User.

Disabling access to drives was always a bit of a tricky one; while not the CD-ROM specifically, applications and services still need access to the hard disk.

I know new bits are always being added (more specific policy functions rather than changing how services run) but I'm not sure it'll achieve all you want.
0
 
Phipps-IT (Author) Commented:
Thank you
0
 
Phipps-IT (Author) Commented:
If I find the location of the CD ROM in the registry, can I use the USB code and create another template?
0
Question has a verified solution.
