Solved

Group Policy Object

Posted on 2004-10-22
224 Views
Last Modified: 2012-05-05
Hello expert,

I am trying to figure out how to disable CD ROM and other devices in the device manager. I see options on printer but I don't see any other devices in the GPO that I've set up.

Need your help
0
Question by:Phipps-IT
    22 Comments
     
    LVL 3

    Expert Comment

    by:_Jochen_
    Launch AD Users and Computers, create a new container (OU) to place the users in on which you want this policy to be applied.
    Right click the container and select properties.
    Go to the Group Policy Tab and click on New.
    Name this policy anything you want. Click on Edit to change the Group Policy settings.

    Go to User Configuration, Administrative Templates, Windows Components, Windows Explorer.
    Look up the following policies and alter them to suit your needs.
    - Hide these specified drives in My Computer
    - Prevent access to drives from My Computer

    This way you can prevent users access to drives you specified in this policy.
    0
     

    Author Comment

    by:Phipps-IT
    I actually need to disable the devices and not to hide them. For example the USB Controller in the device manager is by default enabled. Does GPO have the capability to disable it?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent
    You can add some policies to handle USB.

    The ADM at the bottom can be used to add controls for USB Hubs and USB Storage Devices. To get it to work, save it to USBService.adm (ignoring the start and end lines). Then select Administrative Templates under Computer Configuration and import the ADM.

    To get them to appear Right Click on Administrative Templates again and go to Filtering, and remove the tick from:

    Only show policy settings that can be fully managed

    Then you should be able to see it under:

    Computer Configuration
    Administrative Templates
    System
    USB Services

    -----------------------------------------------Start-----------------------------------------------

    CLASS MACHINE

    CATEGORY "System"
         CATEGORY "USB Services"
              POLICY "Disable Access to USB Storage Devices"
                   
                   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                   #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                   #endif
             
                   #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                   #endif              

                   VALUENAME "Start"
                   VALUEOFF NUMERIC 3
                   VALUEON NUMERIC 4
              END POLICY

              POLICY "Disable Access to USB Hub Services"

                   KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
                   #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                   #endif

                   #if version >= 3
                        EXPLAIN !!USBHUBCFG_Help
                   #endif
         
                   VALUENAME "Start"
                   VALUEOFF NUMERIC 3
                   VALUEON NUMERIC 4
              END POLICY
         END CATEGORY
    END CATEGORY

    [Strings]

    SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

    USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

    USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

    -----------------------------------------------End-----------------------------------------------
    0
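A way to check on a client whether the two policies in the template above have actually taken effect, as an added example that is not part of the original post. The key paths and the 3/4 `Start` values are taken from the ADM; the function name `Get-UsbPolicyState` is hypothetical, and PowerShell is assumed to be available on the machine being checked.

```powershell
# Added example: report the service Start values that the ADM template writes.
# 4 = disabled (VALUEON in the template), 3 = manual start (VALUEOFF in the template).
function Get-UsbPolicyState {
    param(
        # Service key names as used in the template's KEYNAME lines.
        [string[]]$ServiceName = @('USBSTOR', 'USBHUB')
    )

    foreach ($name in $ServiceName) {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = $null

        if (Test-Path -LiteralPath $path) {
            $prop = Get-ItemProperty -LiteralPath $path -Name Start -ErrorAction SilentlyContinue
            if ($prop) { $start = $prop.Start }
        }

        if ($null -eq $start) {
            $state = 'Key or Start value not present'
        }
        elseif ($start -eq 4) {
            $state = 'Disabled (matches policy Enabled)'
        }
        elseif ($start -eq 3) {
            $state = 'Manual start (driver can load)'
        }
        else {
            $state = "Other start type, not written by this template"
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Service  = $name
            Start    = $start
            State    = $state
        }
    }
}

Get-UsbPolicyState | Format-Table -AutoSize
```

Because the template's own help text says the setting is not fully managed, a value of 4 can remain after the policy is set back to Not Configured, so compare this output with the GPO's current state rather than assuming the two agree.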
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Drives are much much more difficult. I'm not sure how to achieve what you'd like to.

    There was a bit of a discussion on them in this thread:

    http://www.experts-exchange.com/Security/Win_Security/Q_21175235.html

    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    In the end though, if you can find a way to control what you want in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER then it can be added to Group Policy.
    0
     

    Author Comment

    by:Phipps-IT
    Where is USBService.adm and Administrative Templates under Computer Configuration, are they in the GPO?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    No, you make USB Services by copying the bit I posted above (between Start and End) into a file, you can call it whatever you want really, but USBServices.adm is a pretty logical one.

    Then, right clicking on Administrative Templates and adding one will allow you to display and set those policies (remembering the part about displaying only managed policies).

    There's a lot of scope for writing customized Policies, but you need the registry values you want to change.
    0
     
    LVL 3

    Expert Comment

    by:_Jochen_
    OK, I think you cannot do this with GPOs. (Reference article: http://support.microsoft.com/default.aspx?scid=kb;en-us;231289)
    As far as I know there are several third-party tools which can disable USB and mass storage devices on a computer.
    jo
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Computer configuration is however in the GPO itself.
    0
     
    LVL 11

    Expert Comment

    by:WeHe
    If 3rd party software is a possibility for you, look here: http://www.ubm-europe.com/products/centertools/drivelock/drivelock_v3.htm
    0
     

    Author Comment

    by:Phipps-IT
    Well, I followed your instructions. I see the USB under the system. Are you sure this is not going to work?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent
    If you did:

    To get them to appear Right Click on Administrative Templates again and go to Filtering, and remove the tick from:

    Only show policy settings that can be fully managed

    They should be there, they definitely work, lots of testing for those.

    There's another option discovered by Chuckbuchan which allows you to make USB Storage Read only. This is the related question, which has a slightly different ADM to use - same overall principle though:

    http://www.experts-exchange.com/Networking/Q_21177813.html

    0
     

    Author Comment

    by:Phipps-IT
    When I right click on Administrative Templates, I don't see the Filtering in the menu???
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Ahh try View (from the menu bar) then Filtering... - again with the Administrative Templates folder selected.

    It should let you through that way around.
    0
     

    Author Comment

    by:Phipps-IT
    I have the Administrative Templates selected and the view menu contains only Show Policies Only, Show Configured Policies Only and customize??
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Which version of Windows are you running on? I assumed Windows XP?

    Mainly for the version of the GPEdit.msc snap in.
    0
     

    Author Comment

    by:Phipps-IT
    2000 Server
    0
     

    Author Comment

    by:Phipps-IT
    Ok,

    I am able to view the options now: Disable access to USB storage devices and Disable access to USB hub services.

    Could this be done for all other services and drives?
    0
     
    LVL 70

    Expert Comment

    by:Chris Dent

    Not sure, depends where the service is controlled, Group Policy can only control items set in HKEY_Local_Machine and HKEY_Current_User.

    Disabling access to drives was always a bit of a tricky one; while not the CD-ROM specifically, applications and services still need access to the hard disk.

    I know new bits are always being added (more specific policy functions rather than changing how services run) but I'm not sure it'll achieve all you want.
    0
     

    Author Comment

    by:Phipps-IT
    Thank you
    0
     

    Author Comment

    by:Phipps-IT
    If I find the location of the CD ROM in the registry, can I use the USB code and create another template?
    0
     
    LVL 70

    Accepted Solution

    by:

    In essence yes. There's a mini-guide to scripting ADM files here:

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q225087

    And the full guide here:

    http://download.microsoft.com/download/1/7/2/1725520f-1228-4dff-9c5d-594042475844/regpolicy.doc

    Have fun ;)
    0
