Solved

How to use Group Policy to turn off Autorun and Autoplay on PCs

Posted on 2009-04-01
5
1,931 Views
Last Modified: 2013-11-25
We are running Active Directory on Windows Server 2003.  I would like to use Group Policy to turn off AutoRun and AutoPlay on our computers.  The policy would be applied to an Organizational Unit containing user accounts.  

In a Group Policy, I have tried going to Computer Configuration\Administrative Templates\System and setting the value for "Turn off Autoplay" to Enabled for all drives.  This did not seem to keep Autoplay from working, and it did not stop Autorun from running Setup.exe on a CD inserted into the CD-ROM.

I have a couple of registry edits that will do what I want, but I'm not sure how to use Group Policy to edit the registry.  We want to use Group Policy so that if someone changes the registry to enable Autorun, it will be turned off again the next time they log on.

Any help would be appreciated.  Thanks!
I forgot to mention that most of our PCs are running Windows XP.

These are the two registry changes I would like to make, unless there is another way to use Group Policy to accomplish the same thing:

1.  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping

Add new String Value: Autorun.inf, value = @SYS:DoesNotExist

2.  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom

Set value of AutoRun to 0.


Question by:SerendipityToo
5 Comments
LVL 70

Assisted Solution

by:KCTS
KCTS earned 200 total points
ID: 24045690
The Computer Configuration\Administrative Templates\System Turn off Autoplay option is in COMPUTER CONFIGURATION - not user configuration - so only applies to COMPUTERS in the OU to which it is linked - not to USERS.
For registry - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22997398.html

Author Comment

by:SerendipityToo
ID: 24045844
KCTS, thank you very much!  You explained why my attempt at using Group Policy didn't work on the computer.  Our computers are not in the OUs with the users.  I will take a look at all the information in your link and try it out tomorrow.  I will let you know how it works out tomorrow!
LVL 47

Accepted Solution

by:Donald Stewart
Donald Stewart earned 300 total points
ID: 24046691
Here's a great ADM template you can use that covers all possible drives

http://www.edugeek.net/forums/windows/25714-advanced-autorun-autoplay-settings-adm-file.html

; Advanced Autorun settings (AdvancedAutorun.adm)
; See http://support.microsoft.com/kb/953252 for details

CLASS MACHINE

CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART

		PART !!Autorun_Text1	TEXT
		END PART

		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY

CLASS USER

CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART

		PART !!Autorun_Text1	TEXT
		END PART

		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY

[strings]
AdvancedAutorun="Advanced Autorun Settings"
Autorun_Box="Turn off Autoplay on:"
Autorun_Default="No drives (XP/Vista default)"
Autorun_NoRemovable="Removable drives"
Autorun_NoFixed="Fixed drives"
Autorun_NoRemovableFixed="Removable, Fixed drives"
Autorun_NoCD="CD-ROM drives"
Autorun_NoRemovableCD="CD-ROM, Removable drives"
Autorun_NoFixedCD="CD-ROM, Fixed drives"
Autorun_None="All drives (including RAM drives)"
AutorunAdvanced="Turn off Autoplay (advanced)"
Autorun_Text1="Windows XP and Vista disable Network and Unknown drives by default"
Autorun_Text2="Windows 2000 and Server 2K3 also disable Removable drives by default"


Author Comment

by:SerendipityToo
ID: 24056675
KCTS:  I tried Pete Long's solution from your link, adding the registry settings I want to the Group Policy from the local registry, but when I logged on to a computer nothing changed in the registry.  Both the computer and the user account I used were in the OU that had my Group Policy linked.  I don't know what I did wrong.  I spent a lot of time trying to get PolicyMaker, but Microsoft has made it pretty impossible to download it anymore.

dstewartjr:  I added your administrative template to the Administrative Templates in my test Group Policy.   Again, nothing happened when I logged onto my test computer to test it out.  The policy should have been applied to both the computer and the user account.  This template did work for me when I added it directly to a local group policy on a computer that had the admin tools installed, though, but that isn't what I need.

What did work, partially, was to add a logon script in the User Configuration part of a group policy, using a batch file containing the registry edits that dstewartjr's file creates for the Windows Explorer policy.  I also included a registry edit that blocks the autorun.inf file from being accessed, but that didn't get added to the registry because I was using the Current User, not the Local Machine.  

I would prefer not to use a logon script.  I liked the idea of adding the registry edits through the Windows Security, Registry part of the group policy.  Would like to get that working.

I'm sorry if I'm missing something in your instructions.  I don't have experience with scripting or Group Policy.

Author Comment

by:SerendipityToo
ID: 24083025
Well, I finally did some proper testing, and dstewartjr's administrative template file is working for me now.  I created an OU in Active Directory just for test workstations, and moved my test computer account into it.  I applied my group policy that uses the template to the test workstation OU.  It looks like dstewart's template increases the security gained by just turning off AutoPlay from the standard system administrative template.  Thank you!

I also want to give points to KCTS, for steering me in the right direction about Local_User vs. Local_Machine registry edits in a group policy.  The link in KCTS' comment gave me information on how to push out a registry edit using Group Policy without using a template or a script.  I still have not been able to successfully push out a registry edit that I want to use in addition to the template, one that nullifies the autorun.inf file.  It looks good on the policy configuration screen, but the registry key doesn't change when I log onto the test workstation.  I'm not familiar with how to turn a .reg file into a .adm file, or I would add it to the administrative template that is working so well.

Anyway, I want to thank both KCTS and dstewartjr very much for your assistance.  You were very informative and saved me a lot of time!
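The thread ends with the template working but the questioner unsure whether the two extra registry edits from the question (the IniFileMapping entry for Autorun.inf and the Cdrom service's AutoRun value) ever reached the test workstation. The following is an added example, not code from the thread, from the ADM's author or from Microsoft: a read-only PowerShell audit that decodes NoDriveTypeAutoRun with the same bit layout the ADM's values 0x91, 0x95, 0x99, 0xB1 and 0xFF imply (one bit per drive type, set bit = Autorun disabled) and checks all three controls on the machine it runs on. The function names and the drive-type labels are this example's own; the registry paths and value names are the ones quoted in the thread.

```powershell
# Added example (not part of the thread): read-only audit of the Autorun/Autoplay
# controls discussed above. Run it on the workstation after a gpupdate to see what
# actually landed in the registry. Nothing here modifies the registry.

# Assumed bit layout of NoDriveTypeAutoRun (one bit per drive type; a set bit
# disables Autorun/Autoplay for that type). It reproduces the ADM's values:
# 0x91 = Unknown+Network+Reserved, 0x95 adds Removable, 0xB1 adds CD-ROM, 0xFF = all.
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown'
    0x02 = 'NoRootDir'
    0x04 = 'Removable'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Unknown (reserved)'
}

function ConvertFrom-NoDriveTypeAutoRun {
    # Returns the names of the drive types that $Mask disables.
    param([Parameter(Mandatory = $true)][int]$Mask)
    foreach ($bit in $DriveTypeBits.Keys) {
        if (($Mask -band $bit) -ne 0) { $DriveTypeBits[$bit] }
    }
}

function Get-RegistryValueOrNull {
    # Returns the value's data, or $null when the key or the value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-AutorunHardening {
    $report = @()

    # 1. NoDriveTypeAutoRun in both hives: the ADM template writes the machine
    #    value through CLASS MACHINE and the per-user value through CLASS USER.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $mask = Get-RegistryValueOrNull -Path $path -Name 'NoDriveTypeAutoRun'
        $report += [pscustomobject]@{
            Check  = "$hive NoDriveTypeAutoRun"
            Value  = if ($null -eq $mask) { '(not set)' } else { '0x{0:X2}' -f $mask }
            Detail = if ($null -eq $mask) { 'policy not applied' } else { (ConvertFrom-NoDriveTypeAutoRun $mask) -join ', ' }
            Pass   = ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)   # 0xFF = all drives
        }
    }

    # 2. The questioner's IniFileMapping edit: Autorun.inf lookups are redirected to
    #    a registry key that does not exist, so the file's contents are ignored.
    $iniPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping'
    $ini = Get-RegistryValueOrNull -Path $iniPath -Name 'Autorun.inf'
    $report += [pscustomobject]@{
        Check  = 'IniFileMapping Autorun.inf'
        Value  = if ($null -eq $ini) { '(not set)' } else { $ini }
        Detail = 'expected @SYS:DoesNotExist'
        Pass   = ($ini -eq '@SYS:DoesNotExist')
    }

    # 3. The questioner's Cdrom service edit (AutoRun = 0).
    $cdPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
    $cd = Get-RegistryValueOrNull -Path $cdPath -Name 'AutoRun'
    $report += [pscustomobject]@{
        Check  = 'Cdrom service AutoRun'
        Value  = if ($null -eq $cd) { '(not set)' } else { $cd }
        Detail = 'expected 0'
        Pass   = ($cd -eq 0)
    }

    return $report
}

Test-AutorunHardening | Format-Table -AutoSize
```

Two points the report makes visible. NoDriveTypeAutoRun lives under a Policies key, so it is a managed policy: Group Policy rewrites it on every refresh, which is exactly the "turned off again next time they log on" behaviour the question asks for. The IniFileMapping and Cdrom values sit outside the Policies keys; an ADM that writes there is treated as a preference (the Group Policy editor hides such settings behind its default "fully managed" filter) and the value tattoos the registry rather than being re-enforced. Note also that Computer Configuration\Windows Settings\Security Settings\Registry configures permissions and auditing on keys, not value data, which is why adding a key there does not by itself change any value.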