How to use Group Policy to turn off Autorun and Autoplay on PCs

We are running Active Directory on Windows Server 2003.  I would like to use Group Policy to turn off AutoRun and AutoPlay on our computers.  The policy would be applied to an Organizational Unit containing user accounts.  

In a Group Policy, I have tried going to Computer Configuration\Administrative Templates\System and setting the value for "Turn off Autoplay" to Enabled for all drives.  This did not seem to keep Autoplay from working, and it did not stop Autorun from running Setup.exe on a CD inserted into the CD-ROM.

I have a couple of registry edits that will do what I want, but I'm not sure how to use Group Policy to edit the registry.  We want to use Group Policy so that if someone changes the registry to enable Autorun, it will be turned off again the next time they log on.

Any help would be appreciated.  Thanks!
I forgot to mention that most of our PCs are running Windows XP.
These are the two registry changes I would like to make, unless there is another way to use Group Policy to accomplish the same thing:
1.  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
Add new String Value: Autorun.inf, value = @SYS:DoesNotExist
2.  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
Set value of AutoRun to 0.

Asked by: SerendipityToo
 
KCTS Commented:
The Computer Configuration\Administrative Templates\System Turn off Autoplay option is in COMPUTER CONFIGURATION - not user configuration - so only applies to COMPUTERS in the OU to which it is linked - not to USERS.
For registry - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22997398.html
 
SerendipityToo (Author) Commented:
KCTS, thank you very much!  You explained why my attempt at using Group Policy didn't work on the computer.  Our computers are not in the OUs with the users.  I will take a look at all the information in your link and try it out tomorrow.  I will let you know how it works out tomorrow!
 
Donald Stewart (Network Administrator) Commented:
Here's a great ADM template you can use that covers all possible drives

http://www.edugeek.net/forums/windows/25714-advanced-autorun-autoplay-settings-adm-file.html

; Advanced Autorun settings (AdvancedAutorun.adm)
; See http://support.microsoft.com/kb/953252 for details
 
CLASS MACHINE
 
CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
 
		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART
		PART !!Autorun_Text1	TEXT
		END PART
		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY
 
CLASS USER
 
CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
 
		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART
		PART !!Autorun_Text1	TEXT
		END PART
		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY
 
[strings]
AdvancedAutorun="Advanced Autorun Settings"
Autorun_Box="Turn off Autoplay on:"
Autorun_Default="No drives (XP/Vista default)"
Autorun_NoRemovable="Removable drives"
Autorun_NoFixed="Fixed drives"
Autorun_NoRemovableFixed="Removable, Fixed drives"
Autorun_NoCD="CD-ROM drives"
Autorun_NoRemovableCD="CD-ROM, Removable drives"
Autorun_NoFixedCD="CD-ROM, Fixed drives"
Autorun_None="All drives (including RAM drives)"
AutorunAdvanced="Turn off Autoplay (advanced)"
Autorun_Text1="Windows XP and Vista disable Network and Unknown drives by default"
Autorun_Text2="Windows 2000 and Server 2K3 also disable Removable drives by default"

 
SerendipityToo (Author) Commented:
KCTS:  I tried Pete Long's solution from your link, adding the registry settings I want to the Group Policy from the local registry, but when I logged on to a computer nothing changed in the registry.  Both the computer and the user account I used were in the OU that had my Group Policy linked.  I don't know what I did wrong.  I spent a lot of time trying to get PolicyMaker, but Microsoft has made it pretty impossible to download it anymore.

dstewartjr:  I added your administrative template to the Administrative Templates in my test Group Policy.   Again, nothing happened when I logged onto my test computer to test it out.  The policy should have been applied to both the computer and the user account.  This template did work for me when I added it directly to a local group policy on a computer that had the admin tools installed, though, but that isn't what I need.

What did work, partially, was to add a logon script in the User Configuration part of a group policy, using a batch file containing the registry edits that dstewartjr's file creates for the Windows Explorer policy.  I also included a registry edit that blocks the autorun.inf file from being accessed, but that didn't get added to the registry because I was using the Current User, not the Local Machine.  

I would prefer not to use a logon script.  I liked the idea of adding the registry edits through the Windows Security, Registry part of the group policy.  Would like to get that working.

I'm sorry if I'm missing something in your instructions.  I don't have experience with scripting or Group Policy.
 
SerendipityToo (Author) Commented:
Well, I finally did some proper testing, and dstewartjr's administrative template file is working for me now.  I created an OU in Active Directory just for test workstations, and moved my test computer account into it.  I applied my group policy that uses the template to the test workstation OU.  It looks like dstewart's template increases the security gained by just turning off AutoPlay from the standard system administrative template.  Thank you!

I also want to give points to KCTS, for steering me in the right direction about Local_User vs. Local_Machine registry edits in a group policy.  The link in KCTS' comment gave me information on how to push out a registry edit using Group Policy without using a template or a script.  I still have not been able to successfully push out a registry edit that I want to use in addition to the template, one that nullifies the autorun.inf file.  It looks good on the policy configuration screen, but the registry key doesn't change when I log onto the test workstation.  I'm not familiar with how to turn a .reg file into a .adm file, or I would add it to the administrative template that is working so well.

Anyway, I want to thank both KCTS and dstewartjr very much for your assistance.  You were very informative and saved me a lot of time!
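
To confirm on a workstation that the settings discussed in this thread actually arrived, the following added example (not code from any of the posts) reads the three registry locations mentioned above and decodes the NoDriveTypeAutorun bitmask used by the template. It assumes Windows PowerShell is available on the PC being checked; `Get-RegValue` and `Get-AutorunDisabledTypes` are hypothetical helper names, and the subkey form of the Autorun.inf mapping is an assumption that does not come from this page.

```powershell
# Added example: audit the Autorun settings discussed in this thread on one PC.
# NoDriveTypeAutoRun is a bitmask: a set bit turns Autorun off for that drive type.
$DriveTypeBits = @(
    @{ Mask = 0x01; Name = 'Unknown' },
    @{ Mask = 0x04; Name = 'Removable' },
    @{ Mask = 0x08; Name = 'Fixed' },
    @{ Mask = 0x10; Name = 'Network' },
    @{ Mask = 0x20; Name = 'CD-ROM' },
    @{ Mask = 0x40; Name = 'RAM disk' },
    @{ Mask = 0x80; Name = 'Unknown (reserved)' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing; '' reads the key's default value.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Get-AutorunDisabledTypes([int]$Mask) {
    $DriveTypeBits | Where-Object { $Mask -band $_.Mask } | ForEach-Object { $_.Name }
}

$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hklm = Get-RegValue "HKLM:\$policy" 'NoDriveTypeAutoRun'   # CLASS MACHINE part of the template
$hkcu = Get-RegValue "HKCU:\$policy" 'NoDriveTypeAutoRun'   # CLASS USER part (current user only)
# The computer setting takes precedence over the user setting when both are present.
$effective = if ($null -ne $hklm) { $hklm } else { $hkcu }

if ($null -eq $effective) {
    'NoDriveTypeAutoRun: not set by policy (OS default applies)'
} else {
    if ($effective -is [byte[]]) { $effective = $effective[0] }   # older REG_BINARY storage
    $mask  = [int]$effective
    $types = Get-AutorunDisabledTypes $mask
    'NoDriveTypeAutoRun: 0x{0:X2}, Autorun off for: {1}' -f $mask, ($types -join ', ')
    'All drive types covered (0xFF): {0}' -f (($mask -band 0xFF) -eq 0xFF)
}

# Autorun.inf mapping: checked as written in the question (string value) and as a
# subkey whose default value holds the mapping (assumed alternative form).
$ifm      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping'
$asValue  = Get-RegValue $ifm 'Autorun.inf'
$asSubkey = Get-RegValue "$ifm\Autorun.inf" ''
'Autorun.inf mapped to @SYS:DoesNotExist: {0}' -f (($asValue, $asSubkey) -contains '@SYS:DoesNotExist')

# CD-ROM driver setting from the question; 0 is the value the question wants.
$cd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom' 'AutoRun'
'Cdrom AutoRun: {0}' -f $(if ($null -eq $cd) { 'not set' } else { $cd })
```

Run it as the test user after a policy refresh; a missing HKLM value while the computer account sits outside the linked OU matches the situation KCTS described.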