Solved

How to use Group Policy to turn off Autorun and Autoplay on PCs

Posted on 2009-04-01
Last Modified: 2013-11-25
We are running Active Directory on Windows Server 2003.  I would like to use Group Policy to turn off AutoRun and AutoPlay on our computers.  The policy would be applied to an Organizational Unit containing user accounts.  

In a Group Policy, I have tried going to Computer Configuration\Administrative Templates\System and setting the value for "Turn off Autoplay" to Enabled for all drives.  This did not seem to keep Autoplay from working, and it did not stop Autorun from running Setup.exe on a CD inserted into the CD-ROM.

I have a couple of registry edits that will do what I want, but I'm not sure how to use Group Policy to edit the registry.  We want to use Group Policy so that if someone changes the registry to enable Autorun, it will be turned off again the next time they log on.

Any help would be appreciated.  Thanks!
I forgot to mention that most of our PCs are running Windows XP.
These are the two registry changes I would like to make, unless there is another way to use Group Policy to accomplish the same thing:
1.  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
Add new String Value: Autorun.inf, value = @SYS:DoesNotExist
2.  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
Set value of AutoRun to 0.

Question by:SerendipityToo
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 200 total points
ID: 24045690
The Computer Configuration\Administrative Templates\System Turn off Autoplay option is in COMPUTER CONFIGURATION - not user configuration - so only applies to COMPUTERS in the OU to which it is linked - not to USERS.
For registry - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22997398.html
0
 

Author Comment

by:SerendipityToo
ID: 24045844
KCTS, thank you very much!  You explained why my attempt at using Group Policy didn't work on the computer.  Our computers are not in the OUs with the users.  I will take a look at all the information in your link and try it out tomorrow.  I will let you know how it works out tomorrow!
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 300 total points
ID: 24046691
Here's a great ADM template you can use that covers all possible drives

http://www.edugeek.net/forums/windows/25714-advanced-autorun-autoplay-settings-adm-file.html

; Advanced Autorun settings (AdvancedAutorun.adm)
; See http://support.microsoft.com/kb/953252 for details
 
CLASS MACHINE
 
CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
 
		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART
		PART !!Autorun_Text1	TEXT
		END PART
		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY
 
CLASS USER
 
CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
 
		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART
		PART !!Autorun_Text1	TEXT
		END PART
		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY
 
[strings]
AdvancedAutorun="Advanced Autorun Settings"
Autorun_Box="Turn off Autoplay on:"
Autorun_Default="No drives (XP/Vista default)"
Autorun_NoRemovable="Removable drives"
Autorun_NoFixed="Fixed drives"
Autorun_NoRemovableFixed="Removable, Fixed drives"
Autorun_NoCD="CD-ROM drives"
Autorun_NoRemovableCD="CD-ROM, Removable drives"
Autorun_NoFixedCD="CD-ROM, Fixed drives"
Autorun_None="All drives (including RAM drives)"
AutorunAdvanced="Turn off Autoplay (advanced)"
Autorun_Text1="Windows XP and Vista disable Network and Unknown drives by default"
Autorun_Text2="Windows 2000 and Server 2K3 also disable Removable drives by default"


0
 

Author Comment

by:SerendipityToo
ID: 24056675
KCTS:  I tried Pete Long's solution from your link, adding the registry settings I want to the Group Policy from the local registry, but when I logged on to a computer nothing changed in the registry.  Both the computer and the user account I used were in the OU that had my Group Policy linked.  I don't know what I did wrong.  I spent a lot of time trying to get PolicyMaker, but Microsoft has made it pretty impossible to download it anymore.

dstewartjr:  I added your administrative template to the Administrative Templates in my test Group Policy.   Again, nothing happened when I logged onto my test computer to test it out.  The policy should have been applied to both the computer and the user account.  This template did work for me when I added it directly to a local group policy on a computer that had the admin tools installed, though, but that isn't what I need.

What did work, partially, was to add a logon script in the User Configuration part of a group policy, using a batch file containing the registry edits that dstewartjr's file creates for the Windows Explorer policy.  I also included a registry edit that blocks the autorun.inf file from being accessed, but that didn't get added to the registry because I was using the Current User, not the Local Machine.  

I would prefer not to use a logon script.  I liked the idea of adding the registry edits through the Windows Security, Registry part of the group policy.  Would like to get that working.

I'm sorry if I'm missing something in your instructions.  I don't have experience with scripting or Group Policy.
0
 

Author Comment

by:SerendipityToo
ID: 24083025
Well, I finally did some proper testing, and dstewartjr's administrative template file is working for me now.  I created an OU in Active Directory just for test workstations, and moved my test computer account into it.  I applied my group policy that uses the template to the test workstation OU.  It looks like dstewart's template increases the security gained by just turning off AutoPlay from the standard system administrative template.  Thank you!

I also want to give points to KCTS, for steering me in the right direction about Local_User vs. Local_Machine registry edits in a group policy.  The link in KCTS' comment gave me information on how to push out a registry edit using Group Policy without using a template or a script.  I still have not been able to successfully push out a registry edit that I want to use in addition to the template, one that nullifies the autorun.inf file.  It looks good on the policy configuration screen, but the registry key doesn't change when I log onto the test workstation.  I'm not familiar with how to turn a .reg file into a .adm file, or I would add it to the administrative template that is working so well.

Anyway, I want to thank both KCTS and dstewartjr very much for your assistance.  You were very informative and saved me a lot of time!
0
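
An added example, not part of the original thread: a PowerShell check that reads the values discussed above on a test workstation and decodes the NoDriveTypeAutorun bitmask, so you can see whether the computer-side or user-side policy actually landed. It assumes PowerShell 2.0 or later is installed and that the value is stored as a DWORD, as the template writes it; the function names Get-AutorunPolicy and Get-RegistryValue are illustrative.

```powershell
# Added example: audit the Autorun values discussed in this thread on one workstation.
# NoDriveTypeAutorun is a bitmask; a set bit turns Autorun off for that drive type.
# Bit 0x80 (reserved/unknown) is set in every template value and is not listed here.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown' },
    @{ Bit = 0x04; Name = 'Removable' },
    @{ Bit = 0x08; Name = 'Fixed' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' }
)

function Get-AutorunPolicy {
    param([string]$Hive)   # 'HKLM' (computer policy) or 'HKCU' (user policy)
    $path = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutorun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = 'not set'; $enabled = 'OS default applies'
    } else {
        $mask    = [int]$item.NoDriveTypeAutorun   # assumes REG_DWORD, as the template writes
        $value   = '0x{0:X2}' -f $mask
        # Drive types whose bit is clear still have Autorun enabled.
        $names   = @($DriveTypeBits | Where-Object { -not ($mask -band $_.Bit) } |
                     ForEach-Object { $_.Name })
        $enabled = if ($names.Count) { $names -join ', ' } else { 'none' }
    }
    New-Object PSObject -Property @{ Hive = $Hive; Value = $value; AutorunStillOn = $enabled }
}

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set' } else { $item.$Name }
}

# Policy value written by the template, per hive.
'HKLM', 'HKCU' | ForEach-Object { Get-AutorunPolicy $_ } |
    Format-Table Hive, Value, AutorunStillOn -AutoSize

# The two machine-wide edits from the question; both live under HKLM.
"Cdrom AutoRun              : " + (Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom' 'AutoRun')
"IniFileMapping Autorun.inf : " + (Get-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping' 'Autorun.inf')
```

Run it as the logged-on test user after a policy refresh so the HKCU row reflects that user's policy. With the template's "All drives" choice applied, the Value column shows 0xFF and AutorunStillOn shows none.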
