How to use Group Policy to turn off Autorun and Autoplay on PCs

Posted on 2009-04-01
Last Modified: 2013-11-25
We are running Active Directory on Windows Server 2003.  I would like to use Group Policy to turn off AutoRun and AutoPlay on our computers.  The policy would be applied to an Organizational Unit containing user accounts.  

In a Group Policy, I have tried going to Computer Configuration\Administrative Templates\System and setting the value for "Turn off Autoplay" to Enabled for all drives.  This did not seem to keep Autoplay from working, and it did not stop Autorun from running Setup.exe on a CD inserted into the CD-ROM.

I have a couple of registry edits that will do what I want, but I'm not sure how to use Group Policy to edit the registry.  We want to use Group Policy so that if someone changes the registry to enable Autorun, it will be turned off again the next time they log on.

Any help would be appreciated.  Thanks!

I forgot to mention that most of our PCs are running Windows XP.

These are the two registry changes I would like to make, unless there is another way to use Group Policy to accomplish the same thing:

1.  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
    Add new String Value: Autorun.inf, value = @SYS:DoesNotExist
2.  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
    Set value of AutoRun to 0.

Question by:SerendipityToo

Assisted Solution

by:KCTS
KCTS earned 800 total points
ID: 24045690
The Computer Configuration\Administrative Templates\System Turn off Autoplay option is in COMPUTER CONFIGURATION - not user configuration - so only applies to COMPUTERS in the OU to which it is linked - not to USERS.
For registry - see http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22997398.html

Author Comment

by:SerendipityToo
ID: 24045844
KCTS, thank you very much!  You explained why my attempt at using Group Policy didn't work on the computer.  Our computers are not in the OUs with the users.  I will take a look at all the information in your link and try it out tomorrow.  I will let you know how it works out tomorrow!

Accepted Solution

by:
Donald Stewart earned 1200 total points
ID: 24046691
Here's a great ADM template you can use that covers all possible drives:

http://www.edugeek.net/forums/windows/25714-advanced-autorun-autoplay-settings-adm-file.html

; Advanced Autorun settings (AdvancedAutorun.adm)
; See http://support.microsoft.com/kb/953252 for details
 
CLASS MACHINE
 
CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
 
		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART
		PART !!Autorun_Text1	TEXT
		END PART
		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY
 
CLASS USER
 
CATEGORY !!AdvancedAutorun
	POLICY !!AutorunAdvanced
		KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
 
		PART !!Autorun_Box          DROPDOWNLIST REQUIRED
			VALUENAME "NoDriveTypeAutorun"
			ITEMLIST
				NAME !!Autorun_Default		VALUE NUMERIC 145 ; 0x91
				NAME !!Autorun_NoRemovable	VALUE NUMERIC 149 ; 0x95
				NAME !!Autorun_NoFixed		VALUE NUMERIC 153 ; 0x99
				NAME !!Autorun_NoRemovableFixed	VALUE NUMERIC 157 ; 0x9D
				NAME !!Autorun_NoCD		VALUE NUMERIC 177 ; 0xB1
				NAME !!Autorun_NoRemovableCD 	VALUE NUMERIC 181 ; 0xB5
				NAME !!Autorun_NoFixedCD	VALUE NUMERIC 185 ; 0xB9
				NAME !!Autorun_None		VALUE NUMERIC 255 DEFAULT ; 0xFF
			END ITEMLIST
		END PART
		PART !!Autorun_Text1	TEXT
		END PART
		PART !!Autorun_Text2	TEXT
		END PART
	END POLICY
END CATEGORY
 
[strings]
AdvancedAutorun="Advanced Autorun Settings"
Autorun_Box="Turn off Autoplay on:"
Autorun_Default="No drives (XP/Vista default)"
Autorun_NoRemovable="Removable drives"
Autorun_NoFixed="Fixed drives"
Autorun_NoRemovableFixed="Removable, Fixed drives"
Autorun_NoCD="CD-ROM drives"
Autorun_NoRemovableCD="CD-ROM, Removable drives"
Autorun_NoFixedCD="CD-ROM, Fixed drives"
Autorun_None="All drives (including RAM drives)"
AutorunAdvanced="Turn off Autoplay (advanced)"
Autorun_Text1="Windows XP and Vista disable Network and Unknown drives by default"
Autorun_Text2="Windows 2000 and Server 2K3 also disable Removable drives by default"

0
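
The dropdown entries in the template above are bit masks written to NoDriveTypeAutorun. The following is an added example, not part of the original thread or of the template: it decodes each of the template's eight values into the drive types it covers, then reads the live policy value from both hives plus the Cdrom AutoRun value from the question, so you can confirm on a test workstation what the GPO actually applied. The bit-to-drive-type labels and the function name are this example's own; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). A set bit in NoDriveTypeAutoRun
# disables Autorun for that drive type. The labels below are assumptions
# of this example, based on the commonly documented bit layout.
$DriveTypeBits = @(
    [pscustomobject]@{ Bit = 0x01; Name = 'Unknown' }
    [pscustomobject]@{ Bit = 0x04; Name = 'Removable' }
    [pscustomobject]@{ Bit = 0x08; Name = 'Fixed' }
    [pscustomobject]@{ Bit = 0x10; Name = 'Network' }
    [pscustomobject]@{ Bit = 0x20; Name = 'CD-ROM' }
    [pscustomobject]@{ Bit = 0x40; Name = 'RAM disk' }
    [pscustomobject]@{ Bit = 0x80; Name = 'Unknown (high bit)' }
)

function ConvertFrom-AutorunMask {
    param([Parameter(Mandatory = $true)] $Mask, [string] $Source = 'template')
    # The value may be stored as REG_BINARY; the low byte carries the mask.
    if ($Mask -is [byte[]]) { $Mask = $Mask[0] }
    $Mask = [int]$Mask
    $off = @($DriveTypeBits | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name })
    $on  = @($DriveTypeBits | Where-Object { -not ($Mask -band $_.Bit) } | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Source          = $Source
        Mask            = '0x{0:X2}' -f $Mask
        AutorunDisabled = $off -join ', '
        AutorunAllowed  = $on -join ', '
    }
}

# 1. What each dropdown entry in the template sets (values copied from the .adm).
145, 149, 153, 157, 177, 181, 185, 255 | ForEach-Object { ConvertFrom-AutorunMask $_ }

# 2. What this machine and the logged-on user actually have applied.
$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $v = (Get-ItemProperty -Path "$hive\$policy" -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v) {
        Write-Warning "$hive\$policy : NoDriveTypeAutoRun is not set"
    } else {
        ConvertFrom-AutorunMask -Mask $v -Source $hive
    }
}

# 3. The Cdrom service value the question sets to 0.
$cd = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom' -ErrorAction SilentlyContinue).AutoRun
"Cdrom service AutoRun = $cd"
```

Run it on the test workstation after `gpupdate /force`; any row whose AutorunAllowed column is not empty still permits Autorun on those drive types.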
 

Author Comment

by:SerendipityToo
ID: 24056675
KCTS:  I tried Pete Long's solution from your link, adding the registry settings I want to the Group Policy from the local registry, but when I logged on to a computer nothing changed in the registry.  Both the computer and the user account I used were in the OU that had my Group Policy linked.  I don't know what I did wrong.  I spent a lot of time trying to get PolicyMaker, but Microsoft has made it pretty impossible to download it anymore.

dstewartjr:  I added your administrative template to the Administrative Templates in my test Group Policy.   Again, nothing happened when I logged onto my test computer to test it out.  The policy should have been applied to both the computer and the user account.  This template did work for me when I added it directly to a local group policy on a computer that had the admin tools installed, though, but that isn't what I need.

What did work, partially, was to add a logon script in the User Configuration part of a group policy, using a batch file containing the registry edits that dstewartjr's file creates for the Windows Explorer policy.  I also included a registry edit that blocks the autorun.inf file from being accessed, but that didn't get added to the registry because I was using the Current User, not the Local Machine.  

I would prefer not to use a logon script.  I liked the idea of adding the registry edits through the Windows Security, Registry part of the group policy.  Would like to get that working.

I'm sorry if I'm missing something in your instructions.  I don't have experience with scripting or Group Policy.

Author Comment

by:SerendipityToo
ID: 24083025
Well, I finally did some proper testing, and dstewartjr's administrative template file is working for me now.  I created an OU in Active Directory just for test workstations, and moved my test computer account into it.  I applied my group policy that uses the template to the test workstation OU.  It looks like dstewart's template increases the security gained by just turning off AutoPlay from the standard system administrative template.  Thank you!

I also want to give points to KCTS, for steering me in the right direction about Local_User vs. Local_Machine registry edits in a group policy.  The link in KCTS' comment gave me information on how to push out a registry edit using Group Policy without using a template or a script.  I still have not been able to successfully push out a registry edit that I want to use in addition to the template, one that nullifies the autorun.inf file.  It looks good on the policy configuration screen, but the registry key doesn't change when I log onto the test workstation.  I'm not familiar with how to turn a .reg file into a .adm file, or I would add it to the administrative template that is working so well.

Anyway, I want to thank both KCTS and dstewartjr very much for your assistance.  You were very informative and saved me a lot of time!