Solved

sbs 2008 and desable use and cd rom GPOs

Posted on 2010-09-22
9
1,056 Views
Last Modified: 2012-05-28
first of all i would like to thank you all for the great effort , help and tips you provide and  i would like to ask a question about GPOs

i have sbs 2008 and few xp clients and vista clients and i tried to apply a gpo to remove cd rom and usb access but i failed because its different from win server 2003 and i did converted the adm file to admx file and imported it to a new gpo called disabled usb and cd rom and link that gpo to the ou that contains computer accounts and users accounts and created a security group and join the PCs i want to block cd rom and usb as a security filter but same thing
so plz help
 
thanks a lot :)
0
Comment
Question by:Engamt
  • 4
  • 4
9 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 33736661
http://blogs.techrepublic.com.com/datacenter/?p=452  Disable removable media through Windows Server 2008's Group Policy configuration
 
0
 

Author Comment

by:Engamt
ID: 33740870
thank you MR.CrisHanna MVP for your replay but i still need a clarification about the link you gave me
i understand from the link that i can apply these configuration to  the computer configuration or to the user configuration all i have to do is create a security group and join my PCs or users accounts to it and link the GPO i created with computer or user configuration to the OU that contain computer accounts or user accounts and filter that GPO by the security group i created by the security filter in scope section which i already did but i will check again and this is for vista but what about xp  ?
i tried to convert a adm file to admx file since server 2008 does not support adm files instead it support admx , i found the adm file on the internet and i already tested it on server 2003 and it was working fine on xp clients but i failed on sbs2008 so plz help

thanks
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 500 total points
ID: 33740913
Actually the ADMX already ready exists in SBS 2008...
Start the Group Policy Management Console > Navigate to the Windows SBS Client - Windows XP Policy > Right Click > Edit  
Computer Configuration > Administrative Templates >System > Removeable Storage Access   Then configure the setting you want
Repeat the same thing for the Windows SBS Client - Windows Vista Policy
When you're done  open an elevated command prompt  and type gpupdate /force
Setting should take effect at next logon...but it make take a couple of reboots
0
 

Author Comment

by:Engamt
ID: 33741023
i was thinking about creating a new GPO and configure it with only the disabling configuration since the  Windows SBS Client - Windows XP Policy Windows SBS Client - Windows vista Policy have some predefined configurations on them by microsoft and if i modify those GPOs and use them with security filters i will fail to apply other configuration that was predefined in those GPOs to all clients and i want to control who will have access to cd , dvd , usb other predefined configurations will be applied by default to all client

Thanks
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 35

Expert Comment

by:Cris Hanna
ID: 33741042
You can do it how ever it fits your organization.  You know where it is now...
0
 

Author Comment

by:Engamt
ID: 33741523
i did what  you said and it worked in 3 computers  but the 4the one didn't applied to it i dont know why so i decide to remove all the PCs from the security group i created to filter which PCs will apply the GPO and nothing happen every thing is still disabled , i did restart the clients couple times
run gpupdate /force but still nothing i even restarted my server but still same thing even when i loging as a local administrator to the clients the policy is still aplayed and i cant update the drivers for the devices i disabled earlier  . if i went to user configuration>policies>administrative tempelates policy definitions admx files > system > removal storage access and configure those options instead of the computer configuration you guided me to and use a security filter by a security group with user accounts instead of a computer accounts do you think it will be applied ?

Thanks


0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 33745077
GPO's can sometimes take a while to apply and be removed...since I'm not looking at your system or the way you've instituted the information I put here.  I can't say one way or the other.   It should in theory work.
 
0
 

Author Comment

by:Engamt
ID: 33749851
ok i will try to descripe the scenario  
i have 4 xp clients called xp1 xp2 xp3 xp4 and i created a domain called sg.local and i created a gpo called usb and cd rom disabled
and created a security group called PCs denied usb and cd rom access , then i joined the computer accounts to the security group and then linked the usb and cd rom disabled gpo to the sbs computers ou under my business ou and configure the gpo scope to be applied to the  PCs denied usb and cd rom access security group and went to the delegation tape and gave authenticated users read permission under advanced options and confirmed that the PCs denied usb and cd rom access security group have read and apply permission  
i hope i am not missing some thing
i even was suspecting my server have something wrong with it so i created a gpo for software restriction and did the same thing with the sbs computers ou and it worked just fine once i remove a computer account from the security group i created as a security filter the removed pc will not apply the gpo so nothing wrong with my server and it takes one reboot to apply the changes

i hope you got the idea

Thanks
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now