Solved

GPO & Batch edit

Posted on 2011-02-27
Last Modified: 2012-05-11
Gurus

We're looking for a GPO solution which will provide the following functionality:
1. When a standard user logs in, the USB mass storage drives and CD will be disabled.
2. When an Admin user logs in, both USB mass storage drives and CD will appear.

Now, we've found a way to do it with multiple logons and logoffs, but it's a bit sluggish for us.

We thought of the following idea, and would like your guidance or an example file showing how to perform it:
Whenever a std. user or an Admin user logs in, the associated login script will query the relevant registry entry in order to see if the CD\USB is enabled or disabled.

In the case that the Std. user logs in (for which the CD\USB SHOULD be disabled), and the batch finds out that the current drive state is disabled, all is good, and the login process will continue as usual. But if the USB\CDs are currently enabled (due to a previous Admin login), the batch should disable them by changing the corresponding reg key, and should perform a silent log-off and logon back to the domain.

The same scenario should be performed vice versa for the Admin user (if enabled --> continue, if disabled --> enable, logoff --> logon).

Now, is it possible? If so, how?

BTW, the domain controller is 2008, and the Workstations are Win XP SP3.

Many thx
Question by:IT_Group1

Expert Comment

by:Toxacon
ID: 34991188
If you have a strongly standardized environment, you can restrict user access to certain drive letter(s) with Group Policy. It means that you must have a drive letter standard, for example C is for system and D is for data partition. Now you can limit standard user access to only C and D while admins will be able to use any drive letter. As C and D are already in use, any USB device will be in the denied list as well as the CD drive.

Author Comment

by:IT_Group1
ID: 34991717
I need more specific information please.

It's like this:
I need an example of a batch file logon script that does a registry key query and then replaces the registry value in case the value has changed (in case of no change the logon script continues).
Example: if the value on a USB is set on "start" to 4 (disabled by default) and the running batch discovers that the current registry key is 3 (enabled), the batch needs to change the registry key and then log off the user for re-login.


Expert Comment

by:thomasd04
ID: 34991828
Hi! Are you saying that you are currently using a GPO without scripts to accomplish this? And that by doing this, it's taking too long for the GPO to update the user's access? Or are you saying that you currently don't have a solution and are looking for a combination of GPO and scripts to tackle this problem? Here's an article on restricting all USB removable disks using GPO only.
http://www.petri.co.il/disable_usb_disks_with_gpo.htm




Accepted Solution

by:
Toxacon earned 500 total points
ID: 34992731
Umm, the way I explained does not use any scripts for allowing/denying access to drive letters.

Take a look at the following article:

http://support.microsoft.com/kb/231289

It is about hiding specified drive letters but you can also deny access by specifying another registry value in the built-in template.

For example, your fixed drives are C and D. Your CD-ROM is Z. Your Home drive is H and DFS drive is R. You allow access to C, D, H and R. The user can't access the CD-ROM in Z or a plugged-in USB drive, which will get the next available letter, E. Of course, if the user disconnects his/her home drive and then adds four USB drives, the fourth will get letter H, so the solution is not failsafe, but it will prevent an ordinary user from accessing any additional drives.
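
The drive-letter arithmetic behind this answer, as an added example that is not part of the original post: the Explorer policy values `NoDrives` (hide) and `NoViewOnDrive` (deny access) are 26-bit masks with A: as bit 0, and the sketch below computes the value for the allowed set C, D, H, R and reproduces the failure case with the disconnected home drive. The value names are not given in the post, and the letter-assignment rule (first free letter from C: upward) is a simplifying assumption.

```python
import string

LETTERS = string.ascii_uppercase   # bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
ALL_DRIVES = (1 << 26) - 1         # 67108863 restricts every letter


def restrict_mask(allowed):
    """Decimal policy value that restricts every letter except `allowed`."""
    mask = ALL_DRIVES
    for letter in allowed:
        mask &= ~(1 << LETTERS.index(letter.upper()))
    return mask


def is_blocked(mask, letter):
    """True if the policy bit for this drive letter is set."""
    return bool((mask >> LETTERS.index(letter.upper())) & 1)


def plug_in(in_use, count=1):
    """Letters handed to newly attached volumes.

    Assumption: each volume gets the first free letter from C: upward,
    which is the behaviour the answer describes.
    """
    in_use = {l.upper() for l in in_use}
    assigned = []
    for _ in range(count):
        letter = next(l for l in LETTERS[2:] if l not in in_use)
        in_use.add(letter)
        assigned.append(letter)
    return assigned


def reachable(mask, letters):
    """Subset of `letters` the policy does not restrict."""
    return [l for l in letters if not is_blocked(mask, l)]


if __name__ == "__main__":
    mask = restrict_mask("CDHR")   # allowed set from the answer
    print("policy value:", mask)
    # Normal case: C, D, H, R, Z in use, one USB stick attached
    print(reachable(mask, plug_in("CDHRZ")))
    # Failure case: H: disconnected, four USB sticks attached
    print(reachable(mask, plug_in("CDRZ", 4)))
```

Because the value is a per-user Explorer policy, it can be applied to standard users only, which gives the admin/standard split without a logoff cycle.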