Solved

GPO & Batch edit

Posted on 2011-02-27
4
787 Views
Last Modified: 2012-05-11
Gurus

We're looking for a GPO solution which will provide the following functionality:
1 .When standard user will login - the USB mass storage drives and CD will be disabled.
2. When an Admin user will login - both USB mass storage drives and CD will appear.

Now, we've found a way to do it with multiple logon and logoff's, but it's a bit sluggish for us.

We thought of the following idea, and would like your guidance or an example file how to perform it:
Whenever a std. user or an Admin user will login, the associated Login script will query the relevant registry entry in order to see if the CD\USB is enabled or disabled.

In the case that the Std. user will login (which teh CD\USB SHOULD be disabled), and the batch will find out that the current drives state is disabled, all is good - and the login process will continue as usual. But if the USB\CD's are currently enabled (due to previous Admin login), the batch should disable it by changing the corresponding reg key, and should perform a silent log-off and logon back to the domain.

The same scenario should be performed in vice verse to the Admin user (If enabled -->continue, if disabled --> enable, logoff --> logon).

Now, is it possible? If so, how?

BTW, the domain controller is 2008, and the Workstations are Win XP SP3.

Many thx
0
Comment
Question by:IT_Group1
  • 2
4 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34991188
If you have strongly standardized environment, you can restrict user access to certain drive letter(s) with Group Policy. It means that you must have a drive letter standard, for example C is for system and D is for data partition. Now you can limit standard user access to only C and D while admins will be able to use any drive letter. As C and D are already in use, any USB device will be in the denied list as well as the CD drive.
0
 

Author Comment

by:IT_Group1
ID: 34991717
I need more specific information please.

Its like this:
I need an example for batch file of logon script that do registry key query then replace the registry in case of the the value is as changed (in case of no change the logon script continue)
Example: if the value on a USB set on "start" to 4 (disabled by default) and the running batch discover that the current registry key is 3 (enabled) the batch need to change the registry key then logoff the user for relogin.

0
 
LVL 3

Expert Comment

by:thomasd04
ID: 34991828
Hi! Are you saying that you are currently using a GPO without scripts to accomplish this? And that by doing this, it's taking too long for the GPO to update the user's access? Or are you saying that you currently don't have a solution and are looking for a combination of GPO and scripts to tackle this problem? Here's an article on restricting all USB removable disks using GPO only.
http://www.petri.co.il/disable_usb_disks_with_gpo.htm



0
 
LVL 8

Accepted Solution

by:
Toxacon earned 500 total points
ID: 34992731
Umm, the way I explained does not use any scripts for allowing/denying access to drive letters.

Take a look at the following article:

http://support.microsoft.com/kb/231289

It is about hiding specified drive letters but you can also deny access by specifying another registry value in the built-in template.

For example, your fixed drives are C and D. Your CD-ROM is Z. Your Home drive is H and DFS drive is R. You allow access to C, D, H and R. The user can't access CD-ROM in Z or plugged-in USB-drive which will get next available letter E. Of course, if the user disconnects his/her home drive and then adds four USB drives, the fourth will get letter H so the solution is not failsafe but it will prevent an ordinary user from accessing any additional drives.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question