Solved

GPO & Batch edit

Posted on 2011-02-27
4
785 Views
Last Modified: 2012-05-11
Gurus

We're looking for a GPO solution which will provide the following functionality:
1 .When standard user will login - the USB mass storage drives and CD will be disabled.
2. When an Admin user will login - both USB mass storage drives and CD will appear.

Now, we've found a way to do it with multiple logon and logoff's, but it's a bit sluggish for us.

We thought of the following idea, and would like your guidance or an example file how to perform it:
Whenever a std. user or an Admin user will login, the associated Login script will query the relevant registry entry in order to see if the CD\USB is enabled or disabled.

In the case that the Std. user will login (which teh CD\USB SHOULD be disabled), and the batch will find out that the current drives state is disabled, all is good - and the login process will continue as usual. But if the USB\CD's are currently enabled (due to previous Admin login), the batch should disable it by changing the corresponding reg key, and should perform a silent log-off and logon back to the domain.

The same scenario should be performed in vice verse to the Admin user (If enabled -->continue, if disabled --> enable, logoff --> logon).

Now, is it possible? If so, how?

BTW, the domain controller is 2008, and the Workstations are Win XP SP3.

Many thx
0
Comment
Question by:IT_Group1
  • 2
4 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34991188
If you have strongly standardized environment, you can restrict user access to certain drive letter(s) with Group Policy. It means that you must have a drive letter standard, for example C is for system and D is for data partition. Now you can limit standard user access to only C and D while admins will be able to use any drive letter. As C and D are already in use, any USB device will be in the denied list as well as the CD drive.
0
 

Author Comment

by:IT_Group1
ID: 34991717
I need more specific information please.

Its like this:
I need an example for batch file of logon script that do registry key query then replace the registry in case of the the value is as changed (in case of no change the logon script continue)
Example: if the value on a USB set on "start" to 4 (disabled by default) and the running batch discover that the current registry key is 3 (enabled) the batch need to change the registry key then logoff the user for relogin.

0
 
LVL 3

Expert Comment

by:thomasd04
ID: 34991828
Hi! Are you saying that you are currently using a GPO without scripts to accomplish this? And that by doing this, it's taking too long for the GPO to update the user's access? Or are you saying that you currently don't have a solution and are looking for a combination of GPO and scripts to tackle this problem? Here's an article on restricting all USB removable disks using GPO only.
http://www.petri.co.il/disable_usb_disks_with_gpo.htm



0
 
LVL 8

Accepted Solution

by:
Toxacon earned 500 total points
ID: 34992731
Umm, the way I explained does not use any scripts for allowing/denying access to drive letters.

Take a look at the following article:

http://support.microsoft.com/kb/231289

It is about hiding specified drive letters but you can also deny access by specifying another registry value in the built-in template.

For example, your fixed drives are C and D. Your CD-ROM is Z. Your Home drive is H and DFS drive is R. You allow access to C, D, H and R. The user can't access CD-ROM in Z or plugged-in USB-drive which will get next available letter E. Of course, if the user disconnects his/her home drive and then adds four USB drives, the fourth will get letter H so the solution is not failsafe but it will prevent an ordinary user from accessing any additional drives.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now