Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

GPO & Batch edit

Posted on 2011-02-27
4
Medium Priority
?
793 Views
Last Modified: 2012-05-11
Gurus

We're looking for a GPO solution which will provide the following functionality:
1 .When standard user will login - the USB mass storage drives and CD will be disabled.
2. When an Admin user will login - both USB mass storage drives and CD will appear.

Now, we've found a way to do it with multiple logon and logoff's, but it's a bit sluggish for us.

We thought of the following idea, and would like your guidance or an example file how to perform it:
Whenever a std. user or an Admin user will login, the associated Login script will query the relevant registry entry in order to see if the CD\USB is enabled or disabled.

In the case that the Std. user will login (which teh CD\USB SHOULD be disabled), and the batch will find out that the current drives state is disabled, all is good - and the login process will continue as usual. But if the USB\CD's are currently enabled (due to previous Admin login), the batch should disable it by changing the corresponding reg key, and should perform a silent log-off and logon back to the domain.

The same scenario should be performed in vice verse to the Admin user (If enabled -->continue, if disabled --> enable, logoff --> logon).

Now, is it possible? If so, how?

BTW, the domain controller is 2008, and the Workstations are Win XP SP3.

Many thx
0
Comment
Question by:IT_Group1
  • 2
4 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34991188
If you have strongly standardized environment, you can restrict user access to certain drive letter(s) with Group Policy. It means that you must have a drive letter standard, for example C is for system and D is for data partition. Now you can limit standard user access to only C and D while admins will be able to use any drive letter. As C and D are already in use, any USB device will be in the denied list as well as the CD drive.
0
 

Author Comment

by:IT_Group1
ID: 34991717
I need more specific information please.

Its like this:
I need an example for batch file of logon script that do registry key query then replace the registry in case of the the value is as changed (in case of no change the logon script continue)
Example: if the value on a USB set on "start" to 4 (disabled by default) and the running batch discover that the current registry key is 3 (enabled) the batch need to change the registry key then logoff the user for relogin.

0
 
LVL 3

Expert Comment

by:thomasd04
ID: 34991828
Hi! Are you saying that you are currently using a GPO without scripts to accomplish this? And that by doing this, it's taking too long for the GPO to update the user's access? Or are you saying that you currently don't have a solution and are looking for a combination of GPO and scripts to tackle this problem? Here's an article on restricting all USB removable disks using GPO only.
http://www.petri.co.il/disable_usb_disks_with_gpo.htm



0
 
LVL 8

Accepted Solution

by:
Toxacon earned 2000 total points
ID: 34992731
Umm, the way I explained does not use any scripts for allowing/denying access to drive letters.

Take a look at the following article:

http://support.microsoft.com/kb/231289

It is about hiding specified drive letters but you can also deny access by specifying another registry value in the built-in template.

For example, your fixed drives are C and D. Your CD-ROM is Z. Your Home drive is H and DFS drive is R. You allow access to C, D, H and R. The user can't access CD-ROM in Z or plugged-in USB-drive which will get next available letter E. Of course, if the user disconnects his/her home drive and then adds four USB drives, the fourth will get letter H so the solution is not failsafe but it will prevent an ordinary user from accessing any additional drives.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question