Solved

GPO & Batch edit

Posted on 2011-02-27
4
789 Views
Last Modified: 2012-05-11
Gurus

We're looking for a GPO solution which will provide the following functionality:
1 .When standard user will login - the USB mass storage drives and CD will be disabled.
2. When an Admin user will login - both USB mass storage drives and CD will appear.

Now, we've found a way to do it with multiple logon and logoff's, but it's a bit sluggish for us.

We thought of the following idea, and would like your guidance or an example file how to perform it:
Whenever a std. user or an Admin user will login, the associated Login script will query the relevant registry entry in order to see if the CD\USB is enabled or disabled.

In the case that the Std. user will login (which teh CD\USB SHOULD be disabled), and the batch will find out that the current drives state is disabled, all is good - and the login process will continue as usual. But if the USB\CD's are currently enabled (due to previous Admin login), the batch should disable it by changing the corresponding reg key, and should perform a silent log-off and logon back to the domain.

The same scenario should be performed in vice verse to the Admin user (If enabled -->continue, if disabled --> enable, logoff --> logon).

Now, is it possible? If so, how?

BTW, the domain controller is 2008, and the Workstations are Win XP SP3.

Many thx
0
Comment
Question by:IT_Group1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34991188
If you have strongly standardized environment, you can restrict user access to certain drive letter(s) with Group Policy. It means that you must have a drive letter standard, for example C is for system and D is for data partition. Now you can limit standard user access to only C and D while admins will be able to use any drive letter. As C and D are already in use, any USB device will be in the denied list as well as the CD drive.
0
 

Author Comment

by:IT_Group1
ID: 34991717
I need more specific information please.

Its like this:
I need an example for batch file of logon script that do registry key query then replace the registry in case of the the value is as changed (in case of no change the logon script continue)
Example: if the value on a USB set on "start" to 4 (disabled by default) and the running batch discover that the current registry key is 3 (enabled) the batch need to change the registry key then logoff the user for relogin.

0
 
LVL 3

Expert Comment

by:thomasd04
ID: 34991828
Hi! Are you saying that you are currently using a GPO without scripts to accomplish this? And that by doing this, it's taking too long for the GPO to update the user's access? Or are you saying that you currently don't have a solution and are looking for a combination of GPO and scripts to tackle this problem? Here's an article on restricting all USB removable disks using GPO only.
http://www.petri.co.il/disable_usb_disks_with_gpo.htm



0
 
LVL 8

Accepted Solution

by:
Toxacon earned 500 total points
ID: 34992731
Umm, the way I explained does not use any scripts for allowing/denying access to drive letters.

Take a look at the following article:

http://support.microsoft.com/kb/231289

It is about hiding specified drive letters but you can also deny access by specifying another registry value in the built-in template.

For example, your fixed drives are C and D. Your CD-ROM is Z. Your Home drive is H and DFS drive is R. You allow access to C, D, H and R. The user can't access CD-ROM in Z or plugged-in USB-drive which will get next available letter E. Of course, if the user disconnects his/her home drive and then adds four USB drives, the fourth will get letter H so the solution is not failsafe but it will prevent an ordinary user from accessing any additional drives.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question