[gptalk] Re: ADM problem

  • From: "Delaney, Doug" <doug.delaney@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 22 Aug 2006 13:25:39 -0400

Darren,
 
I was actually referring to the user preference settings that are not
visible by default in GPMC. In the Group Policy Object Editor | View |
Filtering, turn off the check mark in "Only show policy settings that
can be fully managed".  This typically applies to any setting that is
not in one of the "policies" areas of the registry
(HKLM\Software\Policies or
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies) and as such,
the settings are considered unmanaged.  The IE Maintenance settings are
an example of this kind of setting, the office adm templates, and any
custom ADM templates that do not store their values in the policies
areas are preferences. Those will remain if you remove the GPO, and will
be applied only once and are not enforced via refresh or reboot.
 

Doug Delaney
GM Desktop Engineering
Global Client Engineering GM
1075 W. Entrance Dr., MS 2B, Cube 2130
Auburn Hills, MI 48326
Lab: 248-365-9187
Tel: 248-754-7917
Pg: 248-870-0306 pager
Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>  

Note: The information in this email is intended solely for the
addressee. Access to this email by anyone else is unauthorized. If you
are not the intended recipient, any disclosure, copying, distribution or
any action taken or omitted to be taken in reliance on it is prohibited.

 


________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
        Sent: Tuesday, August 22, 2006 1:11 PM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: ADM problem
        
        
        I don't see anything wrong in that ADM that would explain why
the value is not getting properly enabled. Also, just because its a
preference does not mean that you can't switch it from enabled to
disabled without it getting picked up by the client. I suspect Doug is
thinking of IE Maintenance preferences, where that is the case.
         
        Darren

________________________________

        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman
        Sent: Tuesday, August 22, 2006 8:51 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: ADM problem
        
        
        So if I have
        
        VALUEON NUMERICAL 1
        VALUEOFF NUMERICAL 0
        
        Having it enabled should have put 1 into the value, but it
didn't, and the key didn't exist before the GPO was created.
        
        But, more importantly, what you're telling me is that if I
switch the policy between enabled and disabled, it's not going to update
the key to the appropriate value?  If that's the case, I might as well
just write a script that imports the appropriate registry value during
logon. 
        
        
        
        
        
        
        On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote: 

                If the value does not exist (previously) it should work.
This is considered a "user preference" and a GPO will only apply it
once.  It will not be "managed".
                 

                Doug Delaney
                GM Desktop Engineering
                Global Client Engineering GM
                1075 W. Entrance Dr., MS 2B, Cube 2130
                Auburn Hills, MI 48326
                Lab: 248-365-9187
                Tel: 248-754-7917
                Pg: 248-870-0306 pager
                Mail: Doug.Delaney@xxxxxxx <mailto:Doug.Delaney@xxxxxxx>


                Note: The information in this email is intended solely
for the addressee. Access to this email by anyone else is unauthorized.
If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance on
it is prohibited.

                 


________________________________

                        From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman
                        Sent: Tuesday, August 22, 2006 11:18 AM
                        To: gptalk@xxxxxxxxxxxxx
                        Subject: [gptalk] Re: ADM problem
                        
                        

                
                The thing is that if I create the key/dword and put in
the value 1 in manually, it works fine, write access to USB devices is
disallowed.  If I use the ADM, though, it creates the key and dword, but
doesn't put the correct value in, it stays 0. 
                
                
                
                
                On 8/22/06, Tim Bolton <jsclmedave@xxxxxxxxx> wrote: 

                        We tried this numerous times, but certain USB
sticks were still able
                        to load and were accessible.
                        
                        hopefully Darren has the magic bullet for this.
I have heard of shops
                        actually putting epoxy in the ports...
                        
                        We use a product that took care of this.  If you
want info on it
                        please email me direct.
                        
                        I am very curious to see if there is a workable
solution in GP...
                        
                        TB
                        
                        On 8/22/06, Gray Troutman <
jgraytroutman@xxxxxxxxx <mailto:jgraytroutman@xxxxxxxxx> > wrote:
                        > Hey folks,
                        > I've implemented a few custom ADMs without any
difficulty.  I have one,
                        > however, that doesn't seem to want to work
properly.  It's one I found it
                        > over at thelazyadmin.com .  The ADM is
supposed to disable write access to
                        > USB devices.  When I manually create the key
and dword, everything works
                        > fine, but when I try to implement it through a
GPO, it creates the key and 
                        > dword, but doesn't place the appropriate value
(1) into the registry.  Here
                        > are the contents of the ADM:
                        >
                        > CLASS MACHINE
                        > CATEGORY "Removeable Storage Write Access"
                        >  POLICY "USB Write Access" 
                        >   KEYNAME
                        >
"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
                        >    VALUENAME "WriteProtect"
                        >    VALUEON NUMERIC 1
                        >    VALUEOFF NUMERIC 0
                        >  END POLICY
                        > END CATEGORY;
                        >
                        > As an additional note, I'll mention that this
is the only machine specific
                        > policy I'm trying to enforce within this GPO,
everything else is on the user
                        > side.  I had thought that maybe I had
instituted a policy that was keeping 
                        > the key from being generated, but everything
show up except for the
                        > appropriate value.
                        >
                        > Thanks in advance,
                        > Gray
                        >
                        
                        
                        --
                        Genius may have its limitations, but stupidity
is not thus 
                        handicapped. - Elbert Hubbard
                        ***********************
                        You can unsubscribe from gptalk by sending email
to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
OR by logging into the freelists.org Web interface. Archives for the
list are available at http://www.freelists.org/archives/gptalk/
                        ************************ 
                        



Other related posts: