[gptalk] Re: ADM problem

  • From: Mathieu CHATEAU <gollum123@xxxxxxx>
  • To: "Gray Troutman" <jgraytroutman@xxxxxxxxx>
  • Date: Tue, 22 Aug 2006 22:31:38 +0200

You can also wait for Vista!

It will have built-in security about removable storage!

You will be able to only allow a type of USB stick (like the one offered by the boss at Christmas) and restrict on read or write.



Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com




Tuesday, August 22, 2006, 7:19:53 PM, you wrote:



I think it may have something to do with rights that are established elsewhere.  I opened up the registry under that user and tried to modify it manually and got an error, so I'm going to go back through the rest of the policy and see if I've disallowed rights to modify the registry.  Thanks for all your help everyone.  Like I said a couple of days ago, I'm new to this, so I'll probably stumble over something dumb I should have noticed. 






On 8/22/06, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

And, actually I just tried it on a local GPO here and it works fine for me. 

 

Darren




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia

Sent: Tuesday, August 22, 2006 10:11 AM


To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: ADM problem


I don't see anything wrong in that ADM that would explain why the value is not getting properly enabled. Also, just because it's a preference does not mean that you can't switch it from enabled to disabled without it getting picked up by the client. I suspect Doug is thinking of IE Maintenance preferences, where that is the case.

 

Darren




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman

Sent: Tuesday, August 22, 2006 8:51 AM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: ADM problem


So if I have


VALUEON NUMERICAL 1

VALUEOFF NUMERICAL 0


Having it enabled should have put 1 into the value, but it didn't, and the key didn't exist before the GPO was created.


But, more importantly, what you're telling me is that if I switch the policy between enabled and disabled, it's not going to update the key to the appropriate value?  If that's the case, I might as well just write a script that imports the appropriate registry value during logon. 







On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote: 

If the value does not exist (previously) it should work.  This is considered a "user preference" and a GPO will only apply it once.  It will not be "managed".

 

Doug Delaney

GM Desktop Engineering

Global Client Engineering GM

1075 W. Entrance Dr., MS 2B, Cube 2130

Auburn Hills, MI 48326

Lab: 248-365-9187

Tel: 248-754-7917

Pg: 248-870-0306 pager

Mail: Doug.Delaney@xxxxxxx 


 




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman

Sent: Tuesday, August 22, 2006 11:18 AM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: ADM problem


The thing is that if I create the key/dword and put in the value 1 in manually, it works fine, write access to USB devices is disallowed.  If I use the ADM, though, it creates the key and dword, but doesn't put the correct value in, it stays 0. 





On 8/22/06, Tim Bolton <jsclmedave@xxxxxxxxx> wrote: 

We tried this numerous times, but certain USB sticks were still able to load and were accessible.

Hopefully Darren has the magic bullet for this.  I have heard of shops actually putting epoxy in the ports...

We use a product that took care of this.  If you want info on it please email me direct.


I am very curious to see if there is a workable solution in GP...


TB


On 8/22/06, Gray Troutman < jgraytroutman@xxxxxxxxx> wrote:

> Hey folks,
> I've implemented a few custom ADMs without any difficulty.  I have one,
> however, that doesn't seem to want to work properly.  It's one I found
> over at thelazyadmin.com.  The ADM is supposed to disable write access to
> USB devices.  When I manually create the key and dword, everything works
> fine, but when I try to implement it through a GPO, it creates the key and
> dword, but doesn't place the appropriate value (1) into the registry.  Here
> are the contents of the ADM:
>
> CLASS MACHINE
> CATEGORY "Removeable Storage Write Access"
>  POLICY "USB Write Access"
>   KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
>    VALUENAME "WriteProtect"
>    VALUEON NUMERIC 1
>    VALUEOFF NUMERIC 0
>  END POLICY
> END CATEGORY;
>
> As an additional note, I'll mention that this is the only machine specific
> policy I'm trying to enforce within this GPO, everything else is on the user
> side.  I had thought that maybe I had instituted a policy that was keeping
> the key from being generated, but everything shows up except for the
> appropriate value.
>
> Thanks in advance,
> Gray



--

Genius may have its limitations, but stupidity is not thus 

handicapped. - Elbert Hubbard

***********************

You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/

************************ 
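
One way to separate "the GPO stores the wrong value" from "the client fails to apply it" in the situation discussed in this thread is to read the value straight out of the GPO's Registry.pol file, where Group Policy stores ADM-template registry settings. The following is an added example, not code from any poster in the thread: a Python parser for the PReg file format, run here on constructed sample bytes; the function names and the sample data are assumptions made for the illustration.

```python
import struct

KEY = r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"  # KEYNAME from the ADM
REG_DWORD = 4

def u16(s):
    return s.encode("utf-16-le")

def parse_pol(blob):
    """Parse PReg version 1: UTF-16LE records of the form [key;value;type;size;data]."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a version 1 Registry.pol file")
    pos, records = 8, []
    def take(n):  # consume n bytes, failing cleanly on a truncated file
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated record at offset %d" % pos)
        pos += n
        return blob[pos - n:pos]
    def sep(ch):  # every field is preceded by a 2-byte delimiter character
        if take(2) != u16(ch):
            raise ValueError("expected %r before offset %d" % (ch, pos))
    def text(ch):  # delimiter, then a NUL-terminated UTF-16LE string
        sep(ch)
        chars = b""
        while (c := take(2)) != b"\0\0":
            chars += c
        return chars.decode("utf-16-le")
    def dword(ch):  # delimiter, then a little-endian 32-bit integer
        sep(ch)
        return struct.unpack("<I", take(4))[0]
    while pos < len(blob):
        key, value, rtype, size = text("["), text(";"), dword(";"), dword(";")
        sep(";")
        records.append((key, value, rtype, take(size)))
        sep("]")
    return records

def write_protect_setting(blob):
    """WriteProtect DWORD stored in the policy file, or None if the value is absent."""
    for key, value, rtype, data in parse_pol(blob):
        if (key.lower(), value.lower(), rtype) == (KEY.lower(), "writeprotect", REG_DWORD):
            return struct.unpack("<I", data)[0]
    return None

def sample_pol(n):  # constructed Registry.pol image holding WriteProtect = n
    return (b"PReg" + struct.pack("<I", 1) + u16("[" + KEY + "\0;WriteProtect\0;")
            + struct.pack("<I", REG_DWORD) + u16(";") + struct.pack("<I", 4) + u16(";")
            + struct.pack("<I", n) + u16("]"))
ENABLED, DISABLED = sample_pol(1), sample_pol(0)
```

For a local GPO the machine-side file is %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol; pass its bytes to `write_protect_setting`. A result of 1 with a 0 in the live registry points at the client side (for example permissions on the key) rather than at the ADM.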
