[gptalk] Re: ADM problem

  • From: <jpsalemi@xxxxxxxxxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 22 Aug 2006 11:02:25 -0500

Gary, you're not using NUMERICAL are you?  The policy says NUMERIC ?

It should be NUMERIC

It wouldn't apply during a policy refresh, but a reboot, policy change, or
a gpupdate /force it should.  You can try "always run registry policy
settings too" although that can cause some performance issues upon policy
re-application.

The idea being if someone has admin rights, and deletes the key, it won't
automagically come back.

John





                                                                           
             "Gray Troutman"                                               
             <jgraytroutman@gm                                             
             ail.com>                                                   To 
             Sent by:                  gptalk@xxxxxxxxxxxxx                
             gptalk-bounce@fre                                          cc 
             elists.org                                                    
                                                                   Subject 
                                       [gptalk] Re: ADM problem            
             08/22/2006 10:51                                              
             AM                                                            
                                                                           
                                                                           
             Please respond to                                             
             gptalk@freelists.                                             
                    org                                                    
                                                                           
                                                                           




So if I have

VALUEON NUMERICAL 1
VALUEOFF NUMERICAL 0

Having it enabled should have put 1 into the value, but it didn't, and the
key didn't exist before the GPO was created.

But, more importantly, what you're telling me is that if I switch the
policy between enabled and disabled, it's not going to update the key to
the appropriate value?  If that's the case, I might as well just write a
script that imports the appropriate registry value during logon.





On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote:
  If the value does not exist (previously) it should work.  This is
  considered a "user preference" and a GPO will only apply it once.  It
  will not be "managed".



  Doug Delaney
  GM Desktop Engineering
  Global Client Engineering GM
  1075 W. Entrance Dr., MS 2B, Cube 2130
  Auburn Hills, MI 48326
  Lab: 248-365-9187
  Tel: 248-754-7917
  Pg: 248-870-0306 pager
  Mail: Doug.Delaney@xxxxxxx


  Note: The information in this email is intended solely for the addressee.
  Access to this email by anyone else is unauthorized. If you are not the
  intended recipient, any disclosure, copying, distribution or any action
  taken or omitted to be taken in reliance on it is prohibited.




        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:
        gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman
        Sent: Tuesday, August 22, 2006 11:18 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: ADM problem

  The thing is that if I create the key/dword and put in the value 1 in
  manually, it works fine, write access to USB devices is disallowed.  If I
  use the ADM, though, it creates the key and dword, but doesn't put the
  correct value in, it stays 0.



  On 8/22/06, Tim Bolton <jsclmedave@xxxxxxxxx> wrote:
   We tried this numerous times, but certain USB sticks were still able
   to load and were accessible.

   hopefully Darren has the magic bullet for this.  I have heard of shops
   actually putting epoxy in the ports...

   We use a product that took care of this.  If you want info on it
   please email me direct.

   I am very curious to see if there is a workable solution in GP...

   TB

   On 8/22/06, Gray Troutman < jgraytroutman@xxxxxxxxx> wrote:
   > Hey folks,
   > I've implemented a few custom ADMs without any difficulty.  I have
   one,
   > however, that doesn't seem to want to work properly.  It's one I found
   it
   > over at thelazyadmin.com .  The ADM is supposed to disable write
   access to
   > USB devices.  When I manually create the key and dword, everything
   works
   > fine, but when I try to implement it through a GPO, it creates the key
   and
   > dword, but doesn't place the appropriate value (1) into the registry.
   Here
   > are the contents of the ADM:
   >
   > CLASS MACHINE
   > CATEGORY "Removeable Storage Write Access"
   >  POLICY "USB Write Access"
   >   KEYNAME
   > "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
   >    VALUENAME "WriteProtect"
   >    VALUEON NUMERIC 1
   >    VALUEOFF NUMERIC 0
   >  END POLICY
   > END CATEGORY;
   >
   > As an additional note, I'll mention that this is the only machine
   specific
   > policy I'm trying to enforce within this GPO, everything else is on
   the user
   > side.  I had thought that maybe I had instituted a policy that was
   keeping
   > the key from being generated, but everything show up except for the
   > appropriate value.
   >
   > Thanks in advance,
   > Gray
   >


   --
   Genius may have its limitations, but stupidity is not thus
   handicapped. - Elbert Hubbard
   ***********************
   You can unsubscribe from gptalk by sending email to
   gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
   by logging into the freelists.org Web interface. Archives for the list
   are available at http://www.freelists.org/archives/gptalk/
   ************************



***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: