[gptalk] Re: ADM problem

  • From: <jpsalemi@xxxxxxxxxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Tue, 22 Aug 2006 12:16:34 -0500

Just for kicks, being as it's one word and no spaces, try removing the " 's
from WriteProtect

Ya never know..

John



                                                                           
From: "Gray Troutman" <jgraytroutman@gmail.com>
Sent by: gptalk-bounce@freelists.org
Date: 08/22/2006 11:09 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: ADM problem
Please respond to gptalk@freelists.org
                                                                           
                                                                           




Sorry about that, I mistyped, it's NUMERIC.  I've tried running gpupdate
/force and it didn't work.  I was just wondering if there was anything
obviously wrong in my ADM that would keep the value from being presented
properly.  I'll just keep at it.

On 8/22/06, jpsalemi@xxxxxxxxxxxxxxxxxxx <jpsalemi@xxxxxxxxxxxxxxxxxxx >
wrote:
  Gary, you're not using NUMERICAL are you?  The policy says NUMERIC ?

  It should be NUMERIC

  It wouldn't apply during a policy refresh, but a reboot, policy change,
  or a gpupdate /force it should.  You can try "always run registry policy
  settings too" although that can cause some performance issues upon policy
  re-application.

  The idea being if someone has admin rights, and deletes the key, it won't
  automagically come back.

  John






  From: "Gray Troutman" <jgraytroutman@gmail.com>
  Sent by: gptalk-bounce@freelists.org
  Date: 08/22/2006 10:51 AM
  To: gptalk@xxxxxxxxxxxxx
  Subject: [gptalk] Re: ADM problem
  Please respond to gptalk@freelists.org






  So if I have

  VALUEON NUMERICAL 1
  VALUEOFF NUMERICAL 0

  Having it enabled should have put 1 into the value, but it didn't, and
  the key didn't exist before the GPO was created.

  But, more importantly, what you're telling me is that if I switch the
  policy between enabled and disabled, it's not going to update the key to
  the appropriate value?  If that's the case, I might as well just write a
  script that imports the appropriate registry value during logon.





  On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote:
    If the value does not exist (previously) it should work.  This is
    considered a "user preference" and a GPO will only apply it once.  It
    will not be "managed".



    Doug Delaney
    GM Desktop Engineering
    Global Client Engineering GM
    1075 W. Entrance Dr., MS 2B, Cube 2130
    Auburn Hills, MI 48326
    Lab: 248-365-9187
    Tel: 248-754-7917
    Pg: 248-870-0306 pager
    Mail: Doug.Delaney@xxxxxxx






          From: gptalk-bounce@xxxxxxxxxxxxx
          [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman
          Sent: Tuesday, August 22, 2006 11:18 AM
          To: gptalk@xxxxxxxxxxxxx
          Subject: [gptalk] Re: ADM problem

    The thing is that if I create the key/dword and put in the value 1 in
    manually, it works fine, write access to USB devices is disallowed.  If
    I use the ADM, though, it creates the key and dword, but doesn't put the
    correct value in, it stays 0.



    On 8/22/06, Tim Bolton < jsclmedave@xxxxxxxxx> wrote:
     We tried this numerous times, but certain USB sticks were still able
     to load and were accessible.

     Hopefully Darren has the magic bullet for this.  I have heard of shops
     actually putting epoxy in the ports...

     We use a product that took care of this.  If you want info on it
     please email me direct.

     I am very curious to see if there is a workable solution in GP...

     TB

     On 8/22/06, Gray Troutman < jgraytroutman@xxxxxxxxx> wrote:
     > Hey folks,
     > I've implemented a few custom ADMs without any difficulty.  I have
     > one, however, that doesn't seem to want to work properly.  It's one I
     > found over at thelazyadmin.com.  The ADM is supposed to disable write
     > access to USB devices.  When I manually create the key and dword,
     > everything works fine, but when I try to implement it through a GPO,
     > it creates the key and dword, but doesn't place the appropriate value
     > (1) into the registry.  Here are the contents of the ADM:
     >
     > CLASS MACHINE
     > CATEGORY "Removeable Storage Write Access"
     >  POLICY "USB Write Access"
     >   KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
     >    VALUENAME "WriteProtect"
     >    VALUEON NUMERIC 1
     >    VALUEOFF NUMERIC 0
     >  END POLICY
     > END CATEGORY;
     >
     > As an additional note, I'll mention that this is the only machine
     > specific policy I'm trying to enforce within this GPO, everything
     > else is on the user side.  I had thought that maybe I had instituted
     > a policy that was keeping the key from being generated, but
     > everything shows up except for the appropriate value.
     >
     > Thanks in advance,
     > Gray
     >


     --
     Genius may have its limitations, but stupidity is not thus
     handicapped. - Elbert Hubbard
     ***********************
     You can unsubscribe from gptalk by sending email to
     gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
     OR by logging into the freelists.org Web interface. Archives for the
     list are available at http://www.freelists.org/archives/gptalk/
     ************************



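The two points raised in the replies above (the NUMERIC keyword, and a key outside the Policies subtrees being applied as an unmanaged preference) can be checked mechanically before a template is loaded into a GPO. The following lint is an added example, not code from the thread or from thelazyadmin.com; the names `lint_adm`, `tokens` and `MANAGED_PREFIXES` are illustrative, and it only checks these two things, it does not diagnose why the value stayed 0.

```python
import re

# Subtrees (relative to HKLM/HKCU) that Group Policy treats as managed policy.
# A KEYNAME anywhere else is a preference: it is not reverted automatically.
MANAGED_PREFIXES = ("software\\policies\\",
                    "software\\microsoft\\windows\\currentversion\\policies\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokens(text):
    """Yield (line_no, token, was_quoted); a value may sit on the next line."""
    for no, line in enumerate(text.splitlines(), 1):
        for m in TOKEN.finditer(line):
            quoted = m.group(1) is not None
            yield no, (m.group(1) if quoted else m.group(2)), quoted

def lint_adm(text):
    """Return (line_no, code, detail) findings for an ADM template."""
    toks = list(tokens(text)) + [(0, "", False)] * 2   # padding for lookahead
    findings = []
    for i, (no, tok, quoted) in enumerate(toks[:-2]):
        if quoted:                      # quoted strings are never keywords
            continue
        _, nxt, nxt_quoted = toks[i + 1]
        if tok.upper() == "KEYNAME":
            key = nxt.lower().rstrip("\\") + "\\"
            if not key.startswith(MANAGED_PREFIXES):
                findings.append((no, "preference", nxt))
        elif tok.upper() in ("VALUEON", "VALUEOFF") and not nxt_quoted:
            if nxt.upper() != "NUMERIC":
                findings.append((no, "bad-type", nxt))
            elif not re.fullmatch(r"-?\d+", toks[i + 2][1]):
                findings.append((no, "bad-number", toks[i + 2][1]))
    return findings

# Template as posted in the thread.
POSTED_ADM = r'''CLASS MACHINE
CATEGORY "Removeable Storage Write Access"
 POLICY "USB Write Access"
  KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
   VALUENAME "WriteProtect"
   VALUEON NUMERIC 1
   VALUEOFF NUMERIC 0
 END POLICY
END CATEGORY;
'''
# Constructed variant using the NUMERICAL keyword mentioned in one reply.
NUMERICAL_ADM = POSTED_ADM.replace("NUMERIC ", "NUMERICAL ")

if __name__ == "__main__":
    print(lint_adm(POSTED_ADM), lint_adm(NUMERICAL_ADM), sep="\n")
```

On the posted template the only finding is the `preference` one for the StorageDevicePolicies key; the NUMERICAL variant adds a `bad-type` finding for each of the VALUEON and VALUEOFF lines.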