Just for kicks, being as it's one word and no spaces, try removing the " 's from WriteProtect Ya never know.. John "Gray Troutman" <jgraytroutman@gm ail.com> To Sent by: gptalk@xxxxxxxxxxxxx gptalk-bounce@fre cc elists.org Subject [gptalk] Re: ADM problem 08/22/2006 11:09 AM Please respond to gptalk@freelists. org sorry about that, I misstyped, it's NUMERIC. I've tried running gpupdate /force and it didn't work. I was just wondering if there was naything obviously wrong in my ADM that would keep the value from being presented properly. I'll just keep at it. On 8/22/06, jpsalemi@xxxxxxxxxxxxxxxxxxx <jpsalemi@xxxxxxxxxxxxxxxxxxx > wrote: Gary, you're not using NUMERICAL are you? The policy says NUMERIC ? It should be NUMERIC It wouldn't apply during a policy refresh, but a reboot, policy change, or a gpupdate /force it should. You can try "always run registry policy settings too" although that can cause some performance issues upon policy re-application. The idea being if someone has admin rights, and deletes the key, it won't automagically come back. John "Gray Troutman" < jgraytroutman@gm ail.com> To Sent by: gptalk@xxxxxxxxxxxxx gptalk-bounce@fre cc elists.org Subject [gptalk] Re: ADM problem 08/22/2006 10:51 AM Please respond to gptalk@freelists. org So if I have VALUEON NUMERICAL 1 VALUEOFF NUMERICAL 0 Having it enabled should have put 1 into the value, but it didn't, and the key didn't exist before the GPO was created. But, more importantly, what you're telling me is that if I switch the policy between enabled and disabled, it's not going to update the key to the appropriate value? If that's the case, I might as well just write a script that imports the appropriate registry value during logon. On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote: If the value does not exist (previously) it should work. This is considered a "user preference" and a GPO will only apply it once. It will not be "managed". Doug Delaney GM Desktop Engineering Global Client Engineering GM 1075 W. Entrance Dr., MS 2B, Cube 2130 Auburn Hills, MI 48326 Lab: 248-365-9187 Tel: 248-754-7917 Pg: 248-870-0306 pager Mail: Doug.Delaney@xxxxxxx Note: The information in this email is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited. From: gptalk-bounce@xxxxxxxxxxxxx [mailto: gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman Sent: Tuesday, August 22, 2006 11:18 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: ADM problem The thing is that if I create the key/dword and put in the value 1 in manually, it works fine, write access to USB devices is disallowed. If I use the ADM, though, it creates the key and dword, but doesn't put the correct value in, it stays 0. On 8/22/06, Tim Bolton < jsclmedave@xxxxxxxxx> wrote: We tried this numerous times, but certain USB sticks were still able to load and were accessible. hopefully Darren has the magic bullet for this. I have heard of shops actually putting epoxy in the ports... We use a product that took care of this. If you want info on it please email me direct. I am very curious to see if there is a workable solution in GP... TB On 8/22/06, Gray Troutman < jgraytroutman@xxxxxxxxx> wrote: > Hey folks, > I've implemented a few custom ADMs without any difficulty. I have one, > however, that doesn't seem to want to work properly. It's one I found it > over at thelazyadmin.com . The ADM is supposed to disable write access to > USB devices. When I manually create the key and dword, everything works > fine, but when I try to implement it through a GPO, it creates the key and > dword, but doesn't place the appropriate value (1) into the registry. Here > are the contents of the ADM: > > CLASS MACHINE > CATEGORY "Removeable Storage Write Access" > POLICY "USB Write Access" > KEYNAME > "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" > VALUENAME "WriteProtect" > VALUEON NUMERIC 1 > VALUEOFF NUMERIC 0 > END POLICY > END CATEGORY; > > As an additional note, I'll mention that this is the only machine specific > policy I'm trying to enforce within this GPO, everything else is on the user > side. I had thought that maybe I had instituted a policy that was keeping > the key from being generated, but everything show up except for the > appropriate value. > > Thanks in advance, > Gray > -- Genius may have its limitations, but stupidity is not thus handicapped. - Elbert Hubbard *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************