[gptalk] Re: Script not applicable for local admin

  • From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 26 Mar 2008 11:24:20 +0530

Thanks Darren... We couldn't figure it out!

What we did is: we have a vbs script to change the usbstor value to 4, and
this bat file to set deny permission to SYSTEM. Whenever a new stick is
used, the value changes and the user can use the stick!

Now how can we set it to work the way we want?

Kindly advise.

regards
Ananth.



On Wed, Mar 26, 2008 at 10:35 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

> I see what the problem is. Start is a reg. value, not a key. You can't
> permission values. You can only permission keys!
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* Tuesday, March 25, 2008 9:59 PM
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Script not applicable for local admin
>
> Hi Darren,
>
> We had set the script at computer configuration only! Anyway, we will take
> a closer look.
>
> regards
> Ananth.
>
> On Wed, Mar 26, 2008 at 9:47 AM, Darren Mar-Elia <darren@xxxxxxxxxx>
> wrote:
>
> Ananth-
>
> The error you're getting is an access denied error. You can't repermission
> an HKLM reg key like that from a logon script because logon scripts run in
> the context of the user, who does not have permission to modify reg key
> permissions by default.
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* Tuesday, March 25, 2008 3:08 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Script not applicable for local admin
>
> Hi Ray,
>
>
> It's been a long time, but I have some doubts regarding the USB storage
> device blocking script. Hope you can help out.
>
> We have never implemented the script yet, as there was a policy change
> and USB devices were allowed for all. Now we are planning to implement it and
> we are in the process of testing out policies. In this regard we have some
> queries.
>
> The script is as follows...
>
> Dim WshShell, Retvalue
> Set WshShell = CreateObject("Wscript.Shell")
> WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start", 3, "REG_DWORD"  ' 3 = SERVICE_DEMAND_START (4 = SERVICE_DISABLED)
> ' Deny Everyone on the USBSTOR driver information files; xcacls is run from the NETLOGON share
> Retvalue = WshShell.Run("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.inf /D everyone /T /Y", 0, False)
> Retvalue = WshShell.Run("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.pnf /D everyone /T /Y", 0, False)
> ' The subinacl command line must be passed to Run; a bare command line is not valid VBScript
> Retvalue = WshShell.Run("""\\tai2dserver\SYSVOL\Tai2D.ent\scripts\subinacl.exe"" /keyreg \system\currentcontrolset\services\usbstor /deny=system", 0, False)
> Set WshShell = Nothing
> Wscript.Quit
>
> You had suggested adding the following line to the script; we created a
> bat file and implemented this. Subinacl.exe was copied to the
> \\Server\sysvol\scripts folder
>
> "\\Server\sysvol\scripts\subinacl.exe" /keyreg
> \system\currentcontrolset\services\usbstor /deny=system
>
>
> Two policies were created: one for the usb blocking vbs file and the second
> one, the batch file to implement the subinacl setting.
>
> The two policies were set at the domain level and scope was set for all
> authenticated users.
>
> But now on the test machines at logon we are getting this error.
>
> Script : \\Server\sysvol\scripts\usb.vbs
> Line:3
> Char:1
> Invalid root in registry key
> :HKLM\System\CurrentControlSet\Services\USBSTOR\Start
> Code: 8007005
> Source:wshscript:regwrite
>
> What could be causing it? The script is exactly the same as shown above!
> Please advise!!
>
> Thanks and regards
> Ananth.
>
> On 3/10/07, *Ray Lewis* <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Anth..
>
> I was faced with this same problem last year. Scripting to set the DWORD
> value will indeed disable the device; however, if an alternative stick is to
> be used, this doesn't apply…
>
> Using subinacl, to set the USBSTOR registry permissions to DENY for the
> SYSTEM "group" should sort out your problem. Download subinacl.exe to a
> share and add the following line to your existing script:
>
> "\\*your server*\*your shared folder*\subinacl.exe" /keyreg
> \system\currentcontrolset\services\usbstor /deny=system
>
> My scenario was a little different as I wanted standard users to be denied
> and for Administrators to be allowed – I controlled this simply via the
> login scripts.
>
> Hope this helps…
>
> Ray
>
>   ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Ananth Rajagopal
> *Sent:* 10 March 2007 14:08
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Script not applicable for local admin
>
> Hi all,
>
> I got 3 questions....
>
> 1. We have a script which disables removable usb drive access, but it
> doesn't work for local admin logons. How do I make it applicable for them
> too? Basically what the script does is modify the USBSTOR value from 3
> to 4, thus disabling it, but guys who have local admin rights just open
> device manager, remove the usb drives and reinstall them, thus enabling
> it!
>
> 2. How can I disable device manager access, even if the user has local
> admin rights?
>
> 3. We have a script which copies some 10mb of data every time users log
> in; even if the files are already in the destination folder they are copied
> again. How can I make it an incremental or differential copy? We do this via
> a batch file.
>
> A BIG thanks to all who regularly contribute to this very helpful list!! :-)
>
> best regards
> anth :-)

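Two points from the thread decide whether this kind of script can work at all: Darren's note that only registry keys carry permissions (the Start value cannot be ACLed, so a deny goes on the USBSTOR key, which is what Ray's subinacl /keyreg line does), and his point that a user logon script runs as the user and is denied when it tries to change HKLM permissions. The following script is an added example, not code from the thread or from any of its posters; it does in PowerShell what the usb.vbs plus subinacl batch pair was meant to do, written to run as a GPO computer startup script (which runs as LocalSystem) rather than a user logon script. It assumes PowerShell 2.0 or later on a domain-joined client and uses the key path named in the thread; the function name Set-UsbStorBlock and its Block/Unblock modes are this example's own.

```powershell
# Added example, not the thread's own code. Mirrors usb.vbs + subinacl /keyreg
# ... /deny=system as one PowerShell script for a GPO computer *startup* script.
# Assumed: PowerShell 2.0+; key path as named in the thread.

function Set-UsbStorBlock {
    param(
        [ValidateSet('Block', 'Unblock')]
        [string]$Mode = 'Block'
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')  # NT AUTHORITY\SYSTEM

    # Changing a DACL under HKLM needs admin or SYSTEM rights. A user logon
    # script has neither, which is the "access denied" the thread ran into.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Running as $($identity.Name); run this as SYSTEM (startup script) or as an administrator."
    }

    # Permissions live on the key, never on the Start value, so the deny ACE goes
    # on the USBSTOR key itself; ContainerInherit makes subkeys inherit it.
    $denyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $systemSid,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    if ($Mode -eq 'Block') {
        # Order matters: write Start before denying SYSTEM, otherwise a script
        # running as SYSTEM locks itself out of the key it still has to change.
        Set-ItemProperty -Path $keyPath -Name Start -Value 4 -Type DWord   # 4 = SERVICE_DISABLED
        $acl = Get-Acl -Path $keyPath
        $acl.AddAccessRule($denyRule)
        Set-Acl -Path $keyPath -AclObject $acl
    }
    else {
        # Reverse order on the way back: lift the deny, then re-enable the driver.
        $acl = Get-Acl -Path $keyPath
        [void]$acl.RemoveAccessRule($denyRule)
        Set-Acl -Path $keyPath -AclObject $acl
        Set-ItemProperty -Path $keyPath -Name Start -Value 3 -Type DWord   # 3 = SERVICE_DEMAND_START
    }

    # Read back for the startup-script log. When run as SYSTEM in Block mode this
    # read is itself denied, which is the expected sign that the deny ACE took.
    try {
        $start = (Get-ItemProperty -Path $keyPath -Name Start -ErrorAction Stop).Start
        $deny  = (Get-Acl -Path $keyPath -ErrorAction Stop).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' }
        "USBSTOR Start = $start; SYSTEM deny ACE present = $([bool]$deny)"
    }
    catch {
        "USBSTOR key is no longer readable by $($identity.Name) ($($_.Exception.Message)); SYSTEM deny ACE is in effect."
    }
}

Set-UsbStorBlock -Mode Block
```

Assign it under Computer Configuration, Windows Settings, Scripts (Startup), not under User Configuration, so it runs as LocalSystem at boot. Note what the deny does and does not cover: with SYSTEM denied, the Plug and Play service cannot install a newly inserted stick, which is the behaviour Ray described; members of the local Administrators group keep their own Full Control on the key and can still remove the ACE, so this does not by itself answer the original question about local admins.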