[gptalk] Re: Script not applicable for local admin

  • From: <razor@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx, 'Ananth Rajagopal' <ananth.rg@xxxxxxxxx>
  • Date: Wed, 26 Mar 2008 10:52:17 +0000

Any reason why you can't use a start-up script instead?

Ray


On Wed Mar 26 5:54, "Ananth Rajagopal" sent:

>Thanks Darren... We couldn't figure it out!
>
>What we did is: we have a VBS script to change the USBSTOR value to 4, and
>this .bat file to set a deny permission for SYSTEM. Whenever a new stick is
>used, the value changes and the user can use the stick!
>
>Now how can we set it to work the way we want?
>
>Kindly advise.
>
>regards
>Ananth.
>
>
>
>On Wed, Mar 26, 2008 at 10:35 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
>
>I see what the problem is. Start is a reg. value, not a key. You
>can't permission values. You can only permission keys!
>
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
>Sent: Tuesday, March 25, 2008 9:59 PM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Script not applicable for local admin
>
>Hi Darren,
>
>We had set the script at Computer Configuration only! Anyway, we will take a
>closer look.
>
>regards
>
>Ananth.
>
>On Wed, Mar 26, 2008 at 9:47 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
>
>Ananth-
>
>The error you're getting is an
>access denied error. You can't repermission an HKLM reg key like that from a
>logon script because logon scripts run in the context of the user, who does not
>have permission to modify reg key permissions by default.
>
>Darren
>
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
>Sent: Tuesday, March 25, 2008 3:08 AM
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Re: Script not applicable for local admin
>
>Hi Ray,
>
>It's been a long time, but I have some doubts regarding the USB storage device
>blocking script. Hope you can help out.
>
>We could never implement the script, as there was a policy change and USB
>devices were allowed for all. Now we are planning to implement it and we are in
>the process of testing out policies. In this regard we have some queries.
>
>The script is as follows...
>
>Dim WshShell, Retvalue
>Set WshShell = CreateObject("Wscript.Shell")
>WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start", 3, "REG_DWORD"
>' Start = 3 is SERVICE_DEMAND_START (driver loads, stick usable); 4 is SERVICE_DISABLED.
>' Writing under HKLM requires administrative rights.
>
>' Deny Everyone access to the driver's INF/PNF so a stick that has never been on
>' this machine cannot be installed (the Microsoft KB 823732 approach).
>' Window style 0 = hidden; False = do not wait for xcacls to finish.
>Retvalue = WshShell.Run("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.inf /D everyone /T /Y", 0, False)
>Retvalue = WshShell.Run("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.pnf /D everyone /T /Y", 0, False)
>
>' Deny SYSTEM on the USBSTOR key so Plug and Play cannot reset Start when a new
>' device is installed. Quotes inside a VBScript string are doubled; True = wait for exit.
>Retvalue = WshShell.Run("""\\tai2dserver\SYSVOL\Tai2D.ent\scripts\subinacl.exe"" /keyreg \system\currentcontrolset\services\usbstor /deny=system", 0, True)
>
>Set WshShell = Nothing
>Wscript.Quit
>
>You had suggested adding the following line to the script; we created a bat
>file and implemented this. Subinacl.exe was copied to the \\Server\sysvol\scripts
>folder:
>
>"\\Server\sysvol\scripts\subinacl.exe" /keyreg
>\system\currentcontrolset\services\usbstor /deny=system
>
>Two policies were created: one for the USB blocking VBS file and the second one
>for the batch file to implement the subinacl setting.
>
>The two policies were set at the domain level and the scope was set to all
>authenticated users.
>
>But now on the test machines at logon we are getting this error.
>
>Script: \\Server\sysvol\scripts\usb.vbs
>Line: 3
>Char: 1
>Invalid root in registry key: HKLM\System\CurrentControlSet\Services\USBSTOR\Start
>Code: 8007005
>Source: wshscript:regwrite
>
>What could be causing it? The script is exactly the same as shown above! Please
>advise!!
>
>Thanks and regards
>
>Ananth.
>
>On 3/10/07, Ray Lewis <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>Anth..
>
>I was faced with this same problem last year. Scripting to set the DWORD value
>will indeed disable the device; however, if an alternative stick is to be used,
>this doesn't apply.
>
>Using subinacl to set the USBSTOR registry permissions to DENY for the SYSTEM
>"group" should sort out your problem. Download subinacl.exe to a share and add
>the following line to your existing script:
>
>"\\your server\your shared folder\subinacl.exe" /keyreg
>\system\currentcontrolset\services\usbstor /deny=system
>
>My scenario was a little different as I wanted standard users to be denied and
>for Administrators to be allowed – I controlled this simply via the login
>scripts.
>
>Hope this helps...
>
>Ray
>
>From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
>Sent: 10 March 2007 14:08
>To: gptalk@xxxxxxxxxxxxx
>Subject: [gptalk] Script not applicable for local admin
>
>Hi all,
>
>I got 3 questions....
>
>1. We have a script which disables removable USB drive access, but it doesn't
>work for local admin logons. How do I make it applicable for them too? Basically,
>what the script does is modify the USBSTOR value from 3 to 4, thus disabling it,
>but guys who have local admin rights just open Device Manager, remove the USB
>drives and reinstall them, thus enabling it!
>
>2. How can I disable Device Manager access, even if the user has local admin
>rights?
>
>3. We have a script which copies some 10 MB of data every time a user logs in;
>even if the files are already in the destination folder, they are copied again.
>How can I make it an incremental or differential copy? We do this via a batch
>file.
>
>a BIG thanks to all who regularly contribute to this very helpful list!! :-)
>
>best regards
>
> anth :-)

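The direction the thread ends on (Ray's start-up script, and Darren's point that permissions attach to keys, not to the Start value), as an added example that is not part of the original thread or of Ananth's VBScript: a PowerShell script meant to be assigned under Computer Configuration > Windows Settings > Scripts (Startup), so it runs as LocalSystem and the HKLM write and the ACL change succeed where the per-user logon script got access denied. The key path is the one from the thread; the function names and the log file path are mine; S-1-5-18 is the well-known SID for LocalSystem. One deliberate departure from subinacl /deny=system, which denies SYSTEM all access to the key: the deny here covers only SetValue (my choice, not from the thread), so the key stays readable, the same script, still running as SYSTEM and still holding WRITE_DAC, can lift its own deny on the next boot before rewriting Start, and the change can be reversed on machines where USB storage should stay allowed.

```powershell
# Added example (not from the thread): computer Startup script, runs as LocalSystem.
# Applies the USBSTOR block discussed above: Start = 4 plus a deny ACE on the key.

$UsbstorKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$LocalSystemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')

function New-SystemSetValueDenyRule {
    # Deny ACE for SYSTEM on this key only (no inheritance). Permissions live on
    # keys, never on values, so the ACE goes on USBSTOR, not on "Start". Only
    # SetValue is denied: ReadKey and WRITE_DAC remain, so the key can still be
    # read and this script can still change the ACL later.
    $ruleArgs = @(
        $LocalSystemSid,
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
}

function Set-SystemSetValueDeny {
    # Add or remove the deny ACE. AddAccessRule merges an identical existing ACE,
    # so running this at every boot does not accumulate duplicates.
    param([bool]$Present)
    $rule = New-SystemSetValueDenyRule
    $acl  = Get-Acl -Path $UsbstorKey
    if ($Present) { $acl.AddAccessRule($rule) } else { $acl.RemoveAccessRuleSpecific($rule) }
    Set-Acl -Path $UsbstorKey -AclObject $acl
}

function Disable-UsbStorage {
    # Order matters. Once the deny is in place even SYSTEM cannot write Start,
    # so lift our own deny first, write Start = 4 (SERVICE_DISABLED), then put
    # the deny back so that installing a new stick cannot flip Start to 3 again.
    Set-SystemSetValueDeny -Present $false
    Set-ItemProperty -Path $UsbstorKey -Name Start -Value 4 -Type DWord
    Set-SystemSetValueDeny -Present $true
}

function Enable-UsbStorage {
    # Reverse, for machines that should allow USB storage: drop the deny, then
    # restore Start = 3 (SERVICE_DEMAND_START, the driver's default).
    Set-SystemSetValueDeny -Present $false
    Set-ItemProperty -Path $UsbstorKey -Name Start -Value 3 -Type DWord
}

function Test-UsbStorageBlocked {
    # What to check on a test machine after reboot: the Start value and whether
    # the SYSTEM deny ACE is really present on the key.
    $start = (Get-ItemProperty -Path $UsbstorKey -Name Start).Start
    $denyPresent = $false
    foreach ($ace in (Get-Acl -Path $UsbstorKey).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $hasSetValue = ([int]$ace.RegistryRights -band [int][System.Security.AccessControl.RegistryRights]::SetValue) -ne 0
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq 'S-1-5-18' -and $hasSetValue) {
            $denyPresent = $true
        }
    }
    New-Object PSObject -Property @{
        Start                = $start
        SystemSetValueDenied = $denyPresent
        Blocked              = ($start -eq 4 -and $denyPresent)
    }
}

# Startup-script entry point: block, then leave the result in a log file (path is
# my choice) so the GPO can be verified without logging on to each test machine.
Disable-UsbStorage
Test-UsbStorageBlocked | Format-List | Out-File -FilePath "$env:SystemRoot\Temp\usbstor-block.log"
```

Test it on a machine in the test OU: reboot, read the log or run Test-UsbStorageBlocked, then plug in a stick that has never been on that machine. Two caveats. First, this stops Plug and Play, which runs as SYSTEM, from resetting Start when a new stick is installed; it is not a boundary against a local administrator, who keeps the right to change the key's permissions and, as Ananth's first question describes, can remove and reinstall the device from Device Manager. The startup script re-applies the setting at each boot, but between boots an admin can undo it. Second, on Windows Vista and later the Computer Configuration > Administrative Templates > System > Removable Storage Access policies block removable drives without any registry ACL changes; the ACL approach is for machines that do not have that policy.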

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************
