Anth..
I was faced with this same problem last year.. scripting to set the DWORD
value will indeed disable the device, however, if an alternative stick is to
be used, this doesn't apply….
Using subinacl, to set the USBSTOR registry permissions to DENY for the
SYSTEM "group" should sort out your problem. Download subinacl.exe to a
share and add the following line to your existing script:
"\\*your server*\*your shared folder*\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system
My scenario was a little different as I wanted standard users to be denied
and for Administrators to be allowed – I controlled this simply via the
login scripts.
Hope this helps…
Ray
------------------------------
*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Ananth Rajagopal
*Sent:* 10 March 2007 14:08
*To:* gptalk@xxxxxxxxxxxxx
*Subject:* [gptalk] Script not applicable for local admin
Hi all,
I got 3 questions....
1. we have a script which disables removable usb drive access. but it
doesn't work for local admin logon's . how do i make it applicable for them
too..basically what the script does is it modifies the USBSTOR value from 3
to 4, thus disabling it, but guys who have local admin rights just opens
device manager, removes the usb drives and reinstalls them! thus enabling
it!
2. how can i disable device manager access, even if the user has local
admin rights?
3. we have a scripts which copies some 10mb of data every time users logs
in, even if the files are already in the destination folder it is again
copied, how can i make it a incremental or diferential copy? we do this via
a batch file.
a BIG thanks to all who regularly contribute to this very helpful list!!
:-)
best regards
anth :-)
