[gptalk] Re: Script not applicable for local admin
- From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Thu, 12 Apr 2007 10:22:02 +0530
Hi Ray,
We have set the scripts as you have suggested. How do we check if its
working? We did try by randomly plugging in to some systems and usb devices
are disabled, but is there any other way to find out?
Also can you please share the scripts to allow administrators to use usb
devices?
warm regards
Anth.
On 3/10/07, Ray Lewis <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Anth..
I was faced with this same problem last year.. scripting to set the DWORD
value will indeed disable the device, however, if an alternative stick is to
be used, this doesn't apply….
Using subinacl, to set the USBSTOR registry permissions to DENY for the
SYSTEM "group" should sort out your problem. Download subinacl.exe to a
share and add the following line to your existing script:
"\\*your server*\*your shared folder*\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system
My scenario was a little different as I wanted standard users to be denied
and for Administrators to be allowed – I controlled this simply via the
login scripts.
Hope this helps…
Ray
------------------------------
*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Ananth Rajagopal
*Sent:* 10 March 2007 14:08
*To:* gptalk@xxxxxxxxxxxxx
*Subject:* [gptalk] Script not applicable for local admin
Hi all,
I got 3 questions....
1. we have a script which disables removable usb drive access. but it
doesn't work for local admin logon's . how do i make it applicable for them
too..basically what the script does is it modifies the USBSTOR value from 3
to 4, thus disabling it, but guys who have local admin rights just opens
device manager, removes the usb drives and reinstalls them! thus enabling
it!
2. how can i disable device manager access, even if the user has local
admin rights?
3. we have a scripts which copies some 10mb of data every time users logs
in, even if the files are already in the destination folder it is again
copied, how can i make it a incremental or diferential copy? we do this via
a batch file.
a BIG thanks to all who regularly contribute to this very helpful list!!
:-)
best regards
anth :-)
Other related posts:
- » [gptalk] Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
- » [gptalk] Re: Script not applicable for local admin
Anth.. I was faced with this same problem last year.. scripting to set the DWORD value will indeed disable the device, however, if an alternative stick is to be used, this doesn't apply…. Using subinacl, to set the USBSTOR registry permissions to DENY for the SYSTEM "group" should sort out your problem. Download subinacl.exe to a share and add the following line to your existing script: "\\*your server*\*your shared folder*\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system My scenario was a little different as I wanted standard users to be denied and for Administrators to be allowed – I controlled this simply via the login scripts. Hope this helps… Ray ------------------------------ *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of *Ananth Rajagopal *Sent:* 10 March 2007 14:08 *To:* gptalk@xxxxxxxxxxxxx *Subject:* [gptalk] Script not applicable for local admin Hi all, I got 3 questions.... 1. we have a script which disables removable usb drive access. but it doesn't work for local admin logon's . how do i make it applicable for them too..basically what the script does is it modifies the USBSTOR value from 3 to 4, thus disabling it, but guys who have local admin rights just opens device manager, removes the usb drives and reinstalls them! thus enabling it! 2. how can i disable device manager access, even if the user has local admin rights? 3. we have a scripts which copies some 10mb of data every time users logs in, even if the files are already in the destination folder it is again copied, how can i make it a incremental or diferential copy? we do this via a batch file. a BIG thanks to all who regularly contribute to this very helpful list!! :-) best regards anth :-)