[gptalk] Re: Script not applicable for local admin

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sun, 11 Mar 2007 07:56:57 -0700

Actually, I think if you disable the USBStor device, then no USB storage
devices will work. That is the base driver that they all use AFAIK.


As I said, there is nothing you can do if a user is local admin, that they
can't eventually get around if they're clever. However, you can try hiding
it using Group Policy. Device Manager is an MMC snap-in, which means you can
set a GP Admin. Template setting to restrict the ability to load that
snap-in. Its under User Configuration\Admin Templates\Windows
Components\Microsoft Management Console\Restrictied-Permitted Snap-ins.




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: Sunday, March 11, 2007 5:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Script not applicable for local admin


Dear Ray,

I'll do what you suggested, hopefully i can give feedback in a couple of
days time. I didn't know it worked with other usb drives, anyway will test
that! I was of the impression that all usb drives across the network was
blocked, anyway have to check that. 

Is there anyway to block users from accessing device manager? even f the
user had local admin permissions?

thanks for writing.


On 3/10/07, Ray Lewis <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:



I was faced with this same problem last year.. scripting to set the DWORD
value will indeed disable the device, however, if an alternative stick is to
be used, this doesn't apply..


Using subinacl, to set the USBSTOR registry permissions to DENY for the
SYSTEM "group" should sort out your problem. Download subinacl.exe to a
share and add the following line to your existing script: 


"\\your server\your shared folder\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system


My scenario was a little different as I wanted standard users to be denied
and for Administrators to be allowed - I controlled this simply via the
login scripts.


Hope this helps.





From: gptalk-bounce@xxxxxxxxxxxxx [mail
<mailto:to:gptalk-bounce@xxxxxxxxxxxxx>  to:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: 10 March 2007 14:08
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Script not applicable for local admin


Hi all,

I got 3 questions....

1. we have a script which disables removable usb drive access. but it
doesn't work for local admin logon's . how do i make it applicable for them
too..basically what the script does is it modifies the USBSTOR value from 3
to 4, thus disabling it, but guys who have local admin rights just opens
device manager, removes the usb drives and reinstalls them! thus enabling

2. how can i disable device manager access, even if the user has local admin

3. we have a scripts which copies some 10mb of data every time users logs
in, even if the files are already in the destination folder it is again
copied, how can i make it a incremental or diferential copy? we do this via
a batch file. 

a BIG thanks to all who regularly contribute to this very helpful list!! :-)

best regards
 anth :-)


Other related posts: