[gptalk] Re: Script not applicable for local admin

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 25 Mar 2008 21:17:13 -0700

Ananth-

The error you're getting is an access denied error. You can't repermission
an HKLM reg key like that from a logon script because logon scripts run in
the context of the user, who does not have permission to modify reg key
permissions by default.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: Tuesday, March 25, 2008 3:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Script not applicable for local admin

 

 

Hi Ray,


Its been a long time, but I have some doubts regarding the USB storage
device blocking script. Hope you can help out.

We could never implemented the script yet, as there was a policy change and
USB devices were allowed for all. Now we are planning to implement and we
are in the process testing out policies. And in this regard we have some
queries.

The script is as follows...

Dim WshShell,Retvalue
Set WshShell = CreateObject("Wscript.Shell")
WshShell.RegWrite
"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start",3,"REG_DWORD"
Retvalue = WshShell.run ("%comspec% /c  %logonserver%\netlogon\xcacls
%windir%\inf\usbstor.inf /D everyone /T /Y",0,False)
Retvalue = WshShell.run ("%comspec% /c  %logonserver%\netlogon\xcacls
%windir%\inf\usbstor.pnf /D everyone /T /Y",0,False)
\\tai2dserver\SYSVOL\Tai2D.ent\scripts\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system
Set WshShell = Nothing
Wscript.Quit

You had suggested to add the following line to the script, we created a bat
file and implemented this. Subinacl.exe was copied to
\\Server\sysvol\scripts folder

"\\Server\sysvol\scripts\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system


Two policies were created one for the usb blocking vbs file and the second
one, the batch file to implement the subinacl setting.

The two policies were set at the domain level and scope was set for all
authenticated users.

But now in the test machines at logon we are getting this error.

Script : \\Server\sysvol\scripts\usb.vbs
Line:3
Char:1
Invalid root in registry key
:HKLM\System\CurrentControlSet\Services\USBSTOR\Start
Code: 8007005
Source:wshscript:regwrite

What could be causing it? the script is exactly same as shown above! Please
advice!!

Thanks and regards
Ananth.




 

 

On 3/10/07, Ray Lewis < <mailto:razor@xxxxxxxxxxxxxxxxxxxxxxxx>
razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Anth..

 

I was faced with this same problem last year.. scripting to set the DWORD
value will indeed disable the device, however, if an alternative stick is to
be used, this doesn't apply..

 

Using subinacl, to set the USBSTOR registry permissions to DENY for the
SYSTEM "group" should sort out your problem. Download subinacl.exe to a
share and add the following line to your existing script: 

 

"\\your server\your shared folder\subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system

 

My scenario was a little different as I wanted standard users to be denied
and for Administrators to be allowed - I controlled this simply via the
login scripts.

 

Hope this helps.

 

Ray

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mail
<mailto:to:gptalk-bounce@xxxxxxxxxxxxx>  to:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal


Sent: 10 March 2007 14:08
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Script not applicable for local admin

 

Hi all,

I got 3 questions....

1. we have a script which disables removable usb drive access. but it
doesn't work for local admin logon's . how do i make it applicable for them
too..basically what the script does is it modifies the USBSTOR value from 3
to 4, thus disabling it, but guys who have local admin rights just opens
device manager, removes the usb drives and reinstalls them! thus enabling
it! 

2. how can i disable device manager access, even if the user has local admin
rights?

3. we have a scripts which copies some 10mb of data every time users logs
in, even if the files are already in the destination folder it is again
copied, how can i make it a incremental or diferential copy? we do this via
a batch file. 

a BIG thanks to all who regularly contribute to this very helpful list!! :-)

best regards
 anth :-)

 

 

Other related posts: