Hi Darren,

We had set the script at computer configuration only! Anyway, we will take a closer look.

regards
Ananth.

On Wed, Mar 26, 2008 at 9:47 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

> Ananth-
>
> The error you're getting is an access denied error. You can't repermission
> an HKLM reg key like that from a logon script because logon scripts run in
> the context of the user, who does not have permission to modify reg key
> permissions by default.
>
> Darren
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of *Ananth Rajagopal
> *Sent:* Tuesday, March 25, 2008 3:08 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Script not applicable for local admin
>
> Hi Ray,
>
> It's been a long time, but I have some doubts regarding the USB storage
> device blocking script. Hope you can help out.
>
> We could never implement the script, as there was a policy change
> and USB devices were allowed for all. Now we are planning to implement it and
> we are in the process of testing out policies. In this regard we have some
> queries.
>
> The script is as follows...
>
> Dim WshShell,Retvalue
> Set WshShell = CreateObject("Wscript.Shell")
> WshShell.RegWrite"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start",3,"REG_DWORD"
> Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.inf /D everyone /T /Y",0,False)
> Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.pnf /D everyone /T /Y",0,False)
> \\tai2dserver\SYSVOL\Tai2D.ent\scripts\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system
> Set WshShell = Nothing
> Wscript.Quit
>
> You had suggested adding the following line to the script; we created a
> bat file and implemented this. Subinacl.exe was copied to the
> \\Server\sysvol\scripts folder.
>
> "\\Server\sysvol\scripts\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system
>
> Two policies were created: one for the USB blocking vbs file and the second
> one for the batch file to implement the subinacl setting.
>
> The two policies were set at the domain level and the scope was set for all
> authenticated users.
>
> But now on the test machines at logon we are getting this error.
>
> Script : \\Server\sysvol\scripts\usb.vbs
> Line:3
> Char:1
> Invalid root in registry key
> :HKLM\System\CurrentControlSet\Services\USBSTOR\Start
> Code: 8007005
> Source:wshscript:regwrite
>
> What could be causing it? The script is exactly the same as shown above!
> Please advise!!
>
> Thanks and regards
> Ananth.
>
> On 3/10/07, *Ray Lewis* <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Anth..
>
> I was faced with this same problem last year.. scripting to set the DWORD
> value will indeed disable the device, however, if an alternative stick is to
> be used, this doesn't apply….
>
> Using subinacl, to set the USBSTOR registry permissions to DENY for the
> SYSTEM "group" should sort out your problem. Download subinacl.exe to a
> share and add the following line to your existing script:
>
> "\\*your server*\*your shared folder*\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system
>
> My scenario was a little different as I wanted standard users to be denied
> and for Administrators to be allowed – I controlled this simply via the
> login scripts.
>
> Hope this helps…
>
> Ray
>
> ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of *Ananth Rajagopal
> *Sent:* 10 March 2007 14:08
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Script not applicable for local admin
>
> Hi all,
>
> I got 3 questions....
>
> 1. We have a script which disables removable USB drive access, but it
> doesn't work for local admin logons. How do I make it applicable for them
> too? Basically what the script does is it modifies the USBSTOR value from 3
> to 4, thus disabling it, but guys who have local admin rights just open
> Device Manager, remove the USB drives and reinstall them, thus enabling
> it!
>
> 2. How can I disable Device Manager access, even if the user has local
> admin rights?
>
> 3. We have a script which copies some 10 MB of data every time users log
> in; even if the files are already in the destination folder they are copied
> again. How can I make it an incremental or differential copy? We do this via
> a batch file.
>
> A BIG thanks to all who regularly contribute to this very helpful list!!
> :-)
>
> best regards
> anth :-)
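
The script-context point made in the thread, as an added example that is not part of the original messages: a VBScript sketch that attempts the USBSTOR `Start` write, traps the failure instead of showing the error dialog, and logs which account it ran as, so an access-denied result (0x80070005) is distinguishable from other errors. The value 4 follows the original question's description of "disabled"; the constant names and event-log wording are assumptions.

```vbscript
Option Explicit

' Added example, not code from the thread.
Const USBSTOR_START  = "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start"
Const START_DISABLED = 4             ' value the original question describes as disabled
Const E_ACCESSDENIED = &H80070005    ' HRESULT for "access denied"
Const EVT_ERROR   = 1                ' WshShell.LogEvent types
Const EVT_WARNING = 2
Const EVT_INFO    = 4

Dim shell, net, account, before, rc
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")
account = net.UserDomain & "\" & net.UserName   ' the security context of this run

On Error Resume Next

' Record the current value so the log shows what changed.
before = shell.RegRead(USBSTOR_START)
If Err.Number <> 0 Then
    before = "(unreadable: 0x" & Hex(Err.Number) & ")"
    Err.Clear
End If

shell.RegWrite USBSTOR_START, START_DISABLED, "REG_DWORD"
rc = Err.Number
Err.Clear
On Error GoTo 0

If rc = 0 Then
    shell.LogEvent EVT_INFO, "USBSTOR Start set to " & START_DISABLED & _
        " (was " & before & ") by " & account
ElseIf rc = E_ACCESSDENIED Then
    ' User logon scripts run with the user's token; computer startup scripts
    ' run as Local System. A deny ACE for SYSTEM on this key gives the same
    ' result even from a startup script.
    shell.LogEvent EVT_WARNING, "USBSTOR Start not changed: access denied for " & _
        account & " (value is " & before & ")"
Else
    shell.LogEvent EVT_ERROR, "USBSTOR Start not changed: error 0x" & Hex(rc) & _
        " for " & account
End If

WScript.Quit rc
```

The entries land in the Application event log under the WSH source, which shows whether the policy ran the script as a user or as the computer account.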