[gptalk] Re: Script not applicable for local admin

  • From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 26 Mar 2008 10:29:27 +0530

Hi Darren,

We had set the script at computer configuration only! Anyway, we will take a
closer look.

regards
Ananth.

On Wed, Mar 26, 2008 at 9:47 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

>  Ananth-
>
> The error you're getting is an access denied error. You can't repermission
> an HKLM reg key like that from a logon script because logon scripts run in
> the context of the user, who does not have permission to modify reg key
> permissions by default.
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* Tuesday, March 25, 2008 3:08 AM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Script not applicable for local admin
>
>
>
>
>
> Hi Ray,
>
>
> It's been a long time, but I have some doubts regarding the USB storage
> device blocking script. Hope you can help out.
>
> We could never implement the script, as there was a policy change
> and USB devices were allowed for all. Now we are planning to implement it and
> we are in the process of testing out policies. In this regard we have some
> queries.
>
> The script is as follows...
>
> Dim WshShell,Retvalue
> Set WshShell = CreateObject("Wscript.Shell")
> WshShell.RegWrite"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start",3,"REG_DWORD"
> Retvalue = WshShell.run ("%comspec% /c  %logonserver%\netlogon\xcacls %windir%\inf\usbstor.inf /D everyone /T /Y",0,False)
> Retvalue = WshShell.run ("%comspec% /c  %logonserver%\netlogon\xcacls %windir%\inf\usbstor.pnf /D everyone /T /Y",0,False)
> \\tai2dserver\SYSVOL\Tai2D.ent\scripts\subinacl.exe" /keyreg
> \system\currentcontrolset\services\usbstor /deny=system
> Set WshShell = Nothing
> Wscript.Quit
>
> You had suggested to add the following line to the script, we created a
> bat file and implemented this. Subinacl.exe was copied to
> \\Server\sysvol\scripts folder
>
> "\\Server\sysvol\scripts\subinacl.exe" /keyreg
> \system\currentcontrolset\services\usbstor /deny=system
>
>
> Two policies were created one for the usb blocking vbs file and the second
> one, the batch file to implement the subinacl setting.
>
> The two policies were set at the domain level and scope was set for all
> authenticated users.
>
> But now in the test machines at logon we are getting this error.
>
> Script : \\Server\sysvol\scripts\usb.vbs
> Line:3
> Char:1
> Invalid root in registry key
> :HKLM\System\CurrentControlSet\Services\USBSTOR\Start
> Code: 8007005
> Source:wshscript:regwrite
>
> What could be causing it? The script is exactly the same as shown above!
> Please advise!!
>
> Thanks and regards
> Ananth.
>
>
>
>
>
>
>
>
> On 3/10/07, *Ray Lewis* < razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>   Anth..
>
>
>
> I was faced with this same problem last year.. scripting to set the DWORD
> value will indeed disable the device, however, if an alternative stick is to
> be used, this doesn't apply….
>
>
>
> Using subinacl, to set the USBSTOR registry permissions to DENY for the
> SYSTEM "group" should sort out your problem. Download subinacl.exe to a
> share and add the following line to your existing script:
>
>
>
> "\\*your server*\*your shared folder*\subinacl.exe" /keyreg
> \system\currentcontrolset\services\usbstor /deny=system
>
>
>
> My scenario was a little different as I wanted standard users to be denied
> and for Administrators to be allowed – I controlled this simply via the
> login scripts.
>
>
>
> Hope this helps…
>
>
>
> Ray
>
>
>   ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Ananth Rajagopal
>
>
> *Sent:* 10 March 2007 14:08
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Script not applicable for local admin
>
>
>
> Hi all,
>
> I got 3 questions....
>
> 1. We have a script which disables removable USB drive access, but it
> doesn't work for local admin logons. How do I make it applicable for them
> too? Basically what the script does is it modifies the USBSTOR value from 3
> to 4, thus disabling it, but guys who have local admin rights just open
> Device Manager, remove the USB drives and reinstall them, thus enabling
> it!
>
> 2. How can I disable Device Manager access, even if the user has local
> admin rights?
>
> 3. We have a script which copies some 10 MB of data every time a user logs
> in. Even if the files are already in the destination folder they are copied
> again. How can I make it an incremental or differential copy? We do this via
> a batch file.
>
> a BIG thanks to all who regularly contribute to this very helpful list!!
> :-)
>
> best regards
>  anth :-)
>
>
>
>
>
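
As an added example, not part of the original thread: a VBScript sketch that records which account the script is actually running as and whether that account may set values or change permissions on the USBSTOR key, before attempting the write that fails with access denied above. It assumes the standard WMI `StdRegProv` provider is available locally; the value 4 (disabled) is taken from the first message in the thread, and the log wording is made up for illustration.

```vbscript
Option Explicit

' Registry root and access-right constants used by StdRegProv.CheckAccess
Const HKLM          = &H80000002
Const KEY_SET_VALUE = &H2        ' right to write values under the key
Const WRITE_DAC     = &H40000    ' right to change the key's permissions
Const USBSTOR_KEY   = "SYSTEM\CurrentControlSet\Services\USBSTOR"
Const START_DISABLED = 4         ' per the thread: 3 = enabled, 4 = disabled

Dim shell, net, reg, who, canSet, canAcl, rc
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")
Set reg   = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' Who is this script really running as? A logon script reports the user;
' a computer startup script reports the machine's own account.
who = net.UserDomain & "\" & net.UserName

' Ask the registry provider what the current account is allowed to do
reg.CheckAccess HKLM, USBSTOR_KEY, KEY_SET_VALUE, canSet
reg.CheckAccess HKLM, USBSTOR_KEY, WRITE_DAC, canAcl

If Not canSet Then
    ' Event type 2 = warning; written to the Application log because
    ' scripts run by Group Policy normally have no visible window
    shell.LogEvent 2, "usb-block: " & who & " may not write " & USBSTOR_KEY & _
        " (set value: " & canSet & ", change permissions: " & canAcl & ")"
    WScript.Quit 5               ' 5 = access denied
End If

' Allowed: set the Start value and check the provider's return code
rc = reg.SetDWORDValue(HKLM, USBSTOR_KEY, "Start", START_DISABLED)
If rc = 0 Then
    shell.LogEvent 4, "usb-block: Start set to " & START_DISABLED & " by " & who
Else
    shell.LogEvent 1, "usb-block: SetDWORDValue failed, code " & rc & " as " & who
End If

' Tell the operator whether a later permission change could succeed at all
If Not canAcl Then
    shell.LogEvent 2, "usb-block: " & who & " cannot change permissions on " & USBSTOR_KEY
End If
```

The Application event log entry shows at a glance whether the policy delivered the script in user or computer context, which is the point in dispute in the reply above.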
