[gptalk] Re: USB storage block problem.
- From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Thu, 19 Apr 2007 12:55:01 +0530
So I should run from Computer Configuration, instead of user configuration?
On 4/19/07, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
I suspect the problem is that you are trying to modify an HKLM reg key in
the user's security context and they don't have permissions to do that. That
is why a startup script was suggested—because that runs in the LocalSystem
security context.
Darren
*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Ananth Rajagopal
*Sent:* Wednesday, April 18, 2007 8:28 PM
*To:* gptalk@xxxxxxxxxxxxx
*Subject:* [gptalk] Re: USB storage block problem.
Hi,
yesterday I tried out the script and it was working fine, we deployed it
by evening and today morning, we got an error message in all the systems,
the error message is attached.
I had applied the script in User Configuration, as most of the users do
not shut down their systems, we wanted the script to be applied while users
logon, instead of when at system start.
Kindly advice.
best regards
Anth.
On 4/18/07, *Linux'o Mania* <linuxomania@xxxxxxxxxxx > wrote:
Okay....
First you put this vbscript in *Computer Configuration > Windows Settings
> Scripts > Startup* section.
Now when you restart the computers, it will do the following....
- Will set the USBSTOR key's startup value to 4 (original is 3).
This will not let the USB Mass Storage devices start.
- Will deny anyone's access from usb.inf, usb.pnf files. This will
deny any newer devices from getting detected....
Please test & share results...
Regds,
LP
*Ananth Rajagopal <ananth.rg@xxxxxxxxx> *wrote:
What happens with our old script is that, when users plug in a new usb
device the device gets accepted! I'll test the script you have send and will
let you know as soon as possible, how it fares.
thanks for the help!
On 4/18/07, *Ananth Rajagopal* < ananth.rg@xxxxxxxxx> wrote:
Can you explain a bit more detailed, we already have a bat file running as
logon script, where do I putt his script, run from the bat file or
separately at Computer Startup event? if so can u guide me step by step.
thanks for the reply!
regards
Anth.
On 4/18/07, *Linux'o Mania* < linuxomania@xxxxxxxxxxx> wrote:
Use this script in GPO's Computer Startup event....
_________________________________________________________________________________
Dim WshShell,Retvalue
Set WshShell = CreateObject("Wscript.Shell")
WshShell.RegWrite"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start",4,"REG_DWORD"
Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls
%windir%\inf\usbstor.inf /D everyone /T /Y",0,False)
Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls
%windir%\inf\usbstor.pnf /D everyone /T /Y",0,False)
Set WshShell = Nothing
Wscript.Quit
_________________________________________________________________________________
*Ananth Rajagopal < ananth.rg@xxxxxxxxx>* wrote:
Hi all,
We have this script running in our Windows 2003 domain.
@echo off
:: *********DISABLE USB MASS STORAGE DEVICE********
regedit /s "\\Tai3dserver\SYSVOL\tai3d .com\scripts\disable.reg"
"\ \Tai3dserver\SYSVOL\tai3d.com\scripts \subinacl.exe" /keyreg
\system\currentcontrolset\services\usbstor /deny=system
the subinacl.exe deployment was advised by Mr. Ray Lewis, basically what
the script does is, it modifies a registry value such that usb removable
storage devices are not read by the system, but new usb storage devices are
getting accessed, how do i block the modification of this registry value?
Kindly suggest methods, I'm a novice in this...
best regards
Ananth.
------------------------------
Yahoo! Mail is the world's favourite email. Don't settle for less, sign up
for your free account
today<http://uk.rd.yahoo.com/evt=44106/*http:/uk.docs.yahoo.com/mail/winter07.html>.
------------------------------
Yahoo! Mail is the world's favourite email. Don't settle for less, sign up
for your free account
today<http://uk.rd.yahoo.com/evt=44106/*http:/uk.docs.yahoo.com/mail/winter07.html>
.
- Follow-Ups:
- [gptalk] Re: USB storage block problem.
- From: Linux'o Mania
- References:
- [gptalk] Re: USB storage block problem.
- From: Ananth Rajagopal
- [gptalk] Re: USB storage block problem.
- From: Linux'o Mania
- [gptalk] Re: USB storage block problem.
- From: Ananth Rajagopal
- [gptalk] Re: USB storage block problem.
- From: Darren Mar-Elia
Other related posts:
- » [gptalk] USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
- » [gptalk] Re: USB storage block problem.
I suspect the problem is that you are trying to modify an HKLM reg key in the user's security context and they don't have permissions to do that. That is why a startup script was suggested—because that runs in the LocalSystem security context. Darren *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of *Ananth Rajagopal *Sent:* Wednesday, April 18, 2007 8:28 PM *To:* gptalk@xxxxxxxxxxxxx *Subject:* [gptalk] Re: USB storage block problem. Hi, yesterday I tried out the script and it was working fine, we deployed it by evening and today morning, we got an error message in all the systems, the error message is attached. I had applied the script in User Configuration, as most of the users do not shut down their systems, we wanted the script to be applied while users logon, instead of when at system start. Kindly advice. best regards Anth. On 4/18/07, *Linux'o Mania* <linuxomania@xxxxxxxxxxx > wrote: Okay.... First you put this vbscript in *Computer Configuration > Windows Settings > Scripts > Startup* section. Now when you restart the computers, it will do the following.... - Will set the USBSTOR key's startup value to 4 (original is 3). This will not let the USB Mass Storage devices start. - Will deny anyone's access from usb.inf, usb.pnf files. This will deny any newer devices from getting detected.... Please test & share results... Regds, LP *Ananth Rajagopal <ananth.rg@xxxxxxxxx> *wrote: What happens with our old script is that, when users plug in a new usb device the device gets accepted! I'll test the script you have send and will let you know as soon as possible, how it fares. thanks for the help! On 4/18/07, *Ananth Rajagopal* < ananth.rg@xxxxxxxxx> wrote: Can you explain a bit more detailed, we already have a bat file running as logon script, where do I putt his script, run from the bat file or separately at Computer Startup event? if so can u guide me step by step. thanks for the reply! regards Anth. On 4/18/07, *Linux'o Mania* < linuxomania@xxxxxxxxxxx> wrote: Use this script in GPO's Computer Startup event.... _________________________________________________________________________________ Dim WshShell,Retvalue Set WshShell = CreateObject("Wscript.Shell") WshShell.RegWrite"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start",4,"REG_DWORD" Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.inf /D everyone /T /Y",0,False) Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.pnf /D everyone /T /Y",0,False) Set WshShell = Nothing Wscript.Quit _________________________________________________________________________________ *Ananth Rajagopal < ananth.rg@xxxxxxxxx>* wrote: Hi all, We have this script running in our Windows 2003 domain. @echo off :: *********DISABLE USB MASS STORAGE DEVICE******** regedit /s "\\Tai3dserver\SYSVOL\tai3d .com\scripts\disable.reg" "\ \Tai3dserver\SYSVOL\tai3d.com\scripts \subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system the subinacl.exe deployment was advised by Mr. Ray Lewis, basically what the script does is, it modifies a registry value such that usb removable storage devices are not read by the system, but new usb storage devices are getting accessed, how do i block the modification of this registry value? Kindly suggest methods, I'm a novice in this... best regards Ananth. ------------------------------ Yahoo! Mail is the world's favourite email. Don't settle for less, sign up for your free account today<http://uk.rd.yahoo.com/evt=44106/*http:/uk.docs.yahoo.com/mail/winter07.html>. ------------------------------ Yahoo! Mail is the world's favourite email. Don't settle for less, sign up for your free account today<http://uk.rd.yahoo.com/evt=44106/*http:/uk.docs.yahoo.com/mail/winter07.html> .
- [gptalk] Re: USB storage block problem.
- From: Linux'o Mania
- [gptalk] Re: USB storage block problem.
- From: Ananth Rajagopal
- [gptalk] Re: USB storage block problem.
- From: Linux'o Mania
- [gptalk] Re: USB storage block problem.
- From: Ananth Rajagopal
- [gptalk] Re: USB storage block problem.
- From: Darren Mar-Elia