So I should run from Computer Configuration, instead of user configuration? On 4/19/07, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
I suspect the problem is that you are trying to modify an HKLM reg key in the user's security context and they don't have permissions to do that. That is why a startup script was suggested—because that runs in the LocalSystem security context. Darren *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of *Ananth Rajagopal *Sent:* Wednesday, April 18, 2007 8:28 PM *To:* gptalk@xxxxxxxxxxxxx *Subject:* [gptalk] Re: USB storage block problem. Hi, yesterday I tried out the script and it was working fine, we deployed it by evening and today morning, we got an error message in all the systems, the error message is attached. I had applied the script in User Configuration, as most of the users do not shut down their systems, we wanted the script to be applied while users logon, instead of when at system start. Kindly advice. best regards Anth. On 4/18/07, *Linux'o Mania* <linuxomania@xxxxxxxxxxx > wrote: Okay.... First you put this vbscript in *Computer Configuration > Windows Settings > Scripts > Startup* section. Now when you restart the computers, it will do the following.... - Will set the USBSTOR key's startup value to 4 (original is 3). This will not let the USB Mass Storage devices start. - Will deny anyone's access from usb.inf, usb.pnf files. This will deny any newer devices from getting detected.... Please test & share results... Regds, LP *Ananth Rajagopal <ananth.rg@xxxxxxxxx> *wrote: What happens with our old script is that, when users plug in a new usb device the device gets accepted! I'll test the script you have send and will let you know as soon as possible, how it fares. thanks for the help! On 4/18/07, *Ananth Rajagopal* < ananth.rg@xxxxxxxxx> wrote: Can you explain a bit more detailed, we already have a bat file running as logon script, where do I putt his script, run from the bat file or separately at Computer Startup event? if so can u guide me step by step. thanks for the reply! regards Anth. On 4/18/07, *Linux'o Mania* < linuxomania@xxxxxxxxxxx> wrote: Use this script in GPO's Computer Startup event.... _________________________________________________________________________________ Dim WshShell,Retvalue Set WshShell = CreateObject("Wscript.Shell") WshShell.RegWrite"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start",4,"REG_DWORD" Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.inf /D everyone /T /Y",0,False) Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.pnf /D everyone /T /Y",0,False) Set WshShell = Nothing Wscript.Quit _________________________________________________________________________________ *Ananth Rajagopal < ananth.rg@xxxxxxxxx>* wrote: Hi all, We have this script running in our Windows 2003 domain. @echo off :: *********DISABLE USB MASS STORAGE DEVICE******** regedit /s "\\Tai3dserver\SYSVOL\tai3d .com\scripts\disable.reg" "\ \Tai3dserver\SYSVOL\tai3d.com\scripts \subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system the subinacl.exe deployment was advised by Mr. Ray Lewis, basically what the script does is, it modifies a registry value such that usb removable storage devices are not read by the system, but new usb storage devices are getting accessed, how do i block the modification of this registry value? Kindly suggest methods, I'm a novice in this... best regards Ananth. ------------------------------ Yahoo! Mail is the world's favourite email. Don't settle for less, sign up for your free account today<http://uk.rd.yahoo.com/evt=44106/*http:/uk.docs.yahoo.com/mail/winter07.html>. ------------------------------ Yahoo! Mail is the world's favourite email. Don't settle for less, sign up for your free account today<http://uk.rd.yahoo.com/evt=44106/*http:/uk.docs.yahoo.com/mail/winter07.html> .