Any reason why you can't use a start-up script instead?

Ray

On Wed Mar 26 5:54, "Ananth Rajagopal" sent:

> Thanks Darren... We couldn't figure it out!
>
> What we did is, we have a vbs script to change the usbstor value to 4, and
> this bat file to set deny permission to SYSTEM. Whenever a new stick is used,
> the value changes and user can use the stick!
>
> Now how can we set it to work the way we want..
>
> Kindly advise.
>
> regards
> Ananth.
>
> On Wed, Mar 26, 2008 at 10:35 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
>
> I see what the problem is. Start is a reg. value, not a key. You
> can't permission values. You can only permission keys!
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
> Sent: Tuesday, March 25, 2008 9:59 PM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Script not applicable for local admin
>
> Hi Darren,
>
> We had set the script at computer configuration only! Anyway we will take a
> closer look.
>
> regards
> Ananth.
>
> On Wed, Mar 26, 2008 at 9:47 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
>
> Ananth-
> The error you're getting is an access denied error. You can't repermission
> an HKLM reg key like that from a logon script because logon scripts run in
> the context of the user, who does not have permission to modify reg key
> permissions by default.
>
> Darren
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
> Sent: Tuesday, March 25, 2008 3:08 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Script not applicable for local admin
>
> Hi Ray,
>
> It's been a long time, but I have some doubts regarding the USB storage
> device blocking script. Hope you can help out.
>
> We could never implement the script yet, as there was a policy change and USB
> devices were allowed for all.
> Now we are planning to implement and we are in the process of testing out
> policies. And in this regard we have some queries.
>
> The script is as follows...
>
> Dim WshShell,Retvalue
> Set WshShell = CreateObject("Wscript.Shell")
> WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start",3,"REG_DWORD"
> Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.inf /D everyone /T /Y",0,False)
> Retvalue = WshShell.run ("%comspec% /c %logonserver%\netlogon\xcacls %windir%\inf\usbstor.pnf /D everyone /T /Y",0,False)
> \\tai2dserver\SYSVOL\Tai2D.ent\scripts\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system
> Set WshShell = Nothing
> Wscript.Quit
>
> You had suggested to add the following line to the script; we created a bat
> file and implemented this. Subinacl.exe was copied to the
> \\Server\sysvol\scripts folder.
>
> "\\Server\sysvol\scripts\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system
>
> Two policies were created: one for the usb blocking vbs file and the second
> one, the batch file to implement the subinacl setting.
>
> The two policies were set at the domain level and scope was set for all
> authenticated users.
>
> But now in the test machines at logon we are getting this error.
>
> Script : \\Server\sysvol\scripts\usb.vbs
> Line:3
> Char:1
> Invalid root in registry key :HKLM\System\CurrentControlSet\Services\USBSTOR\Start
> Code: 8007005
> Source:wshscript:regwrite
>
> What could be causing it? The script is exactly the same as shown above!
> Please advise!!
>
> Thanks and regards
> Ananth.
>
> On 3/10/07, Ray Lewis <razor@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Anth..
>
> I was faced with this same problem last year..
> scripting to set the DWORD value will indeed disable the device, however,
> if an alternative stick is to be used, this doesn't apply….
>
> Using subinacl, to set the USBSTOR registry permissions to DENY for the
> SYSTEM "group" should sort out your problem. Download subinacl.exe to a
> share and add the following line to your existing script:
>
> "\\your server\your shared folder\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system
>
> My scenario was a little different as I wanted standard users to be denied
> and for Administrators to be allowed – I controlled this simply via the
> login scripts.
>
> Hope this helps…
>
> Ray
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
> Sent: 10 March 2007 14:08
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Script not applicable for local admin
>
> Hi all,
>
> I got 3 questions....
>
> 1. We have a script which disables removable usb drive access, but it
> doesn't work for local admin logons. How do I make it applicable for them
> too.. Basically what the script does is it modifies the USBSTOR value from 3
> to 4, thus disabling it, but guys who have local admin rights just open
> device manager, remove the usb drives and reinstall them! Thus enabling it!
>
> 2. How can I disable device manager access, even if the user has local admin
> rights?
>
> 3. We have a script which copies some 10mb of data every time users log in;
> even if the files are already in the destination folder it is again copied.
> How can I make it an incremental or differential copy? We do this via a
> batch file.
>
> A BIG thanks to all who regularly contribute to this very helpful list!!
> :-)
>
> best regards
> anth :-)

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
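
The approach the thread converges on (a start-up script in computer context that writes the Start value and puts the deny entry on the USBSTOR key rather than on the value), as an added PowerShell example that is not part of the original messages. The function names are hypothetical, and denying only SetValue to SYSTEM is an assumption; the subinacl line in the thread says /deny=system without naming a right.

```powershell
# Added example: run from a Group Policy startup script (Computer Configuration),
# which executes as SYSTEM rather than as the logged-on user.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'  # LocalSystem
$right = [System.Security.AccessControl.RegistryRights]::SetValue  # assumption: deny writes only

function Test-UsbStorLockdown {
    # Start is a value: read it. Permissions live on the key: read its ACL.
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    $rules = (Get-Acl -Path $key).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $deny  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $sid.Value -and
        ($_.RegistryRights -band $right)
    })
    [pscustomobject]@{
        Start        = $start
        Disabled     = ($start -eq 4)
        SystemDenied = ($deny.Count -gt 0)
    }
}

function Set-UsbStorLockdown {
    $state = Test-UsbStorLockdown
    if (-not $state.Disabled) {
        try {
            Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord -ErrorAction Stop
        } catch {
            # Happens when SYSTEM is already denied SetValue and Start is no longer 4.
            Write-Warning "Could not write Start: $($_.Exception.Message)"
        }
    }
    if (-not $state.SystemDenied) {
        # The deny ACE goes on the USBSTOR key; the Start value itself has no ACL.
        $ruleArgs = $sid, $right, 'ContainerInherit', 'None', 'Deny'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
        $acl  = Get-Acl -Path $key
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
    Test-UsbStorLockdown   # report the resulting state
}

Set-UsbStorLockdown
```

The value is written before the deny entry is added, because once SYSTEM is denied SetValue the same script can no longer change Start on later boots.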