
Group Policy/Custom Policy Settings

Status
Not open for further replies.

WCSO

Programmer
Nov 7, 2005
25
US
I am new to working with Group Policy but find it easy to manage many PCs. I want to limit some PCs so they cannot use USB drives. I followed the directions at with no problem but there seems to be no effect on the client machines. I have an OU with the desired users in it and added a policy from the Group Policy tab when viewing the properties of that OU. I make other changes to the policy and the changes come through on the client. Just this policy has no effect. I did turn off filtering so I could see the choices and enabled the option to disable USB drives. Is it because the item in Group Policy is under Computer Configuration and the rest of the changes I see come under User Configuration?

Thanks.
 
Heads up when disabling USB ports on the computer (that Microsoft article seems to do that). That'll make the keyboard and mouse stop working if they are USB.

I have no idea on the problem at hand though. :(
 
The knowledge base for that article is down. Can you post the ADM file code that you have implemented, and tell me what type of objects you have applied the GPO to? I may have an idea. I will know after I see the code.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Here is the ADM file:

; CLASS MACHINE: every policy below is a Computer Configuration setting (written under HKLM).
; Each policy sets the "Start" value (service start type) of a driver service:
; 1 = system, 3 = on demand, 4 = disabled. Choosing "Enabled" in the drop-down writes 4.
CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname
    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"

The GPO is applied to users. That is, I made an OU, put the policy on that and have the users within the OU.
 
OK, trust me, it's back up and running now. 30 seconds later.

Copy the code from the KB into Notepad > save as DisableUSBDrives.adm and select Save As Type "All Files *" into "C:\Windows\INF" > You need to create a GPO in the GPMC > Right click on new GPO > Edit > Expand Computer Settings > Right click Administrative Templates > Click Add/Remove Templates > Remove all existing ones (unless you are editing an already in use GPO, but I would do this in a new, completely separate one) > click Add > select DisableUSBDrives.adm and click Add > click OK > you will now see ONE new root folder under Computer Settings > Administrative Templates > Look at the settings and configure them > close the GPOE and return to the GPMC > Drag/Link the new GPO to your selected OU.

NOTE
====
These settings will only be applied to machines whose MACHINE ACCOUNT exists in the OU, or below the OU, to which you have linked the GPO. If you link it to an OU of users that is not ABOVE an OU of related machine accounts (which is a very common mistake), then the settings will not apply. It must be at the level of the OU containing the Computer accounts, which, if you don't mess with the AD structure for machine accounts, is only underneath the Domain Level OU.
****WARNING****
As CC00 said, this will disable your USB ports completely, not just USB drives. This will disable USB peripherals such as mice/keyboards/webcams/printers.

**## NOTE ##**
I came up with an ADM that disabled External Devices, but I don't know where it is. I think it's floating round the internet somewhere on a desolate forum. I will have a look. However, if you don't use USB peripherals, just networked/parallel printers and PS2 mice and keyboards, then this will be alright as a temporary measure.

Let me know how you go on, and I will try and get back to you on the Removable Storage Device thing.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
NCotton said:
NOTE
====
These settings will only be applied to machines whose MACHINE ACCOUNT exists in the OU, or below the OU, to which you have linked the GPO. If you link it to an OU of users that is not ABOVE an OU of related machine accounts (which is a very common mistake), then the settings will not apply. It must be at the level of the OU containing the Computer accounts, which, if you don't mess with the AD structure for machine accounts, is only underneath the Domain Level OU.

That is your problem. This setting only changes machine accounts, if you want the setting to be applied to Users, you need to do the following.

MyTargetGroup - OU
MyTargetUsersOU - SubOU
MyTargetUsersList - A securityGroup (not OU) containing the users required
MyTargetMachines - SubOU - containing the list of machines that the policy is to run on


Link the Policy to MYTargetGroupOU, and place a filter on MyTargetGroupOU\MyTargetUsersOU\MyTargetUsersList secgroup.

That means that the pol will only be applied to these computers, but only when these users logon.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
You also have to make sure you add the ADM file into the Computer Settings > Administrative Templates as well.

If you add it to the Users section, the settings will still show up and be configurable, but they won't be applied.

You can see what kind of setting it is (machine or user) by looking at the ADM file. Find the policy that you are looking for and highlight it. Press Ctrl+E, then F, type "CLASS" without the "", and set the search direction to UP. You will hit the policy's CLASS setting, and that is the group that the settings will be applied to.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
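
The CLASS lookup described in the post above, as an added example that is not part of the original thread: a short Python parser that reports, for each POLICY in an ADM template, the CLASS it falls under (MACHINE or USER), its registry key, value name and numeric choices. The sample is a constructed, shortened excerpt of the ADM posted earlier, and the function name `parse_adm` is hypothetical.

```python
import re
# Constructed sample: shortened excerpt of the ADM posted earlier in the thread.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!category
  POLICY !!policynameusb
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    PART !!labeltextusb DROPDOWNLIST REQUIRED
      VALUENAME "Start"
      ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY

[strings]
category="Custom Policy Settings"
policynameusb="Disable USB"
labeltextusb="Disable USB Ports"
Enabled="Enabled"
Disabled="Disabled"
'''

def parse_adm(text):
    """Hypothetical helper: one dict per POLICY, tagged with its governing CLASS."""
    parts = re.split(r'(?im)^\s*\[strings\]\s*$', text, maxsplit=1)
    tail = parts[1] if len(parts) > 1 else ""
    strings = dict(re.findall(r'(?m)^\s*(\w+)\s*=\s*"(.*)"\s*$', tail))
    def resolve(tok):  # "!!name" is a reference into the [strings] section
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok.strip('"')
    policies, cls, cur = [], None, None
    for line in parts[0].splitlines():
        kw, rest = (line.split(None, 1) + ["", ""])[:2]
        kw, rest = kw.upper(), rest.strip()
        if kw == "CLASS":              # governs every POLICY until the next CLASS
            cls = rest.upper()
        elif kw == "POLICY":
            cur = {"class": cls, "name": resolve(rest), "key": None,
                   "value": None, "choices": {}}
            policies.append(cur)
        elif kw == "END" and rest.upper() == "POLICY":
            cur = None
        elif cur is not None and kw in ("KEYNAME", "VALUENAME"):
            cur["key" if kw == "KEYNAME" else "value"] = rest.strip('"')
        elif cur is not None and kw == "NAME":
            m = re.match(r'(\S+)\s+VALUE\s+NUMERIC\s+(\d+)', rest, re.I)
            if m:                      # drop-down label -> number written to the registry
                cur["choices"][resolve(m.group(1))] = int(m.group(2))
    return policies
```

A policy reported with class MACHINE only takes effect on computer accounts in the scope of the GPO, which is the condition the thread identifies.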
 
I can follow you up until you say "place a filter" on the security group. How do you do that? Also, my main goal is to limit USB drive access. If you happen to find that, it would be appreciated. Thanks.
 
Filters.....in the GPMC, click on the GPO, just highlight, not edit. On the right, you see the settings window, underneath it, a pane for active directory filtering can be seen. Remove the "everybody" entry, and create a new one. And just add the Security Group.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 