
Registry edit not being enforced by GPO help!


ArizonaGeek

IS-IT--Management
Joined
Aug 21, 2006
Messages
768
Location
US
I have created an ADM file to block USB keys and for the life of me I can't get my test computers to pick it up. It is the weirdest thing. I've even gone through and copied several ADM files from some websites trying to disable or make USB keys read only. The boss wants them blocked but we can't block USB because 75% of our machines are USB-only keyboard and mouse. I am fairly new to writing GPOs but these seem to have been fairly straightforward. I can pick up other policies in the same GPO like hiding Task Manager from Ctrl-Alt-Delete so I know it is picking it up. Anybody have ANY ideas? I have been banging my head about this for a week now. Thanks for any help!
 
This is the ADM script I found:

CLASS MACHINE
CATEGORY "Removeable Storage Write Access"
POLICY "USB Write Access"
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
VALUENAME "WriteProtect"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY;

I also unloaded the ADM file and tried the RegEdit software from DeskTopStandards. I set it under Computer Config to update the Start value on HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR to 4, which should stop USB keys. To no avail, but again I know it's getting the GPO because I still have Task Manager being blocked as a policy.

Now, somehow, I blocked my own local (non-test) machine from accessing my USB key. I am just gonna bang my head on the wall now. Thanks for any help anyone can give!
 
When you implemented the regedit via GPO, did that change happen on a test machine?

Did you check GPRESULT on a workstation? How about using GPO Modelling in GPMC?

On your test machine did you do a GPUPDATE /FORCE?

Your ADM file is also flawed. You say the value should be 4 but you are setting a NUMERIC 1 value. Change the ADM to be NUMERIC 4 for VALUEON.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
When I do GPO Modelling, under Computer Configuration (which is where I have the RegEdit software configured for HKLM) I get "No Data Available" which is strange. Also when doing a GPResult I see the correct GPO being pushed to the workstation.

The ADM file above was for making the USB key read only, which was something else I had tried and was the latest ADM file to be applied. Since then I have removed it and tried with the RegEdit software. I also grabbed their full software package for a trial; whew, pretty expensive ($21.45 per user), but I uninstalled that and am using the freebie registry part.

I did do a GPUpdate /force and I can still access my USB Key.

Thanks for the help!
 
You did not answer all of the above questions. You see that the GPO is being applied, but is the registry being changed? If you manually set this registry setting does it block the access? Have you rebooted since this is a system setting?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
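The registry check Mark asks for, as an added PowerShell example that is not part of the thread: it reads the USBSTOR Start value and the StorageDevicePolicies WriteProtect value the thread is pushing and then lists which computer GPOs actually applied. It assumes it runs elevated on the test workstation after gpupdate /force and a reboot; the key paths are the ones quoted in the thread.

```powershell
# Added example (not from the thread): verify on the test workstation whether
# the registry values the GPO is supposed to set have actually arrived.
# Key paths are the ones quoted in the thread.
$usbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policiesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

# Start = 3 means the USBSTOR driver loads on demand (USB storage works);
# Start = 4 means the driver is disabled (USB storage blocked).
$start = (Get-ItemProperty -Path $usbStorKey -Name Start -ErrorAction Stop).Start
$startState = if ($start -eq 4) { 'USB storage DISABLED' } else { 'USB storage ENABLED' }
"USBSTOR\Start = $start  ($startState)"

# WriteProtect = 1 makes USB mass storage read-only. The key does not exist
# until a policy (or an admin) creates it, so test for it first.
$writeProtect = $null
if (Test-Path $policiesKey) {
    $writeProtect = (Get-ItemProperty -Path $policiesKey -Name WriteProtect `
                     -ErrorAction SilentlyContinue).WriteProtect
}
$wpState = if ($null -eq $writeProtect) { 'not set (writable)' }
           elseif ($writeProtect -eq 1) { '1 (read-only)' }
           else { "$writeProtect (writable)" }
"StorageDevicePolicies\WriteProtect = $wpState"

# If the values above do not match the GPO, the setting is not reaching this
# computer even though other settings from the same GPO do. Computer Configuration
# settings only apply when the computer object sits under the OU (or domain)
# where the GPO is linked, so show which GPOs the computer side really applied.
gpresult /scope computer /v |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,8
```

If Start still reads 3 here after a reboot, the problem is scope or filtering on the GPO rather than the registry value itself, which matches the "No Data Available" result Group Policy Modeling gave for Computer Configuration.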
 
The registry is not being updated by the GPO, I am setting CurrentControlSet\Services\USBSTOR to 4 in the policy but after a reboot and login it still shows a 3 in RegEdit. I've also turned off Windows Firewall (just in case) and I reboot after any change I make to the policy.

Thanks for all the help!
 
Please confirm you are not using the default domain policy for this.

At what level is the GPO being applied? Have you set security on the GPO?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
I am not using the default domain policy for this. I am fairly new at working with GPO and AD (in the last 6 months) but I figured it would be bad to mess with it.

I am not sure how to tell what level the GPO is being applied, but its precedence and link order is 1.

I have not set any security on the policy.

Thanks again!
 
Take a look at the end of my FAQ faq329-5798 for some tips on implementing a GPO.

The level of the GPO is where in AD you have applied or linked the GPO to. In order for your policy to have an effect, it needs to be applied at a level in the AD structure above where the computer account exists.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Actually your article was a pretty big help. It also prompted me to start playing with VBS, which I have never done before, so some of this seems pretty straightforward. I essentially took your script and added the lines:

' WScript.Shell object (already created earlier in the FAQ script; shown here so the snippet runs on its own)
Set WshShell = CreateObject("WScript.Shell")
' Start = 4 disables the USBSTOR driver, blocking USB mass storage
Path = "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start"
WshShell.RegWrite Path, 4, "REG_DWORD"

To your "Add on code" area but I still can't make it work, although the other areas I configured from your script do, adding a network printer for example. Something I missed on my path?

Thanks for all your help, I really appreciate it!
 