GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

  • GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

    Hello All,

    I have a problem applying a GPO to a domain user account.

    I'll start with the steps, in order, for creating the GPO to disable access to the LAN connection properties and to the USB drive, floppy drive and CD-ROM drive.


    First, I'm implementing a new GPO in AD to prevent users from accessing the properties of a LAN connection by the following steps:

    On DC

    1- Start Active directory Users and Computers and create one OU with two sub-OU in DC.
    + MainOU
    - SubOU1
    - SubOU2
    2- Move user from Users folder in AD to SubOU1 and SubOU2
    3- Create Global Group
    4- Add members of SubOU1 and SubOU2 to the Global Group
    5- Go to Property of the MainOU then create a new GPO in Group Policy Tab
    6- Select on the new GPO, just created and Click button Edit to edit GPO in User Configuration --> Administrative Templates --> Network --> Network and Dialup Connections. Enable setting of Prohibit access to properties of Lan connection
    7- Then Edit GPO in Computer Configuration --> Administrative Templates --> System --> Group Policy. Enable setting of User Group Policy Loopback Processing Mode
    8- Close GPO
    9- Select on the new GPO, just created again and Click button Properties
    10- Go to Security Tab then remove Authenticated Users and Add the Global Group (created in step3) with permissions: allow to Read and Apply Group Policy then click OK for all display properties


    On Client PCs

    I log on to client PCs using a user account within the above Sub-OU, and I get the result changed even if I set the account as a local administrator or power user. But when I log on to my PC using a user account (the same one within the Sub-OU) with local administrator rights, nothing changes; besides, if I set it to power user rights, I get the result changed. I noticed that some PCs which were previously logged on to with a user account that is a member of Domain Admins also get the same result as mine.
    IS THERE ANY MISTAKE IN THE STEPS ABOVE?

    Second, I continue to implement a GPO to prevent users from using the floppy drive, USB drive and CD-ROM drive by the following steps:

    1- Create .adm file with the code copied from http://support.microsoft.com/?kbid=555324

    CLASS MACHINE
    CATEGORY !!category
    CATEGORY !!categoryname
    POLICY !!policynameusb
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    EXPLAIN !!explaintextusb
    PART !!labeltextusb DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    POLICY !!policynamecd
    KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
    EXPLAIN !!explaintextcd
    PART !!labeltextcd DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 1 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    POLICY !!policynameflpy
    KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
    EXPLAIN !!explaintextflpy
    PART !!labeltextflpy DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    POLICY !!policynamels120
    KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
    EXPLAIN !!explaintextls120
    PART !!labeltextls120 DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    END CATEGORY
    END CATEGORY

    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
    explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
    explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
    explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
    labeltextusb="Disable USB Ports"
    labeltextcd="Disable CD-ROM Drive"
    labeltextflpy="Disable Floppy Drive"
    labeltextls120="Disable High Capacity Floppy Drive"
    Enabled="Enabled"
    Disabled="Disabled"

    2- Add .adm file to the Administrative Templates
    3- Enable the setting to disable USB drive, Floppy Drive and CD-rom Drive
    4- Click OK for all displayed properties

    But when I tried to log on using the user account within the Sub-OU, I was still able to access the floppy drive, USB drive and CD-ROM drive on any PC.
    IS THERE SOMETHING WRONG WITH THE STEPS I DID IN GROUP POLICY? THANKS FOR ANY HELP.

  • #2
    Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

    Originally posted by n4me
    7- Then Edit GPO in Computer Configuration --> Administrative Templates --> System --> Group Policy. Enable setting of User Group Policy Loopback Processing Mode
    This configuration is superfluous since you're linking it to an OU filled with users.


    I log on to client PCs using a user account within the above Sub-OU, and I get the result changed even if I set the account as a local administrator or power user. But when I log on to my PC using a user account (the same one within the Sub-OU) with local administrator rights, nothing changes; besides, if I set it to power user rights, I get the result changed. I noticed that some PCs which were previously logged on to with a user account that is a member of Domain Admins also get the same result as mine.
    I don't know if I understand you correctly, but are you saying that the policy only applies to users when they're not in the local administrator group? Could you confirm if this is right or not? And if not, please give detailed information on when it is applied and when it is not. Run gpresult to see if things are getting applied as desired.

    Second, I continue to implement a GPO to prevent users from using the floppy drive, USB drive and CD-ROM drive by the following steps:
    If I'm reading the added code correctly you'll need to apply this GPO to computers and not users. Notice the CLASS MACHINE entry at the top. Link it to an OU containing the computers you want affected by this policy.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com
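
Added example (not part of the original posts): a PowerShell check to run on a client PC after the GPO is linked to the OU containing the computers. It reads the Start value of the four driver services named in the template and reports which are disabled. The function name is hypothetical; the meaning of Start=4 is taken from the template's Enabled entries.

```powershell
# Added example, not from the thread: verify the machine-side effect of the
# "Restrict Drives" template. Service names and values come from the .adm
# file quoted in the first post: Start=4 means the driver is disabled,
# Start=3 (or 1 for Cdrom) means the driver is allowed to load.
$services = [ordered]@{
    'USBSTOR'  = 'USB storage'
    'Cdrom'    = 'CD-ROM'
    'Flpydisk' = 'Floppy'
    'Sfloppy'  = 'High capacity floppy'
}

# Hypothetical helper name. Returns one object per service.
function Get-DriveRestrictionState {
    param([System.Collections.IDictionary]$Services)

    foreach ($name in $Services.Keys) {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = $null

        # The key can be absent when the driver was never installed.
        if (Test-Path -LiteralPath $path) {
            $prop  = Get-ItemProperty -LiteralPath $path -Name Start -ErrorAction SilentlyContinue
            if ($prop) { $start = $prop.Start }
        }

        if ($null -eq $start) {
            $state = 'Key or Start value missing'
        } elseif ($start -eq 4) {
            $state = 'Blocked by policy value (Start=4)'
        } else {
            $state = "Not blocked (Start=$start)"
        }

        [pscustomobject]@{
            Device  = $Services[$name]
            Service = $name
            Start   = $start
            State   = $state
        }
    }
}

Get-DriveRestrictionState -Services $services | Format-Table -AutoSize
```

Because these values live under HKLM, the result is the same for every account that logs on to the machine, which matches the CLASS MACHINE scope of the template.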



    • #3
      Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

      Thanks for help,

      2- Move user from Users folder in AD to SubOU1 and SubOU2
      7- Then Edit GPO in Computer Configuration --> Administrative Templates --> System --> Group Policy. Enable setting of User Group Policy Loopback Processing Mode
      If I don't enable this setting, the "user" settings in the GPO aren't applied to people who log on using a user within the OU I created.

      I don't know if I understand you correctly, but are you saying that the policy only applies to users when they're not in the local administrator group? Could you confirm if this is right or not? And if not, please give detailed information on when it is applied and when it is not. Run gpresult to see if things are getting applied as desired.
      Yes, if tested with Windows XP, the user policy settings are applied when they're not in the local administrator group. If tested with Windows 2000, I discovered that the user policy settings are applied for most users in the local administrator group, and for a few they aren't applied.

      If I'm reading the added code correctly you'll need to apply this GPO to computers and not users. Notice the CLASS MACHINE entry at the top. Link it to an OU containing the computers you want affected by this policy.
      Thanks for the reminder on this one. I did it and it works.



      • #4
        Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

        Hi n4me
        Originally posted by n4me
        7- Then Edit GPO in Computer Configuration --> Administrative Templates --> System --> Group Policy. Enable setting of User Group Policy Loopback Processing Mode
        If I don't enable this setting, the "user" settings in the GPO aren't applied to people who log on using a user within the OU I created.
        This is not true. Loopback Processing is used when you want the User settings of a GPO that is linked to a computer to be applied to any user that logs on to that computer. This link explains how loopback processing works.
        Yes, if tested with Windows XP, the user policy settings are applied when they're not in the local administrator group. If tested with Windows 2000, I discovered that the user policy settings are applied for most users in the local administrator group, and for a few they aren't applied.
        If the Loopback Processing setting is enabled in several GPOs, it could account for the strange behaviour that you're getting. Did you run gpresult? Or if you want a GUI, use RSoP in logging mode.

        Post back the results and we'll see if we can get this sorted out.

        EDIT - If you're not already using GPMC I'd start. It makes administration of group policy much easier with an intuitive layout.
        Last edited by JeremyW; 18th August 2006, 11:23.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

          Hi JeremyW,
          This is not true. Loopback Processing is used when you want the User settings of a GPO that is linked to a computer to be applied to any user that logs on to that computer.
          Yes, you are right. I set the Loopback Processing setting back to Not Configured and tried to log on again. The GPOs (which are for disabling the floppy and flash drive and prohibiting the user from accessing the properties of the LAN connection) are applied on many Win2000 Pro PCs (gpwin2000.txt). However, there are still a few Win2000 Pro PCs on which they are not applied (gp2000no-applies.txt).

          The following is set inside Active Directory for the OUs:
          OU name for computers: ITroom (GPO name for this OU: GPOCompDis, used to disable removable drives)
          OU name for users: Froom (GPO name for this OU: GPOUserDis, used to prohibit users from accessing the properties of the LAN connection)

          For a WinXP PC with local power user rights, both GPOCompDis and GPOUserDis are applied (gpXPpoweruser.txt). Differently, when I set it to local administrator rights, only GPOComDis is applied but not GPOUserDis (gpXPadministrator.txt).

          The above computer GPO (GPOComDis) applies to each computer even if I log in as a different user or as a domain administrator user. Could you tell me whether there is any way it can be set to apply only to the user logging on? Then whenever I log in as a domain administrator user, I can do everything on the PCs.

          Thks indeed for help and reply,
          Brgds
          N4me



          • #6
            Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

            I took a look at them and it seems that the user policy doesn't get applied when you log on as an administrator. Are the administrative users in the OU you've specified? Are these users on the local machine?

            EDIT - OK, I took a closer look and it seems that a user policy does get applied. GPOUserDis is the policy that gets applied when it's an administrator that logs on. GPODisUser is what gets applied when it's the power user. Do you have any GPO filtering going on? It seems very strange to me after looking at the results. There's no user info for the 2000 Pro ones that are having issues. I'm puzzled.
            Last edited by JeremyW; 28th August 2006, 13:29.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

              Hi JeremyW,

              Sorry, I may have confused you. OK, let me give details by adding some pictures and comparing the differences between Windows XP and Windows 2000 Pro when users log on within AD, with Group Policy configured on Windows 2000 Server:

              The Group Policy GPOCompDis is linked to the ITRoom OU. In the security of the GPO properties, it applies to user gpo.
              [Screenshot: CompInsideOU.gif]

              The Group Policy GPOUserDis is linked to the FRoom OU. In the security of the GPO properties, it applies to user gpo.
              [Screenshot: UserInsideOU.gif]

              Test with Windows 2000 Pro
              I log on using user gpo. The machine named GPO gets both GPOCompDis and GPOUserDis applied even when user gpo is set as a local administrator.
              [Screenshot: UserwithAdm.gif]

              Test with Windows XP
              I log on using user gpo. The machine named GPO gets only GPOCompDis applied when I set user gpo as a local administrator.
              [Screenshot: noapply.GIF]
              But if I set user gpo as a local power user, the machine named GPO gets both GPOCompDis and GPOUserDis applied.
              [Screenshot: UserWithPowerUser.gif]

              GPOCompDis applies to the computer, so whenever I log on as an administrator user (of the domain controller) I still cannot use or access the flash drive or floppy drive. Is there any other method to apply this through a user setting template, so that if I want to access the flash drive, I can just log on as an administrator user?

              B.Regards,
              Nara



              • #8
                Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

                Thanks for the screen shots. That helped me to get a better picture of what we're dealing with.
                Could you do the following and post back?
                1. Configure the user "gpo" as a local administrator on the XP machine (computer is also named "gpo", right?) then log on and log off with the user "gpo"
                2. Install GPMC on your server if you haven't already
                3. Open GPMC, right click Group Policy Results and run the Group Policy Results Wizard... for the machine "gpo" and the user "gpo"
                4. After the wizard is done, click on the Settings tab and check to see if the LAN restrictions are listed
                5. Click on the Summary tab and post screen shots of all the information (blurring out your company info of course)
                6. Click on the Policy Events tab and post any errors or warnings you see
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com



                • #9
                  Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

                  Install GPMC on your server if you haven't already
                  My Windows server is running Windows 2000 Server, on which GPMC isn't supported.

                  Thanks,
                  Nara



                  • #10
                    Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

                    GPMC for Windows 2000
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2



                    • #11
                      Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

                      Originally posted by n4me
                      My Windows server is running Windows 2000 Server, on which GPMC isn't supported.

                      Thanks,
                      Nara
                      I had assumed (and you know what that does for "u" & "me") you were on 2003 because the KB you referenced was for 2003.

                      Thanks Chirs for posting GPMC for 2000.

                      n4me, I don't know if all the steps will apply since you're using 2000 but do as many as you can and post back.

                      Cheers.
                      Regards,
                      Jeremy

                      Network Consultant/Engineer
                      Baltimore - Washington area and beyond
                      www.gma-cpa.com



                      • #12
                        Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

                        Hi Jeremy,
                        I followed the steps you told me, but I ran GPMC on the Windows XP machine named GPO instead. Here are the screenshot results from running the Group Policy Results Wizard.
                        [Screenshot: GpoRe SettingTab.GIF]
                        [Screenshot: GpoRe Summary.gif]

                        B.regards,
                        Nara



                        • #13
                          Re: GPO not applied to prevent user from using floppy drive, usb drive and Cd-Rom Drive

                          OK, that I think cleared up some things. I don't think the user settings of the GPO were ever applied.

                          Power Users can't modify the TCP/IP properties so we wouldn't be able to tell if it was applied or not when the user is a member of Power Users.

                          We need to make sure the computer and user can access the GPO

                          Inaccessible GPO (GPO Denied)
                          There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:

                          The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.

                          The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).

                          Network connectivity problems might prevent access to the GPO.

                          The client is unable to contact any domain controller.
                          Taken from http://technet2.microsoft.com/Window....mspx?mfr=true
                          This link has steps to take to troubleshoot Group Policy.

                          Run netdiag and see if it shows any errors. If you have multiple DCs, make sure replication is taking place. If both things show up fine then we should look at permissions on the sysvol share and the NTFS permissions on the GPO folder (use effective permissions on the GPO).
                          Regards,
                          Jeremy

                          Network Consultant/Engineer
                          Baltimore - Washington area and beyond
                          www.gma-cpa.com
