Announcement

Collapse
No announcement yet.

managing GPO on Server2003

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • managing GPO on Server2003

    hello all ,
    i have at work SBS 2003 and i want to tighten the security in my office and i want to ask a few questions about it .

    1. if i want to make a GPO for a few users i need to put them in an own OU and then make the gpo properties and the will apply only for them ? am i right? -- a short explanation --- i have a few user that are only secretarys and i want to disable a lot of functions like : opening RUN and changing desktop. and so on... and i have other users that i don't wan to disable anything.

    2.what are your recommendation for a good secure GPO Properties. ( i don't want the users to be able to install programs , to see network folders beside some public ones, i don't want them to plug a USB device and to use the CD Rom .
    can you send me a good location that has a detailed document.
    and explain how to do those GPO Properties.

    i hope you can help me
    thanks a lot
    ok103

  • #2
    Re: managing GPO on Server2003

    Hi,

    Steps are fine.......For specific option just go through all the policies and you can check the help for details..

    is also a good option for more specific search...

    As far as USB and disk disabling is concerned just look the following link:

    http://www.petri.com/disable_usb_disks_with_gpo.htm

    Regards,
    Kapil Sharma
    ~~~~~~~~~~~~~
    Life is too short, Enjoy It.

    Comment


    • #3
      Re: managing GPO on Server2003

      thanks alot for your replay i will try to do this on my test user on my server ...
      i have read the post about disabling USB and CD-ROM and i want to ask something .... can i disable USB and CD-Rom Per users? i mean if i have OU called "Managment" and i want them to be able to plug USB or CD-ROM and i have OU called "Sec" and that i don't want them to use CD-ROM and USB ... i mean can i disable them to each user ????
      i know that the rest of the GPO i can manage per user if i put them in a right OU ....
      i mean if i disable those fituresa to a user called "sec" and i need to install something in his computer and i as "administrator" need the USB enabled...
      what do i do ? just log on as admin ?? that's it ?

      hope you can help me ...
      thanks alot
      ok103

      Comment


      • #4
        Re: managing GPO on Server2003

        Hi,

        Below files are used for USB mass storage. For disabling USB mass storage just set deny access on these files using file security in GPO just allow those users who want to access the USB:

        usbstor.inf
        usbstor.PNF
        usbstor.sys

        For disable/Enable CD-ROM you can use a registry setting so you can deploy a reg file for different users using GPOs as per the requirement.

        For specific registry setting you just need to do some ............

        Regards,
        Kapil Sharma
        ~~~~~~~~~~~~~
        Life is too short, Enjoy It.

        Comment


        • #5
          Re: managing GPO on Server2003

          thanks a lot kapilsharma11 for your replay .

          but i don't know how to make a GPO with the files you wrote down .. can you help me .. ?
          i'm using SBS2003 and i have AD with 2 major OU in my "Users" OU . the first one is Managmenent - that i want those users to be able to plug USB in any computer in the office.
          and the other OU called: Secretery that i don't want them to use USB when they log in to any computer in the office .

          can i set the GPO to Deny access to those files that you wrote? (where are they stored ? ) and if so what is the route that i have to go ??
          and the same Q is about deployiong a GPO with reg file to spesific users ..
          please help me , i don't want to make mistakes.

          thanks alot
          OK103

          Comment


          • #6
            Re: managing GPO on Server2003

            Hi,

            Refer the attached doc................

            And the mentioned files remain under system32, you can also make a search to locate them but do not forget to include system and hidden files in search.

            Regards,
            Attached Files
            Kapil Sharma
            ~~~~~~~~~~~~~
            Life is too short, Enjoy It.

            Comment


            • #7
              Re: managing GPO on Server2003

              thanks man i'll try it when i get back to work ....
              but one important Q .. the screen shots that you post me ...
              i have to do that on srever under the "cleint GPO" right? i need to "deny all" for the security group called secretry and everyone ; and "allow all" to administrator and security group called : Managment... right? and that means that when a user from secretery will to on to the computer he will not be able to use USB and when a user from menegment will log on to the SAME computer he will be able to use USB .. right?
              and what about changes in the reg .. by GPO .. the same way ??? (sane route?)

              i hope you can help me ...

              yhanks
              ok103

              Comment


              • #8
                about disabling USB and CD-ROM

                hello .
                i tried what you told me to do ... and i did what is post in the petri site ( with the removable_storage.adm) and removed the SYSTEM from The security tab .. and i could't disable the USB ( this is a USB that i work with in the office all the time .. every user with this GPO can see the contant of the usb and can see the contant of the CD-ROM ...
                can anyone help me out ??

                by the way the USERs with the GPO can't install for CD-ROm thas all ...
                and i couldn't find USBSTOR.SYS ... it's not under c:\windows\

                hope you can help me out ....
                by the way ... can i upload or attach files here to show us ??

                thanks a lot
                OK103

                Comment


                • #9
                  Re: managing GPO on Server2003

                  Yes you can.........

                  Remember to configure the policy at right place with right options.

                  One thing keep in mind:

                  You have to enable the "Disable USB" policy as enabling the "Disable USB" option will disable that. If you choose the Disable "Disable USB" then USB would get enabled.........

                  Always here to help.

                  Regards,
                  Kapil Sharma
                  ~~~~~~~~~~~~~
                  Life is too short, Enjoy It.

                  Comment


                  • #10
                    Re: managing GPO on Server2003

                    i have enabled the "Disable USB" policy and did all the instructions with the removable_storage.adm and i can't find the usbstor.sys... so basiclly it doesn't work .

                    i also disabled the CD and now when the put a cd the get a screen that say you don't have permission to install... but i want them to not be able to get in to the CD drive at all.

                    can you help me .... i'm going crazy...
                    thanks
                    ok103

                    Comment


                    • #11
                      Re: managing GPO on Server2003

                      Originally posted by ok103 View Post
                      hello all ,
                      i have at work SBS 2003 and i want to tighten the security in my office and i want to ask a few questions about it .

                      1. if i want to make a GPO for a few users i need to put them in an own OU and then make the gpo properties and the will apply only for them ? am i right? -- a short explanation --- i have a few user that are only secretarys and i want to disable a lot of functions like : opening RUN and changing desktop. and so on... and i have other users that i don't wan to disable anything.

                      2.what are your recommendation for a good secure GPO Properties. ( i don't want the users to be able to install programs , to see network folders beside some public ones, i don't want them to plug a USB device and to use the CD Rom .
                      can you send me a good location that has a detailed document.
                      and explain how to do those GPO Properties.

                      i hope you can help me
                      thanks a lot
                      ok103
                      I think you should watch this Technet Webcast and get a deeper understanding of the whole idea. In fact, I think I had better watch it myself
                      TIA

                      Steven Teiger [SBS-MVP(2003-2009)]
                      http://www.wintra.co.il/
                      sigpic
                      Iím honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                      We donít stop playing because we grow old, we grow old because we stop playing.

                      Comment


                      • #12
                        Re: managing GPO on Server2003

                        Well that was interesting. Live webcast recorded Sept 2005 but I am unable to join the "live" meeting. All I wanted was to download the WMV file but nooooooooo, that would be too easy for Microcrap. Just going round in circles. Need to sit down.....I'm giddy now.

                        Will go watch Train Signal GPO Lab instead. At least that is easy to find.
                        1 1 was a racehorse.
                        2 2 was 1 2.
                        1 1 1 1 race 1 day,
                        2 2 1 1 2

                        Comment

                        Working...
                        X