locked
Regarding policies for users on XP RRS feed

  • Question

  • I have a XP workgroup workstation with a few users and an administrator. I would like to enable security policies on the PC so that only the administrator is able to access the USB and CD Rom drives in the PC. Its only a workstation and i have open to using free opensource software as well if in case i cant do it locally on the machine.  your suggestions are welcome. 

     

     

    Thursday, July 14, 2011 3:03 PM

All replies

  • The best you can do with Group Policy is prevent users installing programs from removeable media.  You cannot remove access to removeable media completely.

    You would need a third-party product for that.

    Thursday, July 14, 2011 4:00 PM
  • Hi,

    There is a useful article which covers access via policy to lock down CDROM, USB etc (http://support.microsoft.com/kb/555324)

    Kind Regards,

    Martin

     


    If you find my information useful, please rate it. :-)
    Saturday, July 16, 2011 12:30 PM
    Moderator
  • Nice link, Martin.  But these policies will disable the devices for all users, surely, because they are Computer Configurations, and they actually disable the drivers.

    If this policy was applied in a domain, it could be filtered by security group.  But stand-alone?


    Saturday, July 16, 2011 1:53 PM
  • Hi,

    You can impliment this policy to a user or user group if you wish via a logon script.

    Essentially you would set up the policy as a file (e.g. defaultpolicy.adm) and store it in your netlogon folder along with the logon script. Then you can define the script per group or per user from active directory.

    Does this make sense?

     

    Kind Regards,

    Martin

     


    If you find my information useful, please rate it. :-)
    Monday, July 18, 2011 2:58 PM
    Moderator
  • I'll take your work for it, Martin.  I've never done this in a non-AD environment, so I assume what you are saying is right. 

     

    Monday, July 18, 2011 5:03 PM
  • Hi Teddy,

    I am thinking back to good ole Windows 98SE days where we had to use poledit :-)

    Logon scripts are very underrated but are still very useful for custom environments.

    Useful for creating scripts: http://technet.microsoft.com/en-us/library/cc758918(WS.10).aspx

    Useful for adding scritps: http://support.microsoft.com/kb/324803 or http://support.microsoft.com/kb/315245

    Martin

     


    If you find my information useful, please rate it. :-)
    Monday, July 18, 2011 6:03 PM
    Moderator
  • Fine, but I actually don't understand what you're saying about including the .adm file in the netlogon folder.  As far as I understand it, the .adm file you referred to (which I think is very cool), is imported into the Adminitrative Templates of the local or domain GP, and configured from there.

    I have no experience with, or knowledge about 'including an .adm file in the logon script'.  Please explain in more detail.  Also, your comment about over-riding domain/ou policy with a local policy using a logon script sounds weird to me.  Can you really do that?  And if so, why?  Why not just amend/create a domain/ou level policy?


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
    Monday, July 18, 2011 6:55 PM
  • Hi Teddy,

    Check out: http://support.microsoft.com/kb/269799

    Martin


    If you find my information useful, please rate it. :-)
    Monday, July 18, 2011 7:16 PM
    Moderator
  • Hi Martin,

    Thanks for all the links.  The last one refers to a non-domain environment, and that's fine, although _very_ old-fashioned!  I would imaging managing individual logon profiles for a peer-peer network must be a nightmare. 


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
    Monday, July 18, 2011 7:30 PM