none
How to disable bluetooth device per security group via GPO or logon, WMI or vbs scripts? RRS feed

  • Question

  • Some of my user say members of BluetoothEnabledUsers security Group need to have Bluetooth working on their Windows 7 laptops. All the remaining user should not have working Bluetooth and should not be able to switch it on. How to disable bluetooth device per security group via GPO or logon, WMI or vbs scripts? I can not disable Bluetooth services because user will not be able to see content of Devices & Printers.


    Regards, Ilkin
    Tuesday, May 3, 2011 12:51 PM

Answers

  • We manage various Devices including Bluetooth, infraRed, USB etc...

    We have taken two approaches.  Initially a user logon script that would capture the computer and add it to a global group.  This way we could apply computer settings such as Bluetooth to the user.

    Eventually we adopted the use of a tool from CenterTools called DriveLock.  It is an agent on the system managed via group policy settings.  The agent knows what group your users belong to and applies the desired permissions.  For example if you have 4 groups A-D, and you want Group A to have access to bluetooth but restrict its use for groups B, C and D, you would would configure the policy.  A user from Group A can log into any machine in the enterprise and receive the adequate level of control, without stamping the registry.

    We have used DriveLock since 2008 on Windows XP, and are evaluating the Windows 7 Upgrade.

    Wednesday, May 4, 2011 7:55 PM

All replies

  • We manage various Devices including Bluetooth, infraRed, USB etc...

    We have taken two approaches.  Initially a user logon script that would capture the computer and add it to a global group.  This way we could apply computer settings such as Bluetooth to the user.

    Eventually we adopted the use of a tool from CenterTools called DriveLock.  It is an agent on the system managed via group policy settings.  The agent knows what group your users belong to and applies the desired permissions.  For example if you have 4 groups A-D, and you want Group A to have access to bluetooth but restrict its use for groups B, C and D, you would would configure the policy.  A user from Group A can log into any machine in the enterprise and receive the adequate level of control, without stamping the registry.

    We have used DriveLock since 2008 on Windows XP, and are evaluating the Windows 7 Upgrade.

    Wednesday, May 4, 2011 7:55 PM
  • Thanks a lot CONKAF. I will evaluate Drivelock too. I have tried to use registry tracker and trace the difference between enabled and disabled stages but was not successful. Besides RegSnap tracked many registry changes the resulting reg file was not imported properly. 
    Regards, Ilkin
    Tuesday, May 10, 2011 8:55 PM
  • I just use the MS Devcon tool to disable the hardware and script it via GP.

    All you need to find is the hardware ID from Device Manager, then the command would look something like:

    Devcon Disable "USB\VID_0A5C&PID_219C&REV_0628"
    or:
    Devcon Enable "USB\VID_0A5C&PID_219C&REV_0628"
    to re-enable it

    Devcon is available from http://support.microsoft.com/kb/311272


    Regards,
    Matt

    Friday, May 18, 2012 11:01 AM