LinkBack URL
About LinkBacksI'm having enough problem with the old plan!Originally Posted by SYNACK
What now? Where?
I'm having enough problem with the old plan!
What now? Where?
OK. Another tack.
Might be permissions set on the usb denying access to students. Where would that be then?
@witch
If these are XP clients, check to see that c:\Windows\inf\usbstor.inf (and usbstor.pnf) exist. If it does, ensure that there isn't a deny acl on them.
Last edited by pete; 3rd July 2012 at 09:32 AM.
Resultant Set of Policy (it's a very handy thing to know, so worth perservering with here)
* Log on to a computer that has had the problem as administrator
* Open your Run prompt from the start menu or with windowsKey + R
* type mmc and press enter
* Go to the File menu and choose Add/Remove snap in
* Click the Add button at the bottom
* Scroll down the list and find Resultant Set of Policy, select it, click the Add button
* Click Close
* Click OK
* Right click the Resultant Set of Policy in the left-hand pane and choose to Generate RSoP Data
* Click Next at the Welcome screen, Next past the logging/planning mode screen (it only lets me choose Logging mode here anyway)
* Click Next when it says This Computer
* Click the "Another User" radio button and pick out a username having the issue (it will only list the usernames of people who have logged on at this machine). Click Next.
* Untick "gather extended error info" and and click Next
* Click Finish when it's done
You then get something that looks very much like the Group Policy editor but only shows those settings that have been configured. Expand the tree on the left as normal and when you are looking at a group policy folder (e.g. Admin Templates > System > Logon, whatever) it will use the right pane to show you those settings that are configured, what they are configured to, and which GPO the setting is derived from. If you double click any setting you can look at the Precedence tab and see if two or more GPOs are fighting over the same setting and which one is winning.
It's still a case of trawling through looking for likely settings, but it narrows the search down only to those settings that are relevant and tells you where you can find the setting and change it.
Hope that helps (and that no-one has beaten me to typing this out while I've been writing it up)
Last edited by sonofsanta; 3rd July 2012 at 09:34 AM.
witch (3rd July 2012)
windows key + R is disabled as well as the run command when logged in as a user
When I do this as admin I don't get the option to choose another user-??
Thanks for the info though, I will save it for future reference
*all users are Windows 7
Last edited by witch; 3rd July 2012 at 10:23 AM.
A quick test here seems to suggest that if I run RSOP from my machine, I can select another computer and then choose from the list of users that have been logged on at that machine, so give it a go from your workstation and it might let you select the right combination.
You can also run it in your Active Directory console - right click on the computer or user in AD, go down to All Tasks and choose Resultant Set of Policy - Logging. It should be the same as above from there on out.
Just tried it on an IT suite machine rather than a netbook and got the option this time.
However, nothing visible so I am leaning towards permissions on the drive -anyone know where this might be??
I can't think there'd be permissions on the drives themselves, as they're likely to be formatted with FAT32 rather than NTFS so are technically incapable of supporting security permissions.
So I'm out of ideas as we don't block storage here. Sorry
Have a look at this link and see it any of the methods outlined have been implimented, especially points 2 and 3 in the how to as that could restrict students and not staff depending on the permissions set
How to disable USB sticks and limit access to USB storage devices on Windows systems | Diary Products - Hannes Schmidt
witch (3rd July 2012)
Nope, nothing implemented.
This is driving me mad
What is stopping the usb access??
Hi there the answer is in GPO. Its probably under the default domain policy or default desktop policy (depends on who wrote your GPO's) there is a setting User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer. which allows you to restrict access to drive A:, C:, D: E: (or combination of them) if you change this to c:\ only then access will be restored to usb & Cd's (assuming you want cd access) if not just restric access to C & D then E:\ would be usb. this should resolve the problem.
hope this helps.
cheers
Thanks,but not in default domain or default anything as this would affect all users and the staff CAN access the USB. I have looked everywhere in every other policy. All the settings are "not configured"!
Must be somewhere!
ok well. the setting is off by default so it must be enabled somewhere. possible a contradictory policy or a policy is being inherited from somewhere. have you got any other security software in place or just purely group policy ? I wrote all our polices from scratch and debated a lot about if to enable this feature or not as by default access is granted to pretty much everything.
i would run gp modelling on a pc in the student container and use a student user print the report off and loot at it that way (sorry if you have already but i can't think of anything else)
Nope, just group policy
Have run gpmodelling with no results that help.
I think something somewhere is enabled but isnt showing.
When I have time I am going to delete and recreate a few important policies and see if it works
ok well if you want second pair of eyes pm me the policy(s) and will take a look for you.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
