+ Post New Thread
Page 2 of 3 FirstFirst 123 LastLast
Results 16 to 30 of 33
Windows Server 2008 R2 Thread, Students denied access to usb in Technical; Originally Posted by SYNACK new plan, 2008r2 also has gpo modelling, its an option in the group policy management snapin, ...
  1. #16

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,042
    Thank Post
    1,314
    Thanked 2,308 Times in 1,623 Posts
    Rep Power
    692
    Quote Originally Posted by SYNACK View Post
    new plan, 2008r2 also has gpo modelling, its an option in the group policy management snapin, this should let you pick a user and machine to test for.
    I'm having enough problem with the old plan!
    What now? Where?

  2. #17

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,042
    Thank Post
    1,314
    Thanked 2,308 Times in 1,623 Posts
    Rep Power
    692
    OK. Another tack.
    Might be permissions set on the usb denying access to students. Where would that be then?

  3. #18


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,618
    Thank Post
    275
    Thanked 777 Times in 604 Posts
    Rep Power
    223
    @witch

    If these are XP clients, check to see that c:\Windows\inf\usbstor.inf (and usbstor.pnf) exist. If it does, ensure that there isn't a deny acl on them.
    Last edited by pete; 3rd July 2012 at 09:32 AM.

  4. #19

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,815
    Thank Post
    837
    Thanked 1,392 Times in 959 Posts
    Blog Entries
    47
    Rep Power
    602
    Resultant Set of Policy (it's a very handy thing to know, so worth perservering with here)
    * Log on to a computer that has had the problem as administrator
    * Open your Run prompt from the start menu or with windowsKey + R
    * type mmc and press enter
    * Go to the File menu and choose Add/Remove snap in
    * Click the Add button at the bottom
    * Scroll down the list and find Resultant Set of Policy, select it, click the Add button
    * Click Close
    * Click OK
    * Right click the Resultant Set of Policy in the left-hand pane and choose to Generate RSoP Data
    * Click Next at the Welcome screen, Next past the logging/planning mode screen (it only lets me choose Logging mode here anyway)
    * Click Next when it says This Computer
    * Click the "Another User" radio button and pick out a username having the issue (it will only list the usernames of people who have logged on at this machine). Click Next.
    * Untick "gather extended error info" and and click Next
    * Click Finish when it's done

    You then get something that looks very much like the Group Policy editor but only shows those settings that have been configured. Expand the tree on the left as normal and when you are looking at a group policy folder (e.g. Admin Templates > System > Logon, whatever) it will use the right pane to show you those settings that are configured, what they are configured to, and which GPO the setting is derived from. If you double click any setting you can look at the Precedence tab and see if two or more GPOs are fighting over the same setting and which one is winning.

    It's still a case of trawling through looking for likely settings, but it narrows the search down only to those settings that are relevant and tells you where you can find the setting and change it.

    Hope that helps (and that no-one has beaten me to typing this out while I've been writing it up)
    Last edited by sonofsanta; 3rd July 2012 at 09:34 AM.

  5. Thanks to sonofsanta from:

    witch (3rd July 2012)

  6. #20

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,042
    Thank Post
    1,314
    Thanked 2,308 Times in 1,623 Posts
    Rep Power
    692
    windows key + R is disabled as well as the run command when logged in as a user
    When I do this as admin I don't get the option to choose another user-??
    Thanks for the info though, I will save it for future reference


    *all users are Windows 7
    Last edited by witch; 3rd July 2012 at 10:23 AM.

  7. #21

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,815
    Thank Post
    837
    Thanked 1,392 Times in 959 Posts
    Blog Entries
    47
    Rep Power
    602
    Quote Originally Posted by witch View Post
    windows key + R is disabled as well as the run command when logged in as a user
    When I do this as admin I don't get the option to choose another user-??
    Thanks for the info though, I will save it for future reference
    A quick test here seems to suggest that if I run RSOP from my machine, I can select another computer and then choose from the list of users that have been logged on at that machine, so give it a go from your workstation and it might let you select the right combination.

    You can also run it in your Active Directory console - right click on the computer or user in AD, go down to All Tasks and choose Resultant Set of Policy - Logging. It should be the same as above from there on out.

  8. #22

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,042
    Thank Post
    1,314
    Thanked 2,308 Times in 1,623 Posts
    Rep Power
    692
    Just tried it on an IT suite machine rather than a netbook and got the option this time.
    However, nothing visible so I am leaning towards permissions on the drive -anyone know where this might be??

  9. #23

    sonofsanta's Avatar
    Join Date
    Dec 2009
    Location
    Lincolnshire, UK
    Posts
    4,815
    Thank Post
    837
    Thanked 1,392 Times in 959 Posts
    Blog Entries
    47
    Rep Power
    602
    I can't think there'd be permissions on the drives themselves, as they're likely to be formatted with FAT32 rather than NTFS so are technically incapable of supporting security permissions.

    So I'm out of ideas as we don't block storage here. Sorry

  10. #24
    old_n07's Avatar
    Join Date
    Jun 2012
    Location
    North Staffordshire
    Posts
    97
    Thank Post
    10
    Thanked 16 Times in 14 Posts
    Rep Power
    7
    Have a look at this link and see it any of the methods outlined have been implimented, especially points 2 and 3 in the how to as that could restrict students and not staff depending on the permissions set

    How to disable USB sticks and limit access to USB storage devices on Windows systems | Diary Products - Hannes Schmidt

  11. Thanks to old_n07 from:

    witch (3rd July 2012)

  12. #25

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,042
    Thank Post
    1,314
    Thanked 2,308 Times in 1,623 Posts
    Rep Power
    692
    Nope, nothing implemented.
    This is driving me mad
    What is stopping the usb access??

  13. #26

    Join Date
    Jun 2010
    Location
    Cardiff
    Posts
    74
    Thank Post
    32
    Thanked 2 Times in 2 Posts
    Rep Power
    9
    Hi there the answer is in GPO. Its probably under the default domain policy or default desktop policy (depends on who wrote your GPO's) there is a setting User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer. which allows you to restrict access to drive A:, C:, D: E: (or combination of them) if you change this to c:\ only then access will be restored to usb & Cd's (assuming you want cd access) if not just restric access to C & D then E:\ would be usb. this should resolve the problem.

    hope this helps.

    cheers

  14. #27

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,042
    Thank Post
    1,314
    Thanked 2,308 Times in 1,623 Posts
    Rep Power
    692
    Quote Originally Posted by richbrowncardiff View Post
    Hi there the answer is in GPO. Its probably under the default domain policy or default desktop policy (depends on who wrote your GPO's) there is a setting User Configuration \ Administrative Templates \ Windows Components \ Windows Explorer. which allows you to restrict access to drive A:, C:, D: E: (or combination of them) if you change this to c:\ only then access will be restored to usb & Cd's (assuming you want cd access) if not just restric access to C & D then E:\ would be usb. this should resolve the problem.

    hope this helps.

    cheers
    Thanks,but not in default domain or default anything as this would affect all users and the staff CAN access the USB. I have looked everywhere in every other policy. All the settings are "not configured"!
    Must be somewhere!

  15. #28

    Join Date
    Jun 2010
    Location
    Cardiff
    Posts
    74
    Thank Post
    32
    Thanked 2 Times in 2 Posts
    Rep Power
    9
    ok well. the setting is off by default so it must be enabled somewhere. possible a contradictory policy or a policy is being inherited from somewhere. have you got any other security software in place or just purely group policy ? I wrote all our polices from scratch and debated a lot about if to enable this feature or not as by default access is granted to pretty much everything.

    i would run gp modelling on a pc in the student container and use a student user print the report off and loot at it that way (sorry if you have already but i can't think of anything else)

  16. #29

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,042
    Thank Post
    1,314
    Thanked 2,308 Times in 1,623 Posts
    Rep Power
    692
    Nope, just group policy
    Have run gpmodelling with no results that help.
    I think something somewhere is enabled but isnt showing.
    When I have time I am going to delete and recreate a few important policies and see if it works

  17. #30

    Join Date
    Jun 2010
    Location
    Cardiff
    Posts
    74
    Thank Post
    32
    Thanked 2 Times in 2 Posts
    Rep Power
    9
    ok well if you want second pair of eyes pm me the policy(s) and will take a look for you.

SHARE:
+ Post New Thread
Page 2 of 3 FirstFirst 123 LastLast

Similar Threads

  1. Denied Access to Playback and Recording Devices
    By vehmeier in forum Windows Vista
    Replies: 2
    Last Post: 9th March 2010, 01:56 PM
  2. Deny access to RDP & CMD
    By mcloum in forum Wireless Networks
    Replies: 10
    Last Post: 12th January 2009, 01:50 PM
  3. Licensing issues associated with student remote access to terminal servers
    By meastaugh1 in forum Thin Client and Virtual Machines
    Replies: 2
    Last Post: 24th October 2008, 11:56 AM
  4. Restrict Access To USB Devices
    By MuppetQueen in forum Wireless Networks
    Replies: 25
    Last Post: 15th December 2005, 04:53 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •