Hi,
can anyone enlighten me as to how to prevent students running Windows batch files in their home directories.
We have an OU set up in Active Directory which contains all the pupils, also in separate OUs for each year group.
I need to block all students regardless of their location when logging on.
For their areas, we have a main network share setup called students, with hidden shares (\\server\share name$) setup for all student areas.
I tried applying a new GP object to the Pupil OU and the following paths, but this didn't work! (See attachment)
Thanks if anyone can help,
Mark

There is an easy way, but for the life of me I can't remember what it is! You can, however try:
Computer Config - Windows Settings - Software Restriction Policies - Designated file types and getting rid of .BAT and others, as always please be careful.

A bit of a bugger if you have your logon scripts as .bat files
Another reason to move to vbs I suppose.

Do you specify the scripts per user or in AD GPO's?

Per user ... and since that is pretty much the last thing that happens when a user logs in the GPO would prevent the login script if it is a batch file.
I tried it a while ago and that is why I don't restrict .bat files atm
An alternative is to use software like NTP's File & Quota Sentinel ... it will kill off certain files as they are saved ... or better still, give the user access to create and save it, but they then can't delete or run it ... and so it sits there, waiting for you to find it and have a conversation with the luser in question ...
Mwuhahaha ... Mwuhahahahahaha .... MWUHAHAHAHAHA!!!!!
koff ... sorry ... forgot myself for a minute.

If you apply logon scripts via GPO all should be fine as they should be exempted policies because it is an 'approved' script.

You can run the script at http://edugeek.net/index.php?name=Fo...iewtopic&t=178 to delete all these files at logon/logoff which will prevent them storing up the files and you can prevent them being downloaded using your proxy's controls.
This isn't ideal but will mean that they need to re-create the files from scratch or sneak them through your firewall.
You should block .vbs across the domain too though.
Originally Posted by GrumbleDook
We block *.bat, *.cmd, *.vbs and then allow 'pupil.bat' (or whatever) as a hash rule. A hash rule overrules a path rule; also a 'more specific' unrestricted path rule overrules a less specific path rule. I.e. if you block *.bat but allow pupil.bat then pupil.bat should run as the rule is more specific. We've found that isn't too reliable in the past though. Allowing via hash rules does seem to work for us every time.
Can't you just take away exec rights on the home drives?
Just give them List, Read and Write; even though they don't have "Modify", it will still let them make changes to existing files, but voila, no exec rights for anything...

@E1uSiV3: Then you can't open folders.
Not if you get the inheritable and owner permissions correct.
Originally Posted by Ric_

But it's a pain in the arse to set up!
Originally Posted by Geoff
Yes I know. Much easier on Linux.
Originally Posted by Ric_
Code:
# remount the already-mounted /home with execution disabled
mount -o remount,rw,noexec,nosuid,nodev /home
lol go geoff
btw look at a tool called SetACL
It's real powerful, and I use it to set home dir perms, ownership etc etc. Tis pretty fast too...
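Added example (not posted in this thread, and using the built-in icacls rather than SetACL): the "no exec rights on the home drive" approach from E1uSiV3 and Geoff, with the inheritance split that answers Ric_'s "you can't open folders" objection. Folders get an ACE with RX so they can still be opened; files inherit a separate ACE with no Execute bit. The domain, user and share path are assumed placeholders.

```powershell
# Added example (not from the thread): lock a student's home folder so files
# inherit Read/Write/Delete but never Execute, while folders keep Traverse so
# Explorer can still open them. Domain, user and path below are assumed.
param(
    [string]$Domain = 'SCHOOL',
    [string]$User   = 'pupil01',
    [string]$Home   = "\\server\pupil01$"
)
$Identity = "$Domain\$User"

function Set-NoExecHomeAcl {
    param([string]$Path, [string]$Identity)
    # Drop inherited ACEs so rights from the parent share can't reintroduce Execute.
    icacls $Path /inheritance:r | Out-Null
    # Administrators keep full control on folders and files.
    icacls $Path /grant "BUILTIN\Administrators:(OI)(CI)F" | Out-Null
    # (CI) only: applies to this folder and subfolders, not files. RX gives
    # List + Traverse so the student can open folders; W lets them create
    # files and subfolders; D lets them delete subfolders.
    icacls $Path /grant "${Identity}:(CI)(RX,W,D)" | Out-Null
    # (OI)(IO): inherited by files only. R,W,D but no X, so a .bat, .cmd or
    # .exe saved here cannot be executed from this location.
    icacls $Path /grant "${Identity}:(OI)(IO)(R,W,D)" | Out-Null
}

function Test-NoExecHomeAcl {
    param([string]$Path, [string]$Identity)
    # $true when no Allow ACE that files would inherit grants ExecuteFile
    # to the student. Run this after any permission change to catch mistakes.
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $oi   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $bad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.InheritanceFlags -band $oi) -and
        ($_.FileSystemRights -band $exec)
    }
    return (-not $bad)
}

Set-NoExecHomeAcl -Path $Home -Identity $Identity
if (Test-NoExecHomeAcl -Path $Home -Identity $Identity) {
    "OK: files under $Home inherit no Execute right for $Identity"
} else {
    "WARNING: an ACE on $Home still lets $Identity execute files"
}
```

Note that this only stops execution from the home folder itself; a copy made to a location where the student has Execute would still run, which is why the thread pairs it with the SRP path/hash rules above.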