  1. #1


    Blocking Batch Files using Group Policy in Server 2003

    Hi,
    can anyone enlighten me as how to prevent students running windows batch files in their home directories.
    We have an OU setup in Active Directory, which contains all the pupils also in separate OUs for each year group
    I need to block all students regardless of their location for logging on.
    For their areas, we have a main network share setup called students, with hidden shares (\\server\share name$) setup for all student areas.
    I tried applying a new GP object to the Pupil OU and the following paths, but this didn't work! (See attachment)
    Thanks if anyone can help,
    Mark

  2. #2

    Dos_Box

    There is an easy way, but for the life of me I can't remember what it is! You can, however try:
    Computer Config - Windows Settings - Software Restriction Policies - Designated file types and getting rid of .BAT and others, as always please be careful.

  3. #3

    GrumbleDook

    A bit of a bugger if you have your logon scripts as .bat files

    Another reason to move to vbs I suppose.

  4. #4

    Dos_Box

    Do you specify the scripts per user or in AD GPOs?

  5. #5

    GrumbleDook

    Per user ... and since that is pretty much the last thing that happens when a user logs in the GPO would prevent the login script if it is a batch file.

    I tried it a while ago and that is why I don't restrict .bat files atm

    An alternative is to use software like NTP's file & quota sentinel ... it will kill off certain files as they are saved ... or better still, give the user access to create and save it, but they then can't delete or run it ... and so it sits there, waiting for you to find it and have a conversation with the luser in question ...

    Mwuhahaha ... Mwuhahahahahaha .... MWUHAHAHAHAHA!!!!!

    koff ... sorry ... forgot myself for a minute.

  6. #6

    Dos_Box

    If you apply logon scripts via GPO all should be fine as they should be exempted policies because it is an 'approved' script.

  7. #7

    Ric_

    You can run the script at http://edugeek.net/index.php?name=Fo...iewtopic&t=178 to delete all these files at logon/logoff which will prevent them storing up the files and you can prevent them being downloaded using your proxy's controls.

    This isn't ideal but will mean that they need to re-create the files from scratch or sneak them through your firewall.

  8. #8
    eejit

    Originally posted by GrumbleDook:
    > A bit of a bugger if you have your logon scripts as .bat files
    >
    > Another reason to move to vbs I suppose.

    You should block .vbs across the domain too though.

    We block *.bat, *.cmd, *.vbs and then allow 'pupil.bat' (or whatever) as a hash rule. A hash rule overrules a path rule, also a 'more specific' path rule unrestricted overrules a less specific path rule. I.e. if you block *.bat but allow pupil.bat then the pupil.bat should run as the rule is more specific. We've found that isn't too reliable in the past though. Allowing hash rules does seem to work for us every time.
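
The precedence eejit describes in post #8 (a hash rule beats a path rule, and a more specific path rule beats a less specific one), as an added Python model that is not part of the original thread and is not Windows' own implementation. The `Rule` class, the specificity score, the tie-break, the SHA-256 digest and the sample script bytes are assumptions constructed for illustration.

```python
import fnmatch
import hashlib
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:              # hypothetical model, not a Windows API
    kind: str            # "hash" or "path"
    value: str           # hex digest, or wildcard pattern such as *.bat
    level: str           # "Unrestricted" or "Disallowed"

def digest(content: bytes) -> str:
    # Assumption: SHA-256 stands in for the digest the policy stores.
    return hashlib.sha256(content).hexdigest()

def specificity(pattern: str) -> int:
    # Simplified score: more literal (non-wildcard) characters = more specific.
    return sum(ch not in "*?" for ch in pattern)

def path_matches(pattern: str, path: str) -> bool:
    p, f = pattern.lower(), path.lower()
    # A pattern without a directory part is compared with the file name only.
    target = f if "\\" in p else ntpath.basename(f)
    return fnmatch.fnmatchcase(target, p)

def evaluate(rules, path, content, default="Unrestricted"):
    """Return (level, deciding_rule) for one file; deciding_rule may be None."""
    file_hash = digest(content)
    for rule in rules:                       # 1. any hash match wins outright
        if rule.kind == "hash" and rule.value == file_hash:
            return rule.level, rule
    hits = [r for r in rules if r.kind == "path" and path_matches(r.value, path)]
    if hits:                                 # 2. most specific path rule wins;
        best = max(hits, key=lambda r: (     #    on a tie, Disallowed wins
            specificity(r.value), r.level == "Disallowed"))
        return best.level, best
    return default, None                     # 3. no rule matched

# Constructed sample data: the approved logon script and the thread's rule set.
LOGON_SCRIPT = b"@echo off\r\necho constructed logon script\r\n"
RULES = [
    Rule("path", "*.bat", "Disallowed"),
    Rule("path", "*.cmd", "Disallowed"),
    Rule("path", "*.vbs", "Disallowed"),
    Rule("hash", digest(LOGON_SCRIPT), "Unrestricted"),
]
```

With these rules, `evaluate(RULES, r"H:\pupil.bat", LOGON_SCRIPT)` is allowed by the hash rule, while the same file with one byte changed falls back to the `*.bat` block. A name-only path exception for `pupil.bat` would keep matching whatever the file contains, which is the practical difference between the two kinds of exception.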

  9. #9


    can't you just take away exec rights on the home drives?

    Just give them List, Read and Write, even though they don't have "Modify", it will still let them make changes to existing files, but voila, no exec rights for anything...

  10. #10

    Ric_

    @E1uSiV3: Then you can't open folders.

  11. #11

    Geoff

    Originally posted by Ric_:
    > @E1uSiV3: Then you can't open folders.

    Not if you get the inheritable and owner permissions correct.

  12. #12

    Ric_

    Originally posted by Geoff:
    > Originally posted by Ric_:
    > > @E1uSiV3: Then you can't open folders.
    > Not if you get the inheritable and owner permissions correct.

    But it's a pain in the arse to set up!

  13. #13

    Geoff

    Originally posted by Ric_:
    > Originally posted by Geoff:
    > > Originally posted by Ric_:
    > > > @E1uSiV3: Then you can't open folders.
    > > Not if you get the inheritable and owner permissions correct.
    > But it's a pain in the arse to set up!

    Yes I know. Much easier on Linux.

    Code:
    # Mount /home (as listed in /etc/fstab) with execution, setuid and device files disabled
    mount -o rw,noexec,nosuid,nodev /home

  14. #14


    lol go Geoff

    btw look at a tool called SetACL

    It's real powerful, and I use it to set home dir perms, ownership etc etc. Tis pretty fast too...
