Archive for February 2010

Best Practice: How to use Group Policy to make USB drives read only on Windows XP

One of the great new features in Windows 7 was BitLocker To Go, which lets IT administrators ensure that all data written to USB drives is encrypted. Alongside it Microsoft added a policy setting called “Deny write access to removable drives not protected by BitLocker”, which blocks writes to unencrypted USB drives while still allowing users to read the files already on them.

The problem with this policy setting is that it is only supported on the Windows 7 family (and Windows Server 2008 R2), so unless your SOE is 100% Windows 7, users can simply log on to a Windows XP or Windows Vista computer to get around the restriction.


Luckily Microsoft added a feature in Windows XP Service Pack 2 that lets administrators make USB mass storage devices (a.k.a. memory sticks) read only. It is controlled by a single registry value, so it can be deployed with a Group Policy Preferences Registry item. Keep in mind that it is a machine-wide setting, not a per-user one: it applies to every USB mass storage device plugged into the computer (USB hard drives included), and anyone with local administrator rights can delete the value again, so it is a control against careless data leakage rather than a hard security boundary.

Key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies (this key does not exist by default and has to be created)

Value: WriteProtect (REG_DWORD)

Data: 0 = Disabled (writes allowed)

Data: 1 = Enabled (USB storage is read only)

To implement this, edit a Group Policy Object that applies to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Click Action > New > Registry Item, select HKEY_LOCAL_MACHINE as the Hive, type System\CurrentControlSet\Control\StorageDevicePolicies into the Key Path field, type WriteProtect into the Value Name field, set the Value Type to REG_DWORD and the Value Data to 1, then click OK. Windows XP and Windows Vista clients also need the Group Policy Preferences client-side extensions installed (KB943729) before any Preference item, including this one, will apply.


Once the value is applied, a user who tries to write to a USB storage device sees the standard Windows “The disk is write-protected” error.


Note: This registry value also works on Windows Vista (and on Windows 7, if you want one setting across the whole fleet).
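The same registry value can be set from a script and, more usefully, audited across the fleet so you can confirm the Preference item actually landed. The following PowerShell is an added example and not part of the original post; it uses the key and value named above, the Remote Registry service on the target computers, and three made-up workstation names. It needs local administrator rights on each target.

```powershell
# Added example (not from the original post): set the XP SP2 / Vista / 7
# USB write-protect value locally, then audit a list of computers through
# the Remote Registry service. The computer names at the bottom are made up.
$KeyPath   = 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Set-UsbWriteProtect {
    param([bool]$Enabled = $true)
    $key = 'HKLM:\' + $KeyPath
    # StorageDevicePolicies does not exist by default; create it first.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $data = if ($Enabled) { 1 } else { 0 }
    # The value must be a REG_DWORD; a REG_SZ "1" is silently ignored.
    Set-ItemProperty -Path $key -Name $ValueName -Value $data -Type DWord
}

function Get-UsbWriteProtect {
    param([string]$ComputerName = $env:COMPUTERNAME)
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $sub  = $hive.OpenSubKey($KeyPath)
        # A missing key is reported as $null, which is non-compliant.
        $value = if ($sub -eq $null) { $null } else { $sub.GetValue($ValueName) }
        New-Object PSObject -Property @{
            Computer     = $ComputerName
            WriteProtect = $value
            Compliant    = ($value -eq 1)
            Error        = $null
        }
    } catch {
        New-Object PSObject -Property @{
            Computer     = $ComputerName
            WriteProtect = $null
            Compliant    = $false
            Error        = $_.Exception.Message
        }
    }
}

# Usage: enforce locally, then audit a few workstations (placeholder names).
Set-UsbWriteProtect -Enabled $true
'WS-XP-001', 'WS-VISTA-002', 'WS-7-003' |
    ForEach-Object { Get-UsbWriteProtect -ComputerName $_ } |
    Format-Table Computer, WriteProtect, Compliant, Error -AutoSize
```

Because the value is only a registry DWORD, a Compliant = True row tells you the policy was written, not that a drive is actually refused; for a spot check, plug a memory stick into one audited machine and confirm the write-protected error appears.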

Update: It seems that the Microsoft KB articles had the wrong registry keys.

I got the correct key from http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/

For additional WRONG information on this feature see the links below:
http://support.microsoft.com/kb/555441
http://support.microsoft.com/kb/823732

Loopback Policy Processing Debug Series – Replace Mode | CB5 Blog

Loopback Policy Processing Debug Series – Merge Mode | CB5 Blog

Rich has just posted Part 2 of his in-depth look at loopback Group Policy processing. Check it out at CB5 Blog | Loopback Policy Processing Debug Series – Merge Mode

Loopback Policy Processing Debug Series – Normal Mode | CB5 Blog

Ever wanted to know how loopback Group Policy really works? Well, Rich Crandall on the CB5 Blog has just done the first post in a three-part series explaining how loopback policy is applied.

Check it out at CB5 Blog | Loopback Policy Processing Debug Series – Normal Mode

Group Policy Setting of the Week 13 – Files

This week I have selected the Group Policy Preferences “Files” setting, which can be found under either User Configuration or Computer Configuration > Preferences > Windows Settings > Files. I commonly see the Update action used where a licence file or a single .exe needs to be kept current on all the computers in an organisation: a master copy of the file(s) is stored on a central server, and when that master copy changes every computer receives the new version at its next policy refresh. Much better than a logon script!

You also have to ensure that the destination folder for the Create, Replace and Update actions already exists, as the Files item will not create the folder for you; if you need the folder created, use a “Folders” item. Also make sure you deploy the item in the correct context: User context for files going into the user's profile, and Computer context for files going into the Program Files folder. Remember that Computer-context items are processed as the local SYSTEM account, so whatever sits in the source share is copied with full privileges onto every computer that applies the GPO. Lock the source share and folder down so that only administrators can write to it; otherwise anyone who can drop a file there can have it delivered into Program Files on the whole fleet.

This is a Create, Replace, Update and Delete (CRUD) enabled setting, so the behaviour differs depending on the action you choose. All four actions support wildcards, so a single item can copy (or delete) multiple files.
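Before pointing a Computer-context Files item at a share, it is worth checking who can actually write to the source folder. The following PowerShell is an added example, not code from the original post: it reads the NTFS ACL of a folder (the path is a placeholder) and reports any Allow entry that grants write, delete or permission-change rights to a broad group. The list of “broad” groups is an assumption you should adjust for your own domain.

```powershell
# Added example (not from the original post): flag broad write access on the
# folder a Files preference item will copy from. Path and group list are
# assumptions; tune them for your environment.
function Test-GppSourceAcl {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Groups that should never be able to change a file clients copy as SYSTEM.
    $broadGroups = 'Everyone',
                   'NT AUTHORITY\Authenticated Users',
                   'BUILTIN\Users',
                   'Domain Users',
                   'Domain Computers'

    # Only the bits that let someone alter content or permissions; Modify and
    # FullControl are deliberately not named here because they include read bits
    # that would make a read-only ACE match.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, ' +
        'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    # Generic rights occasionally appear in ACEs; GENERIC_WRITE and GENERIC_ALL.
    $genericWrite = 0x40000000 -bor 0x10000000

    $acl = Get-Acl -Path $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        $isBroad = $false
        foreach ($g in $broadGroups) { if ($identity -like "*$g") { $isBroad = $true } }
        if (-not $isBroad) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    if ($findings) { $findings | Format-Table Path, Identity, Rights, Inherited -AutoSize }
    else { Write-Output "OK: no broad write access found on $Path" }
}

# Usage (placeholder UNC path):
Test-GppSourceAcl -Path '\\fileserver\gpp-sources\app'
```

Get-Acl only sees the NTFS permissions; the share-level permissions on the server are a second gate, and both have to be tight. Run the check against the files themselves as well as the folder, since an explicit ACE on app.exe is enough to let someone replace it.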

Create

This action copies a file from a source location (such as a network share) to a destination (such as the local computer) only if the destination file does not already exist; an existing file is left untouched even if it differs from the source.


Replace

Again, this action copies a file from a source location (such as a network share) to a destination (such as the local computer), but it deletes and overwrites the destination if it already exists, so the result is always an exact copy of the source.


Update

This one is very similar to Replace, except that it only changes the attributes that differ, refreshing the content when the source file is different. If the destination file does not already exist, it behaves the same as the Create action.


Delete

As the name suggests, this action deletes whatever file(s) you specify in the “Delete file(s):” field. Remember that this also accepts wildcards, so “C:\Path\*.*” removes every file in that folder; double-check the path before you link the GPO.
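The four actions are easy to confuse, and a wrong one (Replace instead of Create, or a wildcard Delete against the wrong folder) is applied to every computer at once. The following PowerShell is an added example and not the Files preference's own implementation: it approximates the Create, Replace, Update and Delete semantics described above with plain file operations, so you can dry-run an item against a test folder before deploying it. The Update check (size and last-write time) is an assumption that stands in for the preference's own comparison; the paths are placeholders.

```powershell
# Added example (not from the original post): dry-run the four Files preference
# actions with ordinary file operations. Not the real CSE; Update's "is it
# different" test is an approximation. Paths in the usage lines are placeholders.
function Invoke-GppFileAction {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Create', 'Replace', 'Update', 'Delete')]
        [string]$Action,
        [string]$Source,        # file or wildcard, e.g. \\server\share\app\*.dll
        [Parameter(Mandatory = $true)]
        [string]$Destination    # a file path, or a folder when Source is a wildcard
    )

    if ($Action -eq 'Delete') {
        # Delete only looks at the destination and honours wildcards.
        Get-ChildItem -Path $Destination -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Remove-Item -Force
        return
    }

    # The preference never creates the destination folder; mirror that and fail early.
    $destIsFolder = Test-Path -Path $Destination -PathType Container
    $destDir = if ($destIsFolder) { $Destination } else { Split-Path -Path $Destination -Parent }
    if (-not (Test-Path -Path $destDir -PathType Container)) {
        throw "Destination folder '$destDir' does not exist; create it with a Folders item first"
    }

    $sources = Get-ChildItem -Path $Source | Where-Object { -not $_.PSIsContainer }
    foreach ($src in $sources) {
        $target = if ($destIsFolder) { Join-Path -Path $Destination -ChildPath $src.Name } else { $Destination }
        $exists = Test-Path -Path $target -PathType Leaf

        switch ($Action) {
            'Create' {
                # Only when the target is missing; an existing file is left alone.
                if (-not $exists) { Copy-Item -Path $src.FullName -Destination $target }
            }
            'Replace' {
                # Always ends with an exact copy of the source.
                if ($exists) { Remove-Item -Path $target -Force }
                Copy-Item -Path $src.FullName -Destination $target
            }
            'Update' {
                # Copy when missing or apparently different, then sync attributes.
                $differs = $true
                if ($exists) {
                    $cur = Get-Item -Path $target
                    $differs = ($cur.Length -ne $src.Length) -or
                               ($cur.LastWriteTimeUtc -ne $src.LastWriteTimeUtc)
                }
                if ($differs) { Copy-Item -Path $src.FullName -Destination $target -Force }
                (Get-Item -Path $target).Attributes = $src.Attributes
            }
        }
    }
}

# Usage against a scratch folder (placeholder paths):
Invoke-GppFileAction -Action Update  -Source '\\fileserver\gpp-sources\app\licence.lic' -Destination 'C:\Temp\gpp-test\licence.lic'
Invoke-GppFileAction -Action Create  -Source '\\fileserver\gpp-sources\app\*.dll'       -Destination 'C:\Temp\gpp-test'
Invoke-GppFileAction -Action Delete  -Destination 'C:\Temp\gpp-test\*.tmp'
```

Running this under a test account against a scratch folder shows exactly which files an item would touch; in particular the Delete line makes the reach of a wildcard obvious before the same pattern goes into a GPO.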
