USB Sticks for users

[Toni Van Remortel]

Hi,

On our domain (loaded with students), users have offcourse no admin rights.
This gives problems with USB memory sticks. WHen a user plugs his/her stick
into the USB port, Windows starts to install a lot of drivers. Sometimes
this works, sometimes Windows gets angry about it and refuses any further
actions.

Is there a way to allow users to install the drivers anyway? I think it's a
problem with unsigned drivers (and even some drivers from Windows appear as
unsigned, weird).

Thanx.

 

[Richard G. Harper]

You should be able to set Windows 2000 to default to accepting unsigned
drivers:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/596.asp

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Toni Van Remortel]

You should be able to set Windows 2000 to default to accepting unsigned
drivers:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/596.asp


Well, I did enable this, and now _every_ workstation refuses to install any
driver for the user, while before it only happend with a few.
It seems that everything in AD is inverted here (almost all settings I apply
through a GPO, don't do what they should).

*sigh* Getting sick of AD here :-(

 

[Richard G. Harper]

I wish I had some sage advice, but all I can offer is that the policies work
on my AD network exactly as they should.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Toni Van Remortel]

I wish I had some sage advice, but all I can offer is that the policies
work on my AD network exactly as they should.

I'm afraid that the previous sysadmin did too much "registry hacking
sessions" on the domain controller.
I'll try to manage it through low level workstation registry hacks.

Tnx anyway.

 

[Richard G. Harper]

The only thing to keep in mind is that most "workstation registry hacks" are
liable to be overridden by Group Policy when it pushes out. The workstation
settings are the basis for the settings that will apply after GPO comes
down - so you may enable it on the workstation only to have your rogue GPO
turn it right back off again.

I'd really start thinking about using something like the RSOP (Resultant Set
of Policies) tool on Windows XP, or the Windows Server 2003 DCs, to analyze
what's going on with GPO. If that's not possible (all your workstations are
Windows 2000) then it might just pay to start up a new GPO with the settings
you want and then nuke all the existing GPOs that you can't figure out.

Just a thought.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[ephemeral.strobe]

As far as I know this problem can be solved with such tools like
ScriptLogic Desktop Authority.

 

[Toni Van Remortel]

I'd really start thinking about using something like the RSOP (Resultant
Set of Policies) tool on Windows XP, or the Windows Server 2003 DCs, to
analyze what's going on with GPO.

I did a walkthrough of all GPO settings and found some that bothered me:
- Windows Settings
- Security Settings
- Public Key Policies/Autoenrollment Settings [this doesn't exist in my AD
- Policy : enqbled
- Renew expired certificates ... : disabled
- Update certificates ... : disabled
I like to enable these, but they don't shop up in my GPO editor.

What I still don't like, is that the error occurs on C:\Winnt\inf\usb.inf
and that the driver is unsigned. It is a Microsoft driver as far as I know.

Last note: it only appears on newly installed computers. Older installations
(with automatic updates enabled) do not have the problem ...

 

[Toni Van Remortel]

You should be able to set Windows 2000 to default to accepting unsigned
drivers.

Ok, one of my colleages found a solution.
First, you need offcourse the policy to allow installing unsigned drivers by
users.
Second, I've set a machine policy: modify rights for authenticated users on
inf\usb.inf. This seems to be the solution!

Hope this helps others too

Regards,