Windows 2003 Group Policy

[Guest]

We are using Windows 2003 Domain Server with Window XP and Windows 2000 Prof
client PCs. We have followed those instructions to setup new GPO for USB
storage device/floppy disk/cdrom disabled.

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
http://support.microsoft.com/?kbid=555324

Disabling USB Storage with Group Polic
http://www.windowsdevcenter.com/pub.../disabling-usb-storage-with-group-policy.html


The steps:
- Create a new adm file, and then copy to \%system%\inf folder
- Go to OU --> GPO --> Computer Configuration --> Administrative Templates
--> "Add the new adm"
- Also Enabled those policies

Enable USB (Enabled)
Enable CD-ROM (Enabled)
Enable Floppy (Enabled)
Enable High Capacity Floppy (Enabled)

It's should be worked.

1. Unfortunately, when we want to stop this policy, "Change to Not
configure", it's failed. At last, it has been finished when we changed those
policies as following

Enable USB (Disabled)
Enable CD-ROM (Disabled)
Enable Floppy (Disabled)
Enable High Capacity Floppy (Disabled)

Why ? "not configure" = back to normal as previous policy ???

2. Our OU strcuture

- IT
- IT1
- IT2
- FIN
- SERVER

We just assigned this new policy to IT OU, supposed it only post to IT OU,
IT1/IT2 sub OU ... But just find some of servers are also lose CDROM and
Floppy ? What's happened ?

Can help please ?

 

[Mark Heitbrink [MVP]]

Hi,

1. Unfortunately, when we want to stop this policy, "Change to Not
configure", it's failed. [...] Why ? "not configure" = back to
normal as previous policy ???

Because you are working with NT4 style policies (red icons) and not
"fully managed 200 Style" (blue icons)
The red ones are tattoing the registry. They are not within one of
the \policies hives in the registry.
"Not configured" means with this kind of policy: "The actual setting
will not be changed". So if you have activated it, it stays like this
if you set it back to "not configured". (it´s still active)
If the behavior of "deactivated" fits your wishes is depending on the
ADM Template and how it is defined, what happens to the value
on "deactivate"

Mark

 

[Guest]

Thanks for your reply !

In case, I have changed back the policy as "deactivate".

Enable CD-ROM (Disabled)
Enable Floppy (Disabled)

It's worked. The CD-ROM and floppy drive come back. Furthermore, I have got
one more testing.

1. Use one domain PC -> Enable CD-ROM (Disabled), and then reboot for a few
times. I make sure CD-ROM & Floppy drive appeared.
2. Changed to "CD-ROM (Not Configured)", and also reboot for a few
times...oh, CD-ROM lose again...
3. Why it did not hold in active mode after step 1.

Many thanks !

Hi,

1. Unfortunately, when we want to stop this policy, "Change to Not
configure", it's failed. [...] Why ? "not configure" = back to
normal as previous policy ???

Because you are working with NT4 style policies (red icons) and not
"fully managed 200 Style" (blue icons)
The red ones are tattoing the registry. They are not within one of
the \policies hives in the registry.
"Not configured" means with this kind of policy: "The actual setting
will not be changed". So if you have activated it, it stays like this
if you set it back to "not configured". (it´s still active)
If the behavior of "deactivated" fits your wishes is depending on the
ADM Template and how it is defined, what happens to the value
on "deactivate"

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.