Safely Remove Hardware Icon not in Taskbar when flashdrive is plugged in

All replies

• 

  

  0

  Sign in to vote

  Hi,

  This info below is all assuming that you give users access to the Desktop Icons.  If you don't maybe you can take the info and apply it to your situation.

   

  As USB drives become more wide spread so does the need to eject them.  However USB is not really plug and play because the devices cannot removed safely with out ejecting them.  Ejecting is easy you say?  It should be!  But it's not. 

   

  In order to eject a flash drive users must have access to certian things.  The worst one is the control panel.  Without access to the control panel you cannot eject a flash drive.  Here is the security configuration I use

   

  1.  Create A Desktop Shortuct named Eject.

   

  Shortcut Path:

  %windir%\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll

   

  Icon Path:

  %windir%\system32\hotplug.dll

   

  2.  Do Not Stop Users from Having Access to Control Panel

   

  Windows Steady State 2.5 has an option in Windows Restrictions->Start Menu Restrictions->Remove The Control Panel Icon.   This must be UNCHECKED.  What it is really doing is prohibiting access to the control panel.

   

  3.  OPTIONAL Limit Which Control Panel Applets Users Can See.

   

  • In gpedit.msc navigate to User Configuration->Administrative Templates->Control Panel. 
  • Find the option - Show only specified Control Panel Applets and double click it.
  • Select the Enabled radio button and click show.
  • Add access.cpl and click ok, then apply.

  Issues

  This does not prevent access completely to the control panel but it is the best comprimise I can find.  There may be a way into the control panel files if the users have a thumb drive and on it a control pane shortcut. (pretty rare)  If they do have a shortcut to a specific applet they can double click it to run it.  So far there isn't a fix for that but in my opinon it's pretty unlikely.

   

  -Dan

  Wednesday, October 1, 2008 7:16 PM
• 

  

  0

  Sign in to vote

  Hi Dan, thanks for your prompt reply!

   

  OK, I did all that you said and I only have one problem. In your first line of your response you say:

  "This info below is all assuming that you give users access to the Desktop Icons.  If you don't maybe you can take the info and apply it to your situation."

   

  Now I assumed that If I put the Eject icon on the users desktop through the administrative account (C:\doc&settings, etc)

  that the user should be able to access this icon. I put icons for the user for some other programs on the desktop and they work fine.

   

  I have tried adding the run as a dll in the allowed programs in System State but it won't hold the changes.

   

  Any ideas?

   

  Thanks again

   

  Thursday, October 2, 2008 2:03 PM
• 

  

  0

  Sign in to vote

  Quick Background:

  In my configuration I use Windows XP Pro.  When Windows starts, users automatically get logged on to the computer.  At this point they have access to the Desktop and whatever icons I put there for them to use.  Typically: My Computer, My Document, Office 2007 Icons, Eject USB and a few others.

   

  Specifics on how I create the Desktop Shortcut.

  Through Steady State I create a public user account called “all”.  At this point I don’t put ANY restrictions on the account.  This means going to the Windows Restrictions and Feature Restrictions Tabs and choosing “No Restrictions”.  I do NOT lock the account.  At this point I logon to the “all” account.  Here is where I add the desktop icons, including my usb eject.  I don’t add them from the administrative account.  From what I’ve learned it is less troublesome to do it this way.

  1.       Right click on the desktop, Choose NEW, Shortcut

  2.       Put in: %windir%\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll and click Next

  3.       Add a name for the shortcut.  I use Eject Usb

  4.       Now it’s on the desktop but has a crappy icon.

  5.       Right click the new shortcut on the desktop and go to properties

  6.       Click Change Icon…

  7.       Put in: %windir%\system32\hotplug.dll and click OK

  8.       This will bring up a list of icons.  I use the first one.  Select it and Choose OK

  9.       Click OK at the Eject USB Properties.

  10.   Now you have an Eject USB icon with the correct icon.

  11.   Test it out.

  Lock the user account so that the Eject USB icon still works

  After I have the all account setup just like I want it I go back to my admin account and get ready to lock it down with Steady State.   In Steady state I choose High Restrictions for both Windows Restrictions and Feature Restrictions.  I don’t leave all boxes checked.  Here is what I do:

  Windows Restrictions – I use all the defaults in High Restrictions except for:

  ·         Uncheck: Remove the My Documents Icon

  ·         Uncheck: Remove Control Panel Icon – THIS ALLOWS THE USB EJECT TO WORK

  ·         Uncheck: Remove the Shut Down button

  ·         Uncheck: Remove CD and DVD burning features

  ·         Uncheck: Allow only programs in the Programs Files and Windows folders to run – I do this because of custom software….don’t do this unless you need to.

  Feature Restrictions - I use all the defaults in High Restrictions except for:

  ·         Uncheck: Prevent Printing

  ·         Uncheck: Third Party Extension tools – ALWAYS UNCHECK THIS

  At this point restrictions are set and I lock the “all” profile.  If you follow these steps you should be able to logon and the USB shortcut will work.  I don’t do anything in the Block Programs for the DLL so I would get rid of that customization.

   

  Let me know if that helps

  -Dan

   

  Thursday, October 2, 2008 3:45 PM
• 

  

  0

  Sign in to vote

  Thank you so very much Dan, everything is working like a charm!

   

  Monday, October 6, 2008 4:57 PM