GPO in windows server 2008 cannot apply on windows xp.

  • Question

  • I have set up a domain server running the 2008 version, and set up the group policy to disable write access on removable memory disks. But in the end it applied successfully on Vista platform clients only; on all platforms with Windows XP SP2 it does not apply. Is there some wrong or missing setting? Could you give me any solutions for this? Thanks

    July 4, 2008, 3:08 AM

Answer

  • Dear Customer,

    To disable USB storage, we can do the following:

    1. If a USB storage device is not already installed on the computer, assign the user or the group Deny permissions to the following files:

    - %SystemRoot%\Inf\Usbstor.pnf

    - %SystemRoot%\Inf\Usbstor.inf

    If the computers are in the domain, you can do the following:

    To set the file permission from a GPO:

    a. Open the Domain Policy or OU policy which will apply to the client computers.

    b. Expand Computer Configuration\Windows Settings\Security Settings\File System.

    c. Right-click File System, select Add File, type c:\windows\inf\Usbstor.pnf in the text box and click OK.

    d. Set the permission to deny the users read/write/full control of the file. NOTE: Please just add the user account; do not deny the Everyone group.

    e. Click OK to end the configuration.

    f. Repeat step c to step e to add Usbstor.inf this time.

    You will see that the %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf items are listed in the right panel. When the GPO applies, this setting will apply to all the domain members. Users will not have the permission to read the file and then cannot add the USB storage device.

    2. If a USB storage device is already installed on the computer, set the "Start" value in the following registry key to 4:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

    For more information, please refer to:

    823732 HOW TO: Disable the Use of USB Storage Devices in Windows XP   http://support.microsoft.com/?id=823732

    To set the registry key:

    There is a command-line tool, Reg.exe, in the Windows 2000 and Windows XP Support Tools, which can help us modify registry keys from the command line.

    You can write a batch file to set the data of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\start to 4.

    Then add the batch file to the domain or OU GPO as a computer startup policy. When a domain member starts up, this batch file will be applied to it and the installed USB storage device cannot be used.

    There is a third-party tool to manage USB storage devices. For more information, please refer to:

    http://www.reflex-magnetics.com/products/disknetpro/

    NOTE: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Hope it helps.

    Thanks & Regards

    Tom Zhang

    July 22, 2008, 8:04 AM
    Moderator
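
The registry step from the answer above, written out as a computer startup script. This is an added example, not part of the original reply or of the referenced KB article. It assumes a Windows XP client where reg.exe and cacls.exe are on the PATH; the log file location is a hypothetical choice.

```batch
@echo off
rem Added example: startup script for step 2 of the answer (UsbStor Start = 4).
rem Assumption: the log path below is hypothetical; pick one only admins can write to.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
set LOG=%SystemRoot%\Temp\usbstor-policy.log

rem Case 1 of the answer: no USB storage device installed yet, so the service
rem key may be absent. Do not create it; the file-permission GPO covers this case.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% UsbStor key not present, nothing to set
    goto :acl
)

rem Case 2: the driver is installed. Start = 4 marks the service as disabled.
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f >nul 2>&1

rem Read the value back so a failed write shows up in the log instead of passing silently.
reg query "%KEY%" /v Start | find /i "0x4" >nul
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% FAILED to set UsbStor Start to 4
) else (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% UsbStor Start is 4
)

:acl
rem Record the current ACLs on the two files from step 1 so the Deny entries
rem pushed by the File System policy can be confirmed per machine.
cacls "%SystemRoot%\Inf\Usbstor.inf" >>"%LOG%" 2>&1
cacls "%SystemRoot%\Inf\Usbstor.pnf" >>"%LOG%" 2>&1
endlocal
```

Startup scripts run in the computer's security context, so the script can write to HKLM without the logged-on user having administrative rights.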

All replies

  • Some of the GPOs in 2008 may not be able to apply on Windows XP machines.

    July 5, 2008, 2:16 PM
  • Sorry! Then what can I do? That policy really can't be applied on it. Are there any solutions for this so far?
    July 5, 2008, 2:27 PM
  • If the policy does not exist in Windows XP, I am afraid you cannot apply it there.

    July 6, 2008, 12:30 AM
  • Thank you for your advice. As a result, would you prefer or recommend that all clients move to the Vista platform rather than XP when the server is upgraded to Windows Server 2008, subject to the compatibility of GPO policy, right?

    July 7, 2008, 9:02 AM
  • Actually that is not that related, but Vista does offer more functions and features than Windows XP. I would highly recommend you upgrade the OS to Windows Vista to enjoy more functions and features.

    July 7, 2008, 2:24 PM
  • I don't think upgrading to Vista is a good solution; it would also lead to more problems in maintaining the new platform.

    As the article says, I suppose the USB GPO from Windows Server 2008 is designed for the Windows Vista platform (you should know that a GPO is just a registry setting). So if you want to apply the removable storage policy to Windows XP, you should create an Administrative Template which is designed for Windows XP. (Try Google; there are different types of policy.)
    Thanks
    July 9, 2008, 6:16 AM
  • I have the same problem, but not only with new settings in GPO. I can't apply any GPOs on my Windows XP machines at all. My situation is the following.

    I used a network with some Windows XP machines in a domain and Windows Server 2003 as the DC. Everything worked well. I have upgraded the DC to Windows Server 2008 and reinstalled some workstations with Windows XP Professional with SP3 and successfully joined them to the domain. Users can log in, but GPOs are not applied at all. In the events I found one event with ID 1054 that says that no DC can be found. DNS works perfectly.

    Can you suggest some ideas?

    September 3, 2008, 9:32 AM