usb deny write access problem

tunnel15 · 16 Apr 2012

hello,
my first post here..my problem is as follows...
I have a win7 peer2peer netwrk with 10 computers
To block usb write access i created 3 accounts on each machines

superAdmin

administrator acc) full rights
localAdmin : (administrator acc) Removable disk :deny write access policy enabled
users : (standard acc) Removable disk :deny write access policy enabled

the standard acc users have passwords for localAdmin so that they can install softwares
but i don't want them to write to usbs,my problem is they can still write to the usb by
supplying the local admin psswrd ,even tho deny write accesss policy for the localAdmin account is enabled.

BTW if i log into localAdmin i cannot write to usb,but the standard account user can write with the localAdmin psswrd.

Pls help..
thanks in advance:)

Maguscreed · 16 Apr 2012

I am not seeing a way to have your cake and eat it too in this situation without creating an entire new user group that is essentially a hands tied admin account just call it 'installer' or something. That has no privileges outside of installing software at all.

tunnel15 · 16 Apr 2012

thank you maguscreed:)
hmmm don't understand why those options exists if it don't work ,earlier i tried making groups and had assigned some accounts to them but then found that group policies can't be applied to custom grps.What you say makes sense in this situation will give it a shot ..
thank you again:)

PS: I kno that policies can be applied to custom grps if it is a server -client set up

Maguscreed · 16 Apr 2012

well the problem here is that you are using local admin to affect the installs local admin account is given permissions all throughout the system and it needs a vast majority of them for the system to function properly.
(local admin account handles updating for user accounts for instance, even though this is done in the background.)
So there will likely always be little cracks for the users to get through as long as you are using it for the purpose of installing software.

tunnel15 · 16 Apr 2012

the local admn account by itself (when logged into) doesn't have write access,but it provides write access to other std users

Maguscreed · 16 Apr 2012

Okay I have a brilliant idea, I'm going to ask an alien for help with this one.
Give him a bit to reply light speed time distortions and all that.

Maguscreed · 16 Apr 2012

Alright,
So we have to remove the users from the admin account. It's far easier to give install rights to the normal user accounts than it is to try toying with the admin account rights.
Local Group Policies - Apply to All Users Except Administrators

Group Policy - Apply to a Specific User or Group

Either way should actually work. Number 2 is probably going to be easier.
You'll then need to change the admin password to lock them back out.

tunnel15 · 17 Apr 2012

thank you maguscreed ,feels good to know help is available....i only meant to highlight the issue ,sorry for the burst of questions..
..the first option won't work for me 'coz i need a std acc with backup rights and
well i've tried the second option it does work as it implies BUT only when you are logged into that particular user, when you log in as the std user the elevation prompt appears and it allows you to write to usb even though that particular admin acc has deny write access enabled.
I am under the impression that there is some other setting that needs to be on/off ....maybe..

pls bear with me and help me crack this one...

Maguscreed · 17 Apr 2012

as long as you give the standard user any kind of access to local admin you will have this problem.
local admin MUST have write permissions or the OS doesn't function.

tunnel15 · 19 Apr 2012

i guess i'm stuck with my problem ,will have to rethink strategy
But thanks a ton maguscreed...:)