Theoretically you could do that, but besides the obvious security downside, the registry tweaks really only disable the driver startup, so you would still have to reboot for that to take effect. All in all, the ADM approach talked about in that article is pretty weak and only good for completely disabling a device rather than having granularity of who gets it disabled. One thing I forgot to mention is that Vista now includes device lockdown as part of GP, including control over reading and writing a particular device. Of course, you need Vista.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jon Best
Sent: Wednesday, December 13, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

Can't you just set up two group policies with two .adm files? One activates the lock, and the other group policy deactivates the lock.

Or, as those are just registry entries, you *can* set it up so that the people that are to have CD-ROM access also have high enough rights to change those keys on the registry (you can set access rights on individual registry keys as of XP). Their login script deactivates the lock, and their logout script enables the lock again.

Jon

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

Yes, that's the same one I had found previously and didn't meet my requirements since it's on a per-computer basis, not per-user unfortunately. That information was actually pulled from this KB article.

http://support.microsoft.com/kb/555324

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aaron Steele
Sent: Wednesday, December 13, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

A quick google search turned up this reference to a custom .ADM template that is available.

http://joeelway.spaces.live.com/blog/cns!2095EAC3772C41DB!293.entry

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lockdown CD-ROM access for some

I have been given a task for our secured environments (by secured, I mean government clearances required) to develop a means to lock down access to the CDROM drive at a user based level.
They want most users to be restricted from using the CDROM drives in any way, but allow a certain security group the ability to have full use of their CDROM drives. As far as I can tell, there is not a group policy that allows for this type of granular lockdown of the devices.

Any suggestions on how to best tackle this? Information simply cannot leave these secured environments, and they no longer want users to have unfettered access to CD/DVD burners. The drive letter of the CD drives may not always be the same, in fact some machines' drive letters may vary wildly.

Thanks,
~Ben