Issues appear after removing .ADM Template

Hello,

I was not sure where to post this, so I started here. Long story short, I used a custom template from http://support.microsoft.com/kb/555324 to restrict USB, CD activity on one of our network computers.

End users were playing around and removed the USB cable to the local printer, and tried to plug it back in. Due to the restriction, Windows could not identify the printer, so it stopped working.

I thought it would be a quick fix and simple task of removing the adm template and forcing a gpupdate.

That did not work, and now I am stumped.

USB access and CDROM appear to remain restricted even though the template was removed, and the policy refreshed.

I browsed the registry and USBSTOR has the appropriate settings.

What can I do to re-enable the USB / CDROM functionality?

Thanks.

Frankly, there may be only a handful of our members who can answer this, and they might not show up soon.

You might get answers sooner by joining and posting at Ars Technica. Post in this subforum there: http://arstechnica.com/civis/viewforum.php?f=15

OK, Thank you.

[QUOTE=InfoTech1;2692012]I was not sure where to post this, so I started here. Long story short, I used a custom template from http://support.microsoft.com/kb/555324 to restrict USB, CD activity on one of our network computers.[/quote]
So you made a local GPO, which was meant for Microsoft Windows Server 2003 Systems, on a local workstation?

[QUOTE]End users were playing around and removed the USB cable to the local printer, and tried to plug it back in. Due to the restriction, Windows could not identify the printer, so it stopped working.[/quote]
Of course.

[QUOTE]I thought it would be a quick fix and simple task of removing the adm template and forcing a gpupdate.

That did not work, and now I am stumped.[/quote]
Accounts need to log in again before the effects take place. For a local system policy, a reboot of the system needs to take place.

[QUOTE]USB access and CDROM appear to remain restricted even though the template was removed, and the policy refreshed.

I browsed the registry and USBSTOR has the appropriate settings.[/quote]
So it is now a value of 3 again?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003 to disable it

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004 to enable it

Thank you for the response. I have verified that the setting is at 3, and the USB operation is still disabled. I have rebooted the machine several times to no avail.

Hmm. Weird. If you reboot and the registry sets itself again, the only thing that can do that is a gpo.

I am guessing you also may need to restore all the other settings.

Did you change this gpo on the local machine or did you put it in the domain of a server?

Well, perhaps the several reboots finally got it. It is now working again. Thanks for the replies.

I don’t know what OS you are using.
I know we’re told that most of the time a reboot is not necessary from Vista up.
I have Vista, and if this is the case, why is it that when I use Windows Update (I do mine one update at a time), many of the updates require a reboot?
So why do updates require a reboot when MS tells us they are not needed with other installs, etc.?

So with almost anything you install or do that makes a system modification: reboot.

My information says it actually takes 3 reboots for some things to be set in Vista.
This is for things like “Last known good startup”.
This is why there are several ControlSets before the CurrentControlSet in the registry.

So when in doubt, reboot, and sometimes at least 3 times.

Good info Cholla, noted. This was an XP Pro system btw.

[QUOTE=cholla;2692194]
I know we’re told that most of the time a reboot is not necessary from Vista up.[/quote]
You are correct that since Vista, GPOs have been implemented a lot better.

Global Policy Objects (GPOs) are specific settings that may or may not require a reboot or a relogin. Basically, a GPO is a very easy way to hack the registry. GPOs are like the registry divided into several parts of the system. They can affect user accounts, user groups, local machines or machine groups.

Because GPOs are just modified registry settings, they are automatically applied at the boot and login process of a system. You can enforce a GPO, therefore immediately affecting the registry of a running system, but current sessions or programs may not care about the modified settings.

GPOs are awesome. I can make a domain network in such a way that you cannot access it unless you comply with my rules. That can include Windows security updates, antivirus, the entire automatic deployment of Microsoft Office, or control of your entire desktop.