General discussion

Locked

Disabling CD-ROM for Users only - Win2K?

By HankSchupp ·
I want to be able to deny access to the CD-ROM and Floppy to all users but have them available to the Admin when they log in. Can it be done?

I know we can can turn off the autorun, we can deny ability to install from the CD, and we can stop remote users from accessing the CD - all simple registry settings. But can it be disabled altogether?

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Disabling CD-ROM for Users only - Win2K?

by rkelly In reply to Disabling CD-ROM for User ...

You can do this quite simple with a Domain Level Group Policy Object.

You will need to drill down through the Administrative templates to find the settings that you want.

Once you apply the GPO it will by default block access to everyone on your network to the CDRom and Floppy Disk Drives. You need to filter the scope of the GPO by assigning permissions to the GPO.

Leave the Authenticated Users as they are and Add Domain Admins and give them the DENY Apply Group Policy right to your GPO.

With this setup anyone who is a member of Domain Admins will get access to the CDRom Drives and FDDs. Alternatively you could create a group (called drive access, say) and add all the users that need access to the drives to this group, give this group DENY apply group policy instead of Domain Admins.

Collapse -

Disabling CD-ROM for Users only - Win2K?

by HankSchupp In reply to Disabling CD-ROM for User ...

This is not a truly unacceptable reply. I did not specify that I was using an NT Domain Server. The answer is a good one about the power and granularity of Group Policy. However, even after loading the resource kit and going through every setting in the book ... I could not find a policy that would actually lock the CD or Floppy drive. There was a setting that said "Restrict access to the CD ROM to Local users only". Unfortunately it meant anyone logging physically onto that machine - not the normal meaning of the term Local User. Even with the setting enabled, any user who logged onto the machine could see and interact with the CD and floppy. It only stopped someone Telnet or FTP-ing to the devices.

Now, given this is my firstforay into the Group Policy arena - I may have missed on how to do this. I believe that if I was running a Windows 2000 Domain server this could have been absolutely correct - I will be building a server Monday or Tuesday next week and find out.
Anyone already running a W2K native domain that could test this out and save me several hours labor and a fight with the server manager?

Thanks for your support!

rkelly - If it comes in that in a native W2k environment your answer is correct you will be awarded points.

Collapse -

Disabling CD-ROM for Users only - Win2K?

by HankSchupp In reply to Disabling CD-ROM for User ...

More info: The Server is NT 4.0 the workstations are/will be W2K Pro. How does this affect the answer?

Collapse -

Disabling CD-ROM for Users only - Win2K?

by pikikoko In reply to Disabling CD-ROM for User ...

What we did was very simple. To keep the users from the cd and floppy we went in and pulled the power. Its fast and simply.
When a tech or admin need to work on them, they get plugged back in. We pulled our plugs and found we have not had to go in and plug them back in once every two years. They users don't get to load all their games.
It works very very well.
good luck

Collapse -

Disabling CD-ROM for Users only - Win2K?

by HankSchupp In reply to Disabling CD-ROM for User ...

We did much the same at my last job. We pulled the power for the Floppy and enabled the "allocate cd" option under C2 security for the cd. That 'mostly' kept the users from installing any software. It was a classified data system though and really our prime concern was eliminating ways for the user to offload any data.

In this case, using the Device Manager, I could just disable the device and that would suffice. When the admin logged in it wouln't take more than a couple clicks to enable the device. A minor compromise and one we're basically willing to live with. However, the only negative aspect of this would be if the Admin forgot to disable it when he logged out - then the user would have access: and that is totally unacceptable in the current environment.

So that is why I am trying to find a way to automate the process. So that when an admin logs in - the CDROM and Floppy are available. When a user logs in they are not. Whether it is using Kixtart to enable/disable it with scripting or to write a vbscript to do much the same.

Still looking ... commercially I found the program DEVICELOCK which is nice. Able to lock any device: LPT port, Floppy, CD, ZIP, Serial port, etc. There are several other applications that incorporate CD/Floppy locking as well. Just trying to use the resources at hand before going that path.

Any other ideas folks?

Back to Windows Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums