Topic: «Group Policy with Security Groups doesn't work», Unable to use Security Groups to control devices.

J6 SysAdmin
Posts: 8
Joined: 08/14/2007
Hello,

We have purchased DeviceLock to manage our network. I am tasked with establishing the Group Policy for it. We are using an all Windows 2003 server and XP client environment. I have been working with the group policy editor to define USB storage policy. My test is to create a domain Security Group called Write To All. Add this group to the device lock group policy on Removable Storage and give it Full control.

I have done this setup, rebooted the test PC to make sure policy applied. I created a testuser account and logged in with it. Inserted a USB drive and was denied. That is good because the testuser account wasn't a member of Write To All security group. Logged off and added the testuser to the group. Logged testuser back on, inserted the USB drive and again was denied. That was not good.

To identify the problem, I removed the Write To All group from the device lock group policy and specifically added the testuser to the group policy with Full control of Removable Devices. Rebooted the PC, logged in with testuser, inserted the USB drive and was granted access to it.

So basically, I can successfully define group policy access based on users but not groups. Can you let me know what the problem might be?

Thanks,

Aaron

Posted: 08/14/2007 20:09:32

t-m00r
Senior Technical Support Engineer
Editor
Posts: 292
Joined: 06/28/2005
What are your settings for USB port? So far you have mentioned only those set for Removable.
Posted: 08/14/2007 20:17:38

J6 SysAdmin
Posts: 8
Joined: 08/14/2007
I currently have it set to Not Configured and all of the Manage USB device ??? check boxes are checked except the top one, keyboards.

Initially, I was trying to use the USB settings but then realized that this was a Removable storage issue. So, I opened up USB and focused on the Removable settings.

Everything is working great except rights based on Domain\GroupName. I can use Domain\UserName and it works fine.

If you have a set of recommended policy settings just let me know. We basically want to lock everything down, average users will have read access to the CD/DVD. Then access to write DVD/CDs and use thumb drives will be controlled to Security Groups.

Aaron
Posted: 08/14/2007 21:30:28

J6 SysAdmin
Posts: 8
Joined: 08/14/2007
I guess I should add that everything else is basically set to Everyone No Access except hard drives.
Posted: 08/14/2007 21:32:15

t-m00r
Senior Technical Support Engineer
Editor
Posts: 292
Joined: 06/28/2005
Not really. USB flash drives are controlled at both USB and Removable levels. It is necessary to provide SYSTEM account with sufficient (Full access) privileges for USB port sometimes. In case there is Everyone:No access entry present for USB port, replace it with SYSTEM:Full access (all the accounts not explicitly listed in an access control list (here: USB ACL) get blocked by default).

If unsuccessful, the next most logical step in this case would be to set Full Audit, Allowed and Denied for both USB Port and Removable for Everyone, reproduce the issue a couple of times, and check Audit Log Viewer module for any related errors.

As to a set of recommended policy, there is no such thing since there are too many variations of settings possible, depending on network architecture, goals to achieve, etc. You can learn some from DeviceLock User's Manual (looking through it, though it may sound sadistic as it is a 200+ page brochure).
Posted: 08/14/2007 22:03:14

J6 SysAdmin
Posts: 8
Joined: 08/14/2007
The manual is a little sadistic, but I did actually read about 140 pages of it. I know, all of the good stuff is in the last 60 pages.

I will work on what you said about the System account and auditing. I will update this tomorrow.

Aaron
Posted: 08/14/2007 22:26:49

J6 SysAdmin
Posts: 8
Joined: 08/14/2007
Okay, here is today's testing. I set every DeviceLock option to Not Configured. I then set USB and Removable to Default Settings: Everyone, Admins and System Full Control. I refreshed policy and I got access to the USB Drive. Next I removed Everyone from Removable, refreshed policy and was denied access; good still. I then added DomainName\TestUser specifically with Full Control and it worked. I then removed TestUser and added DomainName\DeviceFullAccessGroup with full control and it failed. Below are the events from the last failure. The earliest entries are at the bottom of the event list, starting with the Action: Insert entry.

It looks like System accessed the device fine. I am not sure what System was looking for in the d:\hs\media\y\???? directories but it was successful in trying to access the drive. After that, TestUser tries to get access and fails.




8/15/2007 8:14:56 AM DeviceLock Audit Success Audit None 18 DomainName\testuser 802-LAPTOP "Process ID: -1
Process Name:
Device Type: USB port
Action: Remove
Name: USB Mass Storage Device
Information: USB\VID_ABCD&PID_1A00\1234054301A8
Status: 00000000
"
8/15/2007 8:14:53 AM DeviceLock Audit Failure Audit None 4 DomainName\testuser 802-LAPTOP "Process ID: 3912
Process Name: C:\WINDOWS\Explorer.EXE
Device Type: Removable
Action: Open
Name: D:\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:53 AM DeviceLock Audit Failure Audit None 4 DomainName\testuser 802-LAPTOP "Process ID: 3912
Process Name: C:\WINDOWS\Explorer.EXE
Device Type: Removable
Action: Open
Name: D:\
Information: Read
Status: 00000000
"
8/15/2007 8:14:53 AM DeviceLock Audit Failure Audit None 4 DomainName\testuser 802-LAPTOP "Process ID: 3912
Process Name: C:\WINDOWS\Explorer.EXE
Device Type: Removable
Action: Open
Name: D:\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Failure Audit None 4 DomainName\testuser 802-LAPTOP "Process ID: 3836
Process Name: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
Device Type: Removable
Action: Open
Name: D:\
Information: Read
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Failure Audit None 4 DomainName\testuser 802-LAPTOP "Process ID: 3912
Process Name: C:\WINDOWS\Explorer.EXE
Device Type: Removable
Action: Open
Name: D:\AutoRun.inf
Information: Read
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:\hs\media\y\9968\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:\hs\media\y\9964\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:\hs\media\y\9951\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:\hs\media\y\9953\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:\hs\media\y\11399\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:
Information: DirectRead
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 14 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: -1
Process Name:
Device Type: USB port
Action: Device Access
Name: USB Mass Storage Device (USB\VID_ABCD&PID_1A00\1234054301A8)
Information: Read Write
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 17 DomainName\testuser 802-LAPTOP "Process ID: -1
Process Name:
Device Type: USB port
Action: Insert
Name: USB Mass Storage Device
Information: USB\VID_ABCD&PID_1A00\1234054301A8
Status: 00000000
"


Posted: 08/15/2007 14:31:42
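A small parser for the audit export pasted in the post above, added here as an example (it is not DeviceLock's or the poster's code). It tallies results per account and device type, which makes it easy to see at which level (USB port or Removable) a denial is recorded. The column layout the regex expects is an assumption inferred from the pasted text, and `SAMPLE` holds three records copied from that post.

```python
import re
from collections import Counter
# Sample input: three records copied from the post above (newest first).
SAMPLE = r'''8/15/2007 8:14:53 AM DeviceLock Audit Failure Audit None 4 DomainName\testuser 802-LAPTOP "Process ID: 3912
Process Name: C:\WINDOWS\Explorer.EXE
Device Type: Removable
Action: Open
Name: D:\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 4 NT AUTHORITY\SYSTEM 802-LAPTOP "Process ID: 1440
Process Name: C:\WINDOWS\System32\svchost.exe
Device Type: Removable
Action: Open
Name: D:\
Information: DirList
Status: 00000000
"
8/15/2007 8:14:52 AM DeviceLock Audit Success Audit None 17 DomainName\testuser 802-LAPTOP "Process ID: -1
Process Name:
Device Type: USB port
Action: Insert
Name: USB Mass Storage Device
Information: USB\VID_ABCD&PID_1A00\1234054301A8
Status: 00000000
"'''

# Assumed columns: date time, source, result, category, event id, user, computer, "description
HEADER = re.compile(
    r'^(?P<when>\S+ \S+ [AP]M)\s+DeviceLock Audit\s+(?P<result>Success|Failure) Audit'
    r'\s+\S+\s+(?P<event_id>\d+)\s+(?P<user>.+?)\s+(?P<computer>\S+)\s+"')

def parse_records(text):
    """Yield one dict per record: header columns plus the 'Key: Value' lines."""
    rec = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # header line also carries the first description field
            rec, line = m.groupdict(), line[m.end():]
        if rec is not None and line.strip() == '"':   # closing quote ends it
            yield rec
            rec = None
        elif rec is not None and ":" in line:
            key, _, value = line.partition(":")        # split on the first colon only
            rec[key.strip()] = value.strip()

def outcomes(text):
    """Count records per (account, device type, result)."""
    return Counter((r["user"], r["Device Type"], r["result"]) for r in parse_records(text))
```

On the sample, the only Failure is `DomainName\testuser` on the Removable device type; the USB port event for the same account and the Removable access by `NT AUTHORITY\SYSTEM` are both Success.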

J6 SysAdmin
Posts: 8
Joined: 08/14/2007
It looks like I am having the same problem as the person in this forum entry.

http://www.protect-me.com/forum/read.php?FID=1&TID=338

What was the resolution for his trouble ticket?

Aaron
Posted: 08/15/2007 14:40:36

roman_g
Guest
It seems that your case also needs some more attention. We moved to support. Ticket 7021.
Posted: 08/15/2007 14:50:49

Coleman Craig
Posts: 19
Joined: 08/16/2007
Complete stab at something here....

Are your security groups either domain global or universal? If so, does the problem reproduce using a domain local group?
Posted: 08/16/2007 19:29:13
