Univention Bugzilla – Bug 30835
Exam mode: GPO template
Last modified: 2013-06-07 21:39:10 CEST
It shall be tested if it is possible to ship templates for the GPOs gathered in Bug 30384.
Created attachment 5189 [details] webproxy-GPOs for IE, Chrome and Firefox: Docs and ADMX-Templates Die ADMX-Templates für Firefox sind aktuell noch nur auf Englisch. Anleitung im tar-Archiv: proxy/webproxy-GPO-configuration.txt
Note: ADMX templates need to be copied to the Policies/PolicyDefinitions folder in the sysvol. The Windows Group Policy Management Console then prefers these to the ADMX templates on the local machine. Thus, this requires that all the basic Windows ADMX templates need to be copied to the server folder as well (once): http://www.microsoft.com/en-us/download/details.aspx?id=624
For convenience: The link to the standard Windows ADMX templates updated for Windows 8 / Windows Server 2012: http://www.microsoft.com/de-de/download/details.aspx?id=36991
Created attachment 5197 [details] ControlRemovableMediaDriversPreWin7_ADMX.zip In Windows XP and Vista two layers are needed to lock down USB-Access: 1. Disable installed USB drivers. This can be done with the ADMX attached, which was converted from the ADM code of MS KB article 555324 2. Prevent new USB drivers to be installed. This requires restriction of file system permissions. I did not translate the required steps to german yet, but they are here: http://www.grouppolicy.biz/tag/usb/ The link also shows the extended GPO settings for removable media access control implemented in Windows 7.
Btw. Maybe it would be convenient to use a uniform prefix in the UCS@school example GPO ADMX-templates (i.e. web-proxy and pre-win7-usb until now), so all the new settings can be accessed via Computer Configuration > Policies > Administrative Templates > UCS@school > etc This would require minor changes in the ADMX files. I guess the vbs-files don't need to be adjusted, as they only read registry keys defined by the ADMX.
(In reply to comment #4) > In Windows XP and Vista two layers are needed to lock down USB-Access: > 1. Disable installed USB drivers. > This can be done with the ADMX attached, which was converted from > the ADM code of MS KB article 555324 > 2. Prevent new USB drivers to be installed. > This requires restriction of file system permissions. I did not translate > the required steps to german yet, but they are here: > http://www.grouppolicy.biz/tag/usb/ Does this affect all kinds of USB devices or only USB storage devices? → What happens when USB keyboards/mouses are plugged in? → Other devices: USB soundcards, WebCams, ...?
Well, the article, registry key and driver name is about usb storage, so I guess that's what is affected.
We still need to decide about how to provide the additional ADMX templates collected here. The manual section created for Bug 30834 now refers to the original upstream projects but e.g. for FirefoxADM the converted ADMX-Templates are quite useful. We should probably also send them upstream.
The vbs scripts from firefoxADM are not working out of the box, they seem to be unmaintained for quite a while and do not apply to paths and concepts used in recent Firefox relases, e.g. * still uses greprefs/all.js * no support for x64 paths. * the firfox_shutdown.vbs script does not clean up things properly. It would be necessary to modify the vbs scripts according to the recommendations of http://kb.mozillazine.org/Locking_preferences
Created attachment 5212 [details] Updated webproxy-GPOs for IE, Chrome and Firefox: Docs and ADMX-Templates With updated firefox_startup.vbs and firefox_shutdown.vbs scripts.
The ADMX templates and vbs files now ship as /usr/share/doc/ucs-school-umc-exam/examples/GPO and this path is documented in the manual.
The GPO templates exists, are working and are correctly documented.
*** Bug 31584 has been marked as a duplicate of this bug. ***
UCS@school 3.1 R2 has been released: http://download.univention.de/doc/release-notes-ucsschool-3.1-rev2.pdf If this error occurs again, please use "Clone This Bug".