On Mon, Mar 23, 2009 at 9:04 AM, Paul Everett
<[email protected]> wrote:
> 1.      Is there a way (script or GP) to take "domain users" out of the
> local admin group?

  In addition to other suggestions, you could always do:

        NET LOCALGROUP Administrators "%YourDomain%\Domain Users" /DELETE

Put that in your logon script.  If "Domain Users" has local admin
rights, then it will succeed, and remove "Domain Users" for future
logons.  If it's already been done, it will fail harmlessly.

> 4.      How do I do the INI redirection trick?

  It works by redirecting AUTORUN.INF to a non-existent registry
location.  That will make Windows completely ignore the AUTORUN.INF
file on any disk.  It involves a single registry key and value:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Default value: "@SYS:DoesNotExist"

  If you put the following in a .REG file, you can import it using REGEDIT:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

  Or, you can use the REG command (all on one line):

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYS:DoesNotExist"

-- Ben
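
A read-only check for both changes described in the reply above, as an added example that is not part of the original message. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`); the function and variable names are illustrative.

```powershell
# Added example: audits the two settings from this thread without changing anything.
# Assumption: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Expected   = '@SYS:DoesNotExist'

function Test-AutorunInfRedirect {
    # True only when the key exists and its default (unnamed) value is the redirect string.
    $key = Get-Item -LiteralPath $AutorunKey -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    return ($key.GetValue('') -eq $Expected)
}

function Test-DomainUsersInLocalAdmins {
    # The local Administrators group is S-1-5-32-544 regardless of UI language,
    # and "Domain Users" is RID 513 under its domain SID, so match on SIDs, not names.
    try {
        $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
    } catch {
        # Enumeration can fail (for example on unresolvable members); report "unknown".
        return $null
    }
    $hits = @($members | Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-513$' })
    return ($hits.Count -gt 0)
}

$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    AutorunInfRedirected = (Test-AutorunInfRedirect)
    DomainUsersAreAdmins = (Test-DomainUsersInLocalAdmins)   # $null means "could not check"
}
$report

# Non-zero exit lets a scheduled task or inventory tool flag the machine.
if (-not $report.AutorunInfRedirected -or $report.DomainUsersAreAdmins -ne $false) {
    exit 1
}
```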
