Thanks Ben. #1 worked great! #4 the reg entry was made. An XP Pro disk opens just showing the contents of the disk. Is there a switch for this script to ignore (or don't overwrite) if the entry is already there so my login script doesn't stop and wait for user input?
-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Monday, March 23, 2009 10:45 AM
To: NT System Admin Issues
Subject: Re: April 1st Conflicker Version C to erupt

On Mon, Mar 23, 2009 at 9:04 AM, Paul Everett <[email protected]> wrote:
> 1. Is there a way (script or GP) to take "domain users" out of the
> local admin group?

In addition to other suggestions, you could always do:

    NET LOCALGROUP Administrators "%YourDomain%\Domain Users" /DELETE

Put that in your logon script. If "Domain Users" has local admin rights, then it will succeed, and remove "Domain Users" for future logons. If it's already been done, it will fail harmlessly.

> 4. How do I do the INI redirection trick?

It works by redirecting AUTORUN.INF to a non-existent registry location. That will make Windows completely ignore the AUTORUN.INF file on any disk. It involves a single registry key and value:

    Hive: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
    Default value: "@SYS:DoesNotExist"

If you put the following in a .REG file, you can import it using REGEDIT:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

Or, you can use the REG command (all on one line):

    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYS:DoesNotExist"

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
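
A logon-script fragment for the question at the top of this message, added here as an example and not part of the original thread: REG ADD's /f switch overwrites an existing value without prompting, and the REG QUERY check skips the write when the mapping is already in place. The variable names KEY and WANT and the label :done are assumptions of this example.

```batch
@echo off
rem Added example, not from the original thread.
rem Applies the Autorun.inf IniFileMapping redirect without ever prompting.
setlocal

rem KEY and WANT are names chosen for this example.
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
set "WANT=@SYS:DoesNotExist"

rem Read the key's default value. findstr returns ERRORLEVEL 0 only when
rem the expected data is already there; a missing key returns 1.
reg query "%KEY%" /ve 2>nul | findstr /L /C:"%WANT%" >nul
if not errorlevel 1 goto :done

rem /f forces the write, so an existing value never stops the script
rem to wait for user input.
reg add "%KEY%" /ve /t REG_SZ /d "%WANT%" /f >nul
if errorlevel 1 echo Autorun.inf mapping was not written, admin rights are required 1>&2

:done
endlocal
```

Writing under HKLM needs administrative rights, so once "Domain Users" is out of the local Administrators group this fragment has to run in a context that still has them, such as a computer startup script.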
