Restrict USB storage access according to AD user membership


Hello,

I'm currently creating a script to run as a service that lets users mount USB storage devices if the user belongs to a certain group membership. It seems to be working according to some tests I've made, but only if the computer is connected to the domain; if the computer is offline the service in certain conditions hangs - I believe due to some error in adfunctions.au3.

Any idea on how I can protect my routines from the adfunctions.au3 errors?

Thanks in advance!

Opt("TrayIconHide", 1)
Opt("RunErrorsFatal", 0)

#include "adfunctions.au3"
#include "ServiceControl.au3"
#include <file.au3>
Global $UserOnline, $USBAccess, $Mode, $DCList, $x, $IsMemberUSB
Global $INTERNET_CONNECTION_LAN = 0x02
Dim $aDllRet

$InfPath = @WindowsDir & "\Inf\"
$ADGroup = "Domain_USBAccess"
$RegKeyCheck = "HKEY_LOCAL_MACHINE\SOFTWARE\USBAccess\"

While 1 = 1
    VerifyUserLogged()
    ModeVerify() ; used to protect against offline mode (to avoid adfunctions.au3 errors)
    If $Mode = "Connected" And $UserOnline <> "" Then ; skip when the service is running without a user logged on
        $x = _ADListDomainControllers($DCList)
        ; this is possibly the problem when it hangs (but I don't have any idea on how to do it in other way)
        If IsArray($DCList) And $DCList[0] > 0 Then
            Sleep(1000)
            $IsMemberUSB = _ADIsMemberOf($ADGroup, $UserOnline)
            $USBAccess = RegRead($RegKeyCheck, "USBAccess")
            ; key or value missing: create it as "no access". RegRead sets @error to a
            ; non-zero value in both cases, so test for any error, and write to the key
            ; path ($RegKeyCheck), not to the value just read
            If @error <> 0 Then
                RegWrite($RegKeyCheck, "USBAccess", "REG_DWORD", 0)
                $USBAccess = 0
            EndIf
            ForceAccessState()
        EndIf
    EndIf
    ; I just need to check this from time to time. The sleep sits outside the
    ; If so the loop does not spin at full CPU while the machine is offline
    Sleep(600000)
WEnd

Func VerifyUserLogged()
    $UserOnline = RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\", "AltDefaultUserName")
EndFunc ;==>VerifyUserLogged

Func ForceAccessState()
; Disable USB if user is not member of USB AD group, and last user had USB access!
    If $IsMemberUSB = False And $USBAccess = "1" Then
        DisableUSBAccess()
    EndIf

; Disable USB if user is not member of USB AD group, and last user didn't have USB access!
    If $IsMemberUSB = False And $USBAccess = "0" Then
        DisableUSBAccess()
    EndIf

; Enable USB access if user is supposed to have it, but it doesn't!
    If $IsMemberUSB = True And $USBAccess = "0" Then
        EnableUSBAccess()
    EndIf
EndFunc ;==>ForceAccessState

Func DisableUSBAccess()
    If FileExists($InfPath & "USBSTOR.INF") Then FileMove($InfPath & "USBSTOR.INF", $InfPath & "USBSTOR.INF_")
    If FileExists($InfPath & "USBSTOR.PNF") Then FileMove($InfPath & "USBSTOR.PNF", $InfPath & "USBSTOR.PNF_")
    RegWrite($RegKeyCheck, "USBAccess", "REG_DWORD", 0)
    RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\", "Start", "REG_DWORD", 4)
EndFunc ;==>DisableUSBAccess

Func EnableUSBAccess()
    If FileExists($InfPath & "USBSTOR.INF_") Then FileMove($InfPath & "USBSTOR.INF_", $InfPath & "USBSTOR.INF")
    If FileExists($InfPath & "USBSTOR.PNF_") Then FileMove($InfPath & "USBSTOR.PNF_", $InfPath & "USBSTOR.PNF")
    RegWrite($RegKeyCheck, "USBAccess", "REG_DWORD", 1)
    RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\", "Start", "REG_DWORD", 3)
EndFunc ;==>EnableUSBAccess

Func ModeVerify()
    ; InternetGetConnectedState(LPDWORD lpdwFlags, DWORD dwReserved) lives in wininet.dll
    ; (not "winnet.dll"). The flags come back through the pointer, so the parameter is
    ; declared "dword*" and read from element [1] of the DllCall result.
    $aDllRet = DllCall("wininet.dll", "int", "InternetGetConnectedState", "dword*", 0, "dword", 0)
    If @error Or $aDllRet[0] = 0 Then
        $Mode = "NotConnected"
        Return
    EndIf
    Local $nConnectedState = $aDllRet[1]
    ; a LAN link only says the adapter is up, not that a domain controller is reachable
    If BitAND($nConnectedState, $INTERNET_CONNECTION_LAN) Then
        $Mode = "Connected"
    Else
        $Mode = "NotConnected"
    EndIf
EndFunc ;==>ModeVerify
Edited by BullGates


Oh well, maybe it's not the best way, but I'll ping the domain, and I'll only enter the AD routines if the ping is successful; any other idea is welcome...

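A bounded reachability check that could guard the AD calls, written here as an added example (it is not code from this thread or from adfunctions.au3). It assumes @LogonDNSDomain names the AD domain, that a domain controller answers LDAP on TCP 389, and that TCPConnect honours Opt("TCPTimeout"); _DomainReachable, _EvaluateUSBPolicy and the log path are names chosen for this example.

```autoit
; Added example, not part of the original post. Bounded reachability gate to run
; before any adfunctions.au3 call so an offline machine cannot stall the loop.
; Assumptions: @LogonDNSDomain names the AD domain (its A records point at DCs),
; a DC answers LDAP on TCP 389, and TCPConnect honours Opt("TCPTimeout").
Opt("TCPTimeout", 2000) ; cap socket waits at 2 s (the default is 100 ms)

; True only if the domain name resolves and one DC accepts a TCP connection on
; the LDAP port. @error tells the caller at which stage the check failed.
Func _DomainReachable($sDomain = @LogonDNSDomain, $iPort = 389)
    If $sDomain = "" Then Return SetError(1, 0, False) ; not domain-joined / no logon
    TCPStartup()
    Local $sIP = TCPNameToIP($sDomain)
    If @error Or $sIP = "" Then
        TCPShutdown()
        Return SetError(2, 0, False) ; DNS failed: no DC in sight
    EndIf
    Local $hSock = TCPConnect($sIP, $iPort)
    Local $iErr = @error
    If $hSock <> -1 Then TCPCloseSocket($hSock)
    TCPShutdown()
    If $iErr Then Return SetError(3, 0, False) ; resolved, but LDAP port closed or filtered
    Return True
EndFunc ;==>_DomainReachable

; Replacement for the body of the main loop: only touch AD when the gate passes.
; Offline, the previously enforced USB state is kept (fail closed); access is
; never widened on the strength of a missing answer.
Func _EvaluateUSBPolicy()
    If $UserOnline = "" Then Return ; no interactive user, nothing to decide
    If Not _DomainReachable() Then
        Local $iStage = @error ; captured before any other call can reset it
        FileWriteLine(@ScriptDir & "\usbaccess.log", @YEAR & "-" & @MON & "-" & @MDAY & " " & _
            @HOUR & ":" & @MIN & " domain unreachable (stage " & $iStage & "), state unchanged")
        Return
    EndIf
    $IsMemberUSB = _ADIsMemberOf($ADGroup, $UserOnline)
    $USBAccess = RegRead($RegKeyCheck, "USBAccess")
    If @error <> 0 Then $USBAccess = 0 ; missing value is treated as "no access"
    ForceAccessState()
EndFunc ;==>_EvaluateUSBPolicy
```

A TCP connect to the LDAP port is used instead of the ICMP ping proposed above because ICMP is often filtered while LDAP is not, and a host that answers ping is not necessarily a domain controller.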
