Hi,
I have a windows 2008 R2 based domain controller AD infrastructure with windows XP & win 7 clients. I have applied a USB blocking GPO with Microsoft recommended custom ADM (http://support.microsoft.com/kb/555324).Besides the ADM, I have restricted access to the 03 USB files [1. usbstor.inf ,2. usbstor.pnf, 3. Usbstor.sys] and also the USBSTOR registry @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. Only domain admins have Full Allow access on these files& registry and others including local systems admin accounts are having full deny acess on these files & registry.
This policy is working perfectly fine for windows 7 systems, but causing issues on windows XP systems now. It's getting applied on Windows XP systems, but somehow locking the local security policy container. As a result, the XP systems are unable to release/update the GPOs when there is a change in existing GPOs or a new GPO comes in. When I observed the RSOP data on these XP machines, I observed memory error in applying the restricted USB registry settings ( refer the attached RSOP screenshot). It shows the old applied GPOs like WSUS & other GPOs even if I remove those GPOs in AD.
Most interesting part is, if I remove this USB GPO or move the computer to another OU and run gpupdate/force, everything works fine and all new/changed GPO are applied perfectly. But again if I apply the USB GPO, I am unable to release the deleted GPOs or apply new GPOs on the XP systems. I already have tried this with new freshly configured GPO as well with no luck.
Request if anyone can help on this issue.
Regards,
Jnana R Dash