Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

GPO - Disable USB _ Help Please

Status
Not open for further replies.
teesee1

teesee1

IS-IT--Management
Nov 10, 2006
13
GB
hi,

I have an DC running on a Windows 2003 Server.

I have 1 PC running Win2000 connecting to this DC.

I want to lock the PC down so the user cannot use the floppy, cd or usb.

I have followed the instructions on however this does not seem to be working, i.e. i can still use the cd and floppy etc.

I know the Group Policy is being applied as some other parts of it (i.e. hide the control panel) are working.

Any suggestions? One person in our IT dept has said that this GPO is for servers running 2003, i.e it disables the servers cd / usb / floppy etc. Is this true?

Thanks in advance
 
Sort by date Sort by votes
555324KB explains how to use ADM template to push out registry changes to the machines. That's all this template does.

I don't have 2000 machine to check, but just open registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom. If that key exists then this GPO will work on that version of windows for "cdrom" setting. Check other settings same way.

I just tested it on windows XP and CDROM drive dissapeared when i set the value to 4.

First check if that group policy works as expected, meaning go into registry and check if the changes are being applied.

eg. for USB settings the key should look like that:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom
disabled -> Start = 4
enabled -> Start = 1


Even before messing with ADM templates, I'd just change the registry manually and reboot the machine to see if it worked. Once you confirm that the registry setting does what it's suppose to, then you can apply group policy with your settings.
But if you just have one machine that you want to put that restriction on, then I would not even bother with group policies.


There's another way to disable USB that is explained here:

BTW, is it me? or did they get that kb article backwards?

KB says:
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4

Shouldn't it be this way?:
NAME !!Disabled VALUE NUMERIC 4 DEFAULT
NAME !!Enabled VALUE NUMERIC 1


Lukasz
 
Upvote 0 Downvote
Hide all the drive letters you don't want the user to have access to. Check my FAQ for ADM code that does this.

faq329-6116

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Abdullah Al Maruf
  • Locked
  • Question
Telnet help for
Replies
2
Views
264
gbaughma
gbaughma
ADB100
  • Locked
  • Question
Single Windows 7 Ultimate workstation not applying Registry, Drive Map or Printers GPO settings
Replies
1
Views
153
technome
technome
andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
118
RRankin355
RRankin355
on3mansh0w
  • Locked
  • Question
[HELP] AD GPO not applied unexpectedly
Replies
0
Views
117
on3mansh0w
on3mansh0w
juliog
  • Locked
  • Question
Unable to get Server 2019 GPO Redirected Folders to Work on Windows 7
Replies
1
Views
124
tacohunter
tacohunter

Part and Inventory Search

Sponsor

Back
Top