group policy to disable usb storage devices 2

[bshbsh]

I am trying to see if anyone on the domain can be prevented from attaching a USB hard drive or flash drive to their machines. I dont want to disable USB as we use USB keyboards and mouse.
Just out of curiosity is there a way to disable USB entirely on a machine via group policy.
Please advice.

 

[jet042]

I don't know about doing it with GP, but here is the registry key to disable writing to a USB harddrive or thumbdrive.

Under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\, add a dword called "WriteProtect" and assign it a value of 1.

 

[bshbsh]

On a sidenote, could anyone kindly post a good link on how to create a custom gpo and assign it either to a subset of machines or users. Sorry, a newbie....

 

[bshbsh]

Btw, I did not find a StorageDevicePolicies key, but I created that and under that the WriteProtect key, but that still did not work.
Please advice.
Thanks.

 

[allywilson]

in GPO Editor have a look at Computer Configuration-->Windows Settings-->System Services-->Plug and Play.

I'm pretty sure that will stop new devices, but allow previously installed devices to continue to operate.

Give it a try and let us know.

Cheers

 

[bshbsh]

I got it. This registry key seem to do the trick perfectly.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

The default value for Start is 3. Setting the value to 4 will disable the USB storage.

Now, is there anything similar to disable CD writing as well. I know this can be done from GP, but wondered is this can be done from the registry.

Thanks.

 

[allywilson]

http://www.pctools.com/guides/registry/detail/979/

<-- google is your friend.

 

[GrimR]

I done this once cant remember what I did but here are the two ADM templates for GPO I created. Hope it helps.

CLASS MACHINE

CATEGORY "Services und Drivers"
    POLICY "USB Storage"
    KEYNAME "System\CurrentControlSet\Services\usbstor"
     PART "Startup type" DROPDOWNLIST
       VALUENAME "Start"
           ITEMLIST
           NAME "Boot" VALUE NUMERIC 0
           NAME "System"   VALUE NUMERIC 1
           NAME "Auto Load"   VALUE NUMERIC 2 DEFAULT
           NAME "Load On Demand"       VALUE NUMERIC 3
           NAME "Disabled"   VALUE NUMERIC 4
           END ITEMLIST
     END PART
    END POLICY
END CATEGORY

and

CLASS MACHINE
CATEGORY "Removeable Storage Write Access"
POLICY "USB Write Access"
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
PART "USB Access" DROPDOWNLIST REQUIRED
VALUENAME "WriteProtect"
       ITEMLIST
        NAME "Enable USB Access" VALUE NUMERIC 1 DEFAULT
        NAME "Disable USB Access" VALUE NUMERIC 0
       End ITEMLIST
		 END PART
END POLICY
END CATEGORY

I suppose you could just vbscript it

Dim Wshshell
Set WshShell = WScript.CreateObject("WScript.Shell")

Wshshell.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" ,4 ,"REG_DWORD"

 

[bshbsh]

GrimR,
It looks very useful. Just wanted to make sure. Is it something you do on the AD so that it applies to all members of the domain?
Thanks.

 

[GrimR]

Yes, just add them in Group Policies.

http://support.microsoft.com/kb/323639

just though I would highlight this section

Note: If your new policy setting does not appear in the right pane as you expect, right-click the new Desktop Settings node, point to View, and then click to clear the check mark that is beside the Show Policies Only menu item.

 

[bshbsh]

Thanks GrimR. That was indeed very useful.

 

[bshbsh]

allywilson,
For some reason the registry key method doesnt seem to work even after a reboot.
Thanks.