?
Solved

disabling USB port through GPO

Posted on 2004-10-13
9
Medium Priority
?
3,213 Views
Last Modified: 2012-06-21
Is there anyway to disable a USB port through GPO?
Thanks,
0
Comment
Question by:Chuckbuchan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12299175
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12299498

There's another way.

For ADM Files !!Something is a variable and must be listed in Strings (just so you know).

Anyway, we wrote the ADM below to deal with USB devices. Copy the below into a Text file called USB.adm (or really anything.adm):

CLASS MACHINE

CATEGORY "System"
      CATEGORY "USB Storage Services"
            POLICY "Disable Access to USB Storage Devices""
                  
                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif
            
                  #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                  #endif                  

                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY

            POLICY "Disable Access to USB Hub Services"

                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif

                  #if version >= 3
                        EXPLAIN !!USBHUBCFG_Help
                  #endif
      
                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY
      END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."


A few notes on that...

In order to see the Policy once you've loaded it you must select Administrative Templates, then View and Filtering and remove the Tick from:

Only show policy settings that can be fully managed

It does work though, we use it quite a lot ;)
0
 
LVL 11

Expert Comment

by:gothicbloody
ID: 12299560
try this script :
content of killusbdrive.adm

CODE  

CLASS MACHINE

CATEGORY !!categoryname

 POLICY !!policyname

  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"

  EXPLAIN !!explaintext

    PART !!labeltext DROPDOWNLIST REQUIRED
 
      VALUENAME "Start"

      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST

    END PART

  END POLICY

END CATEGORY


[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computers USB Drive completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"
 ---------------------------
check this out :

http://www.reflex-magnetics.com/products/disknetpro/
http://devicelock.securitybyte.com/
http://support.microsoft.com/defaul...kb;en-us;823732 -- may work for you'

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 71

Expert Comment

by:Chris Dent
ID: 12299563
I should have explained a bit more really ;)

That makes a couple of Policies appear under Administrative Templates and System called USB Services (or at least it would if I hadn't made a typo above, so USB Storage Services).

It sets two registry values (Start) which determine whether a USB device will start up. Once the policy is applied it will simply stop the USB Devices loading on the Computers you apply the Policy to.

The Fully Managed thing is in the descriptions, but if you set the Policies to Enabled (to disable the device) it won't set back unless you reverse the Policy.
0
 

Author Comment

by:Chuckbuchan
ID: 12302657
I will have to try these approaches at a convenient time, for now I will all thank you, I will get back with you soon.
thanks
0
 

Author Comment

by:Chuckbuchan
ID: 12371482
I went through the settings of the GPO, and couldn't find anything that talks about  USB . Could you refer me to the location?
thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12372557

None of the settings in the GPO do until you manually add them.

Copy this into a file named USB.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices""
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USB.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

Then, when it's done loading, expand Administrative Templates and you'll have a USB Services folder there. Expanding that will show policies to Disable Storage and Disable Hub devices.
0
 

Author Comment

by:Chuckbuchan
ID: 12382389
To Chris-Dent :
the file shows error on line 7
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 12382845

D'oh sorry.. slight typo (an extra "). Try this one:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This program is used to assist in finding and resolving common problems with wireless connections.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question