?
Solved

disabling USB port through GPO

Posted on 2004-10-13
9
Medium Priority
?
3,240 Views
Last Modified: 2012-06-21
Is there anyway to disable a USB port through GPO?
Thanks,
0
Comment
Question by:Chuckbuchan
9 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12299175
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12299498

There's another way.

For ADM Files !!Something is a variable and must be listed in Strings (just so you know).

Anyway, we wrote the ADM below to deal with USB devices. Copy the below into a Text file called USB.adm (or really anything.adm):

CLASS MACHINE

CATEGORY "System"
      CATEGORY "USB Storage Services"
            POLICY "Disable Access to USB Storage Devices""
                  
                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif
            
                  #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                  #endif                  

                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY

            POLICY "Disable Access to USB Hub Services"

                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif

                  #if version >= 3
                        EXPLAIN !!USBHUBCFG_Help
                  #endif
      
                  VALUENAME "Start"
                  VALUEOFF NUMERIC 3
                  VALUEON NUMERIC 4
            END POLICY
      END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."


A few notes on that...

In order to see the Policy once you've loaded it you must select Administrative Templates, then View and Filtering and remove the Tick from:

Only show policy settings that can be fully managed

It does work though, we use it quite a lot ;)
0
 
LVL 11

Expert Comment

by:gothicbloody
ID: 12299560
try this script :
content of killusbdrive.adm

CODE  

CLASS MACHINE

CATEGORY !!categoryname

 POLICY !!policyname

  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"

  EXPLAIN !!explaintext

    PART !!labeltext DROPDOWNLIST REQUIRED
 
      VALUENAME "Start"

      ITEMLIST
       NAME !!Disabled VALUE NUMERIC 3 DEFAULT
       NAME !!Enabled VALUE NUMERIC 4
      END ITEMLIST

    END PART

  END POLICY

END CATEGORY


[strings]
categoryname="Restrict Drives"
policyname="Disable the USB Drive"
explaintext="Disables the computers USB Drive completely"
labeltext="Disable USB Drive"
Enabled="Enabled"
Disabled="Disabled"
 ---------------------------
check this out :

http://www.reflex-magnetics.com/products/disknetpro/
http://devicelock.securitybyte.com/
http://support.microsoft.com/defaul...kb;en-us;823732 -- may work for you'

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 71

Expert Comment

by:Chris Dent
ID: 12299563
I should have explained a bit more really ;)

That makes a couple of Policies appear under Administrative Templates and System called USB Services (or at least it would if I hadn't made a typo above, so USB Storage Services).

It sets two registry values (Start) which determine whether a USB device will start up. Once the policy is applied it will simply stop the USB Devices loading on the Computers you apply the Policy to.

The Fully Managed thing is in the descriptions, but if you set the Policies to Enabled (to disable the device) it won't set back unless you reverse the Policy.
0
 

Author Comment

by:Chuckbuchan
ID: 12302657
I will have to try these approaches at a convenient time, for now I will all thank you, I will get back with you soon.
thanks
0
 

Author Comment

by:Chuckbuchan
ID: 12371482
I went through the settings of the GPO, and couldn't find anything that talks about  USB . Could you refer me to the location?
thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12372557

None of the settings in the GPO do until you manually add them.

Copy this into a file named USB.ADM (ignoring the Start and End lines).

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices""
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------

Then select Administrative Templates under Computer Configuration, right click there and Add a Template - directing it to the USB.adm file.

Right Click on Administrative Templates again and go to Filtering..., and remove the tick from:

Only show policy settings that can be fully managed

Then, when it's done loading, expand Administrative Templates and you'll have a USB Services folder there. Expanding that will show policies to Disable Storage and Disable Hub devices.
0
 

Author Comment

by:Chuckbuchan
ID: 12382389
To Chris-Dent :
the file shows error on line 7
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 12382845

D'oh sorry.. slight typo (an extra "). Try this one:

-----------------------------------------------Start-----------------------------------------------

CLASS MACHINE

CATEGORY "System"
     CATEGORY "USB Services"
          POLICY "Disable Access to USB Storage Devices"
               
               KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif
         
               #if version >= 3
                    EXPLAIN !!USBStorageCfg_Help
               #endif              

               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY

          POLICY "Disable Access to USB Hub Services"

               KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
               #if version >= 4
                    SUPPORTED !!SUPPORTED_Windows2000
               #endif

               #if version >= 3
                    EXPLAIN !!USBHUBCFG_Help
               #endif
     
               VALUENAME "Start"
               VALUEOFF NUMERIC 3
               VALUEON NUMERIC 4
          END POLICY
     END CATEGORY
END CATEGORY

[Strings]

SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"

USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."

-----------------------------------------------End-----------------------------------------------
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question