How to disable USB pen drives over network (but must not affect usb keyboards and mice)

Hi,
What is the best solution to stop the use of pen drives on a network, given that we cannot disable USB fully because some PCs use USB keyboards and mice?

Would the best solution be GPOs?

YB
YellowbusTeamAsked:

bradleys40 Commented:
This can be achieved through Group Policy.

To collate all the information on how to do this would take me hours.
I hope you don't mind, but I have found a website that has a downloadable ADM file and instructions on using it.
http://www.petri.co.il/disable_usb_disks_with_gpo.htm
0
YellowbusTeam (Author) Commented:
Hi,
Thanks for that.

When I try to add the .ADM file in GPO editor I get the error:

'The following error occurred in
\\domain\*********\policies\**********************************\adm\usbsotre.adm on line 1L
Error 51 Unexpected keyword
Found <!DOCTYPE
Expected: CLASS, CATEGORY, [strings]
The file can not be loaded'


Any ideas?
0
bradleys40 Commented:
I have just found a blog about this error:
http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks
I will continue to look for a resolution to this issue.
0
bradleys40 Commented:
Create an ADM file with the code snippet and try to add this:
CLASS MACHINE
 
CATEGORY "Services und Drivers"
    POLICY "USB Storage"
    KEYNAME "System\CurrentControlSet\Services\usbstor"
     PART "Startup type" DROPDOWNLIST
       VALUENAME "Start"
           ITEMLIST
           NAME "Boot" VALUE NUMERIC 0
           NAME "System"   VALUE NUMERIC 1
           NAME "Auto Load"   VALUE NUMERIC 2 DEFAULT
           NAME "Load On Demand"       VALUE NUMERIC 3
           NAME "Disabled"   VALUE NUMERIC 4
           END ITEMLIST
     END PART
    END POLICY
END CATEGORY

0
YellowbusTeam (Author) Commented:
Hi,

How do I do that? :-)

0
bradleys40 Commented:
I have created the file for you; just remove the .txt and add .adm to the end of it.
removable-storage.txt
0
YellowbusTeam (Author) Commented:
Would you advise running it on the 'computer config' or 'user config' in GPO editor?

0
YellowbusTeam (Author) Commented:
Also, importing the .adm template: does this apply settings within the GPO editor as soon as it's added?

0
bradleys40 Commented:
Depends on your GP setup and how you want it to affect the computers or the users. I cannot answer that, only suggest that the safest way is at computer level; then no-one can use it on that machine.
0
bradleys40 Commented:
When the template is imported it is "available to enable".
0
YellowbusTeam (Author) Commented:
OK, thanks.

Once added, where in the GPO editor is it located so we can enable it?
0
bradleys40 Commented:
This will be under "services and drivers".

This will have to be my last post today; I need to go.
0
bradleys40 Commented:
If you have any probs, see this page; it's a good resource:
http://support.microsoft.com/kb/555324
0
YellowbusTeam (Author) Commented:
Thanks for your help.

Just a quickie - in 'services and drivers' there's nothing there?
0
bradleys40 Commented:
In order to successfully view and configure the new .ADM file settings you will need to change the default filtering view for the GPO Editor (or GPedit.msc). Unless you change these settings, the right pane will appear empty, even though it has the settings in it.

Follow these steps:
In GPEdit.msc (or any other GPO Editor window you're using) click on View > Filtering.

Click to un-select the "Only show policy settings that can be fully managed" check-box. Click Ok.

Now you will be able to see the new settings in the right pane:

You can now configure any of the above settings:

An additional step that needs to be performed before the above tip will work has to do with modifying the file access permissions for 2 files. You need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files.
You can do so by right clicking these files > Properties, then going to the Security tab. There you need to remove the line for the SYSTEM account.

See http://www.petri.co.il/disable_usb_disks_with_gpo.htm
for the implementation details.

I really must go now.
0
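Added example, not part of the original thread: a read-only PowerShell check of the two things the posts above configure, namely the usbstor `Start` value set by the ADM template and whether SYSTEM still has access to the two driver files. The default file paths are assumptions based on the locations named in this thread, and the script assumes PowerShell is available on the machine being checked.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Default file paths are assumptions; pass the locations that exist on your PCs.
param(
    [string[]]$DriverFiles = @(
        "$env:SystemRoot\inf\usbstor.inf",
        "$env:SystemRoot\system32\drivers\usbstor.sys"
    )
)

# Same value-to-name mapping as the ITEMLIST in the ADM template above.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto Load'; 3 = 'Load On Demand'; 4 = 'Disabled' }

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\usbstor'
$svc = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "usbstor: Start value not found under $key"
} else {
    $start = [int]$svc.Start
    $label = $startNames[$start]
    if ($null -eq $label) { $label = 'unknown' }
    Write-Output "usbstor: Start = $start ($label)"
    if ($start -ne 4) {
        Write-Output "  -> not Disabled (4): the GPO setting has not reached this machine"
    }
}

# Identities are returned as SIDs so the check does not depend on the
# localized account name. S-1-5-18 is the Local System account.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($file in $DriverFiles) {
    if (-not (Test-Path -Path $file)) {
        Write-Output "${file}: not found"
        continue
    }
    # Explicit and inherited access rules on the file.
    $rules = (Get-Acl -Path $file).GetAccessRules($true, $true, $sidType)
    $systemAllow = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-18' -and $_.AccessControlType -eq 'Allow'
    })
    if ($systemAllow.Count -gt 0) {
        $rights = ($systemAllow | ForEach-Object { $_.FileSystemRights }) -join '; '
        Write-Output "${file}: SYSTEM still has Allow access ($rights)"
    } else {
        Write-Output "${file}: no Allow entry for SYSTEM"
    }
}
```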
YellowbusTeam (Author) Commented:
That's great - thanks
0
YellowbusTeam (Author) Commented:
Regarding the 2 files, usbstor.sys and usbstor.inf:

Where are these located, as there are a few different locations with the same files?

0
YellowbusTeam (Author) Commented:
Also - is it true that this will only work if the PC has had a USB pen drive in it in the past?
0
bradleys40 Commented:
The files should be found in c:\windows\inf.
I am not aware that this will only work if a USB pen has been used in the past; in my last position this was implemented on new machines.
0
YellowbusTeam (Author) Commented:
Hi,

I have found the .inf file in '\Windows\info'; however, usbstor.sys isn't there - any ideas?

There is a copy of usbstor.sys in '\system32\drivers' - is this it?

Thanks

0
YellowbusTeam (Author) Commented:
Any news on:

'I have found the .inf file in '\Windows\info'; however, usbstor.sys isn't there - any ideas?
There is a copy of usbstor.sys in '\system32\drivers' - is this it?'



thanks
0
YellowbusTeam (Author) Commented:
Is the above the correct file?
0
Windows Server 2003