rajoo_sharma

asked on

Disable USB using group policy in a win2k3 domain, template not available after importing (Add)

Hi,
In a win2k3 domain I want to disable USB using group policy. By default, Group Policy does not offer a facility to easily disable drives containing removable media, such as USB ports...

The solution is available at:
http://support.microsoft.com/default.aspx/kb/555324
but when I did as explained, the imported template was not available in the group policy.

Please help me find out why it is not appearing; the screenshots of what I did are attached, and the .adm file also.
(I uploaded the usb.adm file as usb.adm.txt because the .adm extension is not allowed, but while importing it in GP it was usb.adm only.)
Regards
Rajeev



1.PNG
2.PNG
3.PNG
4.PNG
usb.adm.txt
gump103

You need to change your viewing filter: right-click on Restricted Drives and choose View, Filtering.
Untick "Only show policy settings that can be fully managed" and click OK.

You will be able to see the settings now.
(That should be right-click on "Restrict Drives".)

ASKER

Thanks buddy, it was absolutely helpful, I could see the options.

But the settings did not work :-(. The user in the OU could access a pen drive. I restarted the server before testing it. Please help me :-)

Regards
The machine using the pen drive would need the policy to take effect. Try running gpupdate /force on the machine that the pen drive is connected to. It will replicate out to the machines over the next few hours anyway, depending on the network.
I have not used this particular setting before, but it may well not work until the pen drive is removed and reinserted as well. It looks like it restricts the driver from installing.
Yes, it did not work. I ran gpupdate /force also.

I'm stuck to you :-). Is there any other way to disable usb using group policy? It's a big headache.

Regards
I've just tested it and it only worked after rebooting the machine. The policy stops the driver loading into memory, and as such it doesn't work until the driver is not loaded in memory in the first place.
Just check that you have got the USB policy set to Enabled, and the setting within it to Enabled. It will set the registry value to 4 if it is working correctly:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR] "Start" will be set to 4 if it is applying correctly on the target machine.
Thank you so much for the support, I'll try it again and when I'm back in the office Saturday evening ( :-(  )

and get back to you.

Thanks once again
Regards
Hi,
as gump says, the key is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
You can have a VBS script change this value to 4.
I notice that even the CDROM and the floppy disk, when they have the Start DWORD value = 4, are disabled.
Another way: use GFI Endpoint Security.
 
Thanks Housammuhanna,

GFI Endpoint Security is paid, Is there any freeware or within GPO solution?
Regards
ASKER CERTIFIED SOLUTION
Mehmet Muhanna
This solution is only available to members.
Hi Housammuhanna,

Yes it is not setting the value to 4.

Please let me know where should I run this script from?

I created a .bat file with the script you gave, tried it running as logon script (added it in the GPO->User Configuration->Windows Setting->Scripts->Logon )

but the reg value did not change to 4 and USB worked.


Hi Rajoo, running this as a logon script would be of no use unless the user was an admin on the machine he/she is logging onto. Does the group policy still not work for the machines on which you were testing?
If it's not working, are you sure that you have linked it to the same OU in AD that the machines are placed in?
If you want to use the script, attach it as a startup or shutdown script for the computers, not the users.
Dear Rajoo:
This is not a .bat file;
this is a .VBS file.
Do exactly what you did before, but put it in Computer Configuration\Startup Scripts.

Note that the OU that you are applying this script to should include the computer object that this policy will apply to.

Have a nice day
Hi gump, housammuhanna,
thank you so much for helping me.

Gump, the group policy is still not working on my target machine. All other settings are applied through the group policy, for example hiding the Control Panel, disabling the Run command, hiding the Tools -> Folder Options menu of Windows Explorer, setting the proxy, etc. I mean a lot of settings are working fine except this one :-(. It does not matter whether it is disabled through group policy or a script; I really have to disable it on logon.

housammuhanna, the computer object is not in this OU, It is a multimedia institute's network comprising of 100+ computers in labs, we have three OUs (Staff, Projects and Students), moving the computer object to one of the OUs will not have effect on other two.

I'm really stuck, please help.
Hi again Rajoo
Can you post the results of a 'gpresult /v'? I'm just interested in whether the setting is making it to the machine and not working, or whether it isn't even being seen by the machine.
In my test setup it shows as

            GPO: test AV gpo
                Setting: SYSTEM\CurrentControlSet\Services\USBSTOR
                State:   Enabled

Ignore the name I used though as I added the settings to a GPO I've been using for AV settings.

Also, can you confirm whether the GPO is linked to the users' OU or the computers' OU? It does have to be linked to the OUs that the computers are located in, not the one where the users are located. This setting disables drivers that are required by the machine irrespective of user. If you link it at a user level then I don't think it will work, as the user doesn't have the rights to change the registry key mentioned above.
The same applies to the use of the VBS script, in that it needs to be run by the system account in order to have permissions to change the registry key.

Hi gump,

Thanks for the support. I'll post the 'gpresult /v' output around 7 PM IST (GMT+5:30) when I reach the institute. I'm actually a part-time network administrator there.

Thank you so much for the support you have given.

Regards
Hi gump,

please find the gpresult /v output as attachment.

Regards

gpresult.txt
Hi Rajoo
The problem is that there is no computer policy being applied at all, due to filtering. The easiest thing to do is create a new policy in the OU in which the computer 1sys1 is stored, import the custom template into the computer templates as you did before, and then set the Restrict USB policy to Enabled and the setting within the policy also to Enabled.
I've pasted the section which shows that there are no computer policies applied to that machine.
After the policy is configured and gpupdate /force is run, you will be able to run gpresult /v again and see the policy applied in the computer section. You can then confirm the registry key is applied as mentioned above, and after a reboot the machine will ignore any further USB memory.
All being well :)

COMPUTER SETTINGS
------------------
    CN=1SYS1,CN=Computers,DC=arenarajouri,DC=com
    Last time Group Policy was applied: 7/22/2008 at 7:26:36 PM
    Group Policy was applied from:      controller2.arenarajouri.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        N/A


    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)
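Added example (my code, not from any poster in this thread): a small Python script that reads a saved gpresult /v report such as the gpresult.txt attachment and reports the things gump checks by hand above: whether any GPO applied under COMPUTER SETTINGS, which GPOs were filtered out and why, and whether the USBSTOR setting arrives on the computer side or only under USER SETTINGS (the user-scope mistake gump describes). The embedded report is constructed from the excerpt quoted above; the "Students Lockdown" GPO name and the user-side section are assumptions. On Windows it also reads the local USBSTOR Start value that gump mentions (4 = disabled); on other systems that check returns None.

```python
"""Triage a saved `gpresult /v` report (XP / Server 2003 text layout) for the
USB-storage policy: is anything applied under COMPUTER SETTINGS, which GPOs
were filtered out and why, and does the USBSTOR setting arrive on the
computer side or only the user side?  Windows only: read the local Start value."""
import re
import sys

USBSTOR_KEY = r"SYSTEM\CurrentControlSet\Services\USBSTOR"

# Constructed sample modelled on the excerpt posted in the thread: nothing applied
# on the computer side, while the user side received a GPO carrying the USBSTOR
# setting.  The "Students Lockdown" GPO name is an assumption.
SAMPLE_GPRESULT = r"""
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Students Lockdown

    Administrative Templates
    ------------------------
        GPO: Students Lockdown
            Setting: SYSTEM\CurrentControlSet\Services\USBSTOR
            State:   Enabled
"""

def split_sections(report):
    # Map "COMPUTER" / "USER" to the text below each top-level SETTINGS header.
    parts = re.split(r"^(COMPUTER|USER) SETTINGS\s*$", report, flags=re.M)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def applied_gpos(section):
    # Names listed under "Applied Group Policy Objects"; gpresult prints N/A for none.
    m = re.search(r"Applied Group Policy Objects\n[ \-]+\n((?:[ ]{8}\S.*\n)+)", section)
    names = [n.strip() for n in m.group(1).splitlines()] if m else []
    return [] if names == ["N/A"] else names

def filtered_gpos(section):
    # {gpo name: reason}: a GPO line (8 spaces) followed by a "Filtering:" line (12 spaces).
    pairs = re.findall(r"^[ ]{8}(\S.*?)\s*\n[ ]{12}Filtering:\s*(.+?)\s*$", section, re.M)
    return dict(pairs)

def usbstor_settings(section):
    # (gpo, state) for each USBSTOR administrative-template entry in the section.
    out, gpo = [], None
    for line in section.splitlines():
        if m := re.match(r"^\s*GPO:\s*(.+?)\s*$", line):
            gpo = m.group(1)
        elif re.match(r"^\s*Setting:\s*" + re.escape(USBSTOR_KEY) + r"\s*$", line, re.I):
            out.append([gpo, None])
        elif out and out[-1][1] is None and (m := re.match(r"^\s*State:\s*(.+?)\s*$", line)):
            out[-1][1] = m.group(1)
    return [tuple(x) for x in out]

def diagnose(report):
    # Findings that explain why a pen drive may still work despite the GPO.
    s = split_sections(report)
    comp, user = s.get("COMPUTER", ""), s.get("USER", "")
    comp_usb, user_usb = usbstor_settings(comp), usbstor_settings(user)
    findings = []
    if not applied_gpos(comp):
        findings.append("no GPO applied under COMPUTER SETTINGS: check the link on the computers' OU and security filtering")
        findings += [f"computer-side GPO '{g}' filtered out: {why}" for g, why in filtered_gpos(comp).items()]
    if user_usb and not comp_usb:
        findings += [f"USBSTOR setting ({st}) arrives only under USER SETTINGS via '{g}'; it belongs in Computer Configuration" for g, st in user_usb]
    if not comp_usb and not user_usb:
        findings.append("USBSTOR setting not present in either section: re-check the imported template")
    return findings

def usbstor_start_value():
    # Local registry check, Windows only: Start 4 = driver disabled, 3 = default (demand start).
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_KEY) as key:
        return winreg.QueryValueEx(key, "Start")[0]

if __name__ == "__main__":  # usage: python gpresult_triage.py gpresult.txt  (no argument: run on the sample)
    report = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_GPRESULT
    print("\n".join("- " + f for f in diagnose(report)) or "- no problem found in the report")
    print("- local USBSTOR Start =", usbstor_start_value(), "(4 = disabled; None = not Windows)")
```

Run it against the sample and it lists the computer-side filtering of the Default Domain Policy and the fact that the USBSTOR setting only reached the user section. A clean report (GPO applied and USBSTOR listed under COMPUTER SETTINGS) produces no findings. As gump notes, even a correct Start = 4 only takes effect once usbstor.sys is no longer loaded, so the reboot is still needed after the value changes.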
Hi gump,

As you said

"The easiest thing to do is create a new policy in the OU in which the computer 1sys1 is stored..."

Does this mean this setting will not work user-wise? I mean, suppose I do not want users of the "Students" OU to access USB but I want "Staff" users to access it. By applying it at machine level, will it be stopped for everyone?

Regards
SOLUTION
This solution is only available to members.
gump, you've been a great support. I'll try the suggested solution in the evening and update you.
Thanks and Regards
Hi gump,

denying access to usbstor.sys didn't work :-(

??????????????????????

Regards
SOLUTION
This solution is only available to members.
The solutions I provided to Rajoo would have worked for him if followed as per my instructions. I tested most of the instructions and explained the flaws in each, as detailed above.
The answer I offered also works at several companies, and they have no problem with USB anymore.