Solved

Is it possible to lock down USB ports and CD/DVD drives using Microsft Group Policy?

Posted on 2008-10-03
8
1,407 Views
Last Modified: 2012-05-05
Hi
Environment is: Windows Server 2003, XP Pro workstations, Dell Hardware
I need to disable or restrict users from using "unauthorised" USB devices and CD/DVD Drives on any of our Domain computers. The PC's currently have USB connections to Keyboards, printers and mice, so I am obviously keen to keep these active. Is there any easy way to implement this process?
Thanks
0
Comment
Question by:healthmanagement
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 5

Accepted Solution

by:
libin_v earned 32 total points
ID: 22632853
0
 
LVL 1

Assisted Solution

by:computerguy79
computerguy79 earned 31 total points
ID: 22635111
While the Microsoft link note by Libin V is great and FREE,
here's a GUI tool you can use. its a little pricey but worth the investment. (especially if you are weary about creating custom .adm files and adding them to your AD)

I used to work in a high school enviro. where the kids made removable media my worst nightmare.

This utility allows a more micromanaged approach to individual machines rather than having to tailor it to specific OU's .

Please note one thing about the above article:
"Preference settings are hidden by default in the Group Policy template editor. When applying this template, follow these instructions to change the view settings that allow preferences to be viewed"
 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/e50f1e64-d7e5-4b6d-87ff-adb3cf874365.mspx

Make sure you check this out and configure this setting or you won't see the .adm correctly and you'll be banging your head wondering why its not working.  

Good luck.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 31 total points
ID: 22645150
To disallow certain but not all usb devices using group policy you would need vista.
0
 
LVL 2

Assisted Solution

by:patrickrw
patrickrw earned 31 total points
ID: 23000693
I've used a program called device lock. Yes you must purchase the license but it works very good and allows USB keyboard's and mice to still operate correctly. It will also allow specific usb thumb drives to work based on brand/encryption type if you need that capability.

http://www.devicelock.com/dl/

There's the website with the information on the software.
Good luck!
0
 
LVL 55

Expert Comment

by:McKnife
ID: 24593792
I would like to object.
The MS article does not give an answer to the question that is really on his mind (which is different to the title as one can read in the question body) "The PC's currently have USB connections to Keyboards, printers and mice, so I am obviously keen to keep these active...?".
So I suggest the correct answer is: no, there is no way to do it with xp clients and MS GPOs without using third party software.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question