Prevent access to USB Storage devices on a per user basis


I'd like to know if it's possible to restrict USB devices on a per-user basis. The only users that should be able to access USB storage devices are those in the "USB Access" security group.

I'm using both Windows Server 2000/2003 for this, with Group Policy Management Console. I know it can be done per machine, but we do need it per user, as everyone has roaming profiles.

In addition, this needs to be enforced, as I'm aware that if someone with rights inserts a USB stick, drivers are loaded into memory, thus anyone can use USB devices until the next reboot. Is there any way to unload this or something?

Clients are Windows XP based machines.


billy_howard (Author) commented:

But I need this for a network/server client architecture. I manage over 500 machines...


I would recommend making a registry change to your XP clients.  Your clients have to be running at least SP2.

Here is the article where I found the information regarding this procedure (to give proper credit):

Let us know if you have a login script and whether it is a batch file (.bat) or a visual basic script (.vbs).

The script will make the following changes:
Open the registry and navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quit the registry editor. To enable the USB storage devices, change the Start value back to 3.


oDbA came up with a solution I completely forgot about.  Use group policy to modify the registry based on the user's group assignment.

GPMC is available by download here in the event you don't have it:

Under a group policy (using Group Policy Management Console)
-Computer Configuration\Windows Settings\Security Settings\Registry
Stick with the script option to import a reg file using startup under computer configuration in GPMC.
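
An added example, not part of the original thread: a PowerShell audit of the UsbStor Start value that the answers above set, so machines that drift from the intended setting (4 disabled, 3 enabled) can be found. The function name Get-UsbStorState and the host names in the usage comment are hypothetical; remote reads assume the Remote Registry service is reachable and the caller has administrative rights on the target.

```powershell
# Added example: audit the UsbStor Start value (4 = disabled, 3 = enabled).
# Get-UsbStorState and the host names in the usage comment are hypothetical.
function Get-UsbStorState {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$ExpectedStart = 4   # value the policy is supposed to enforce
    )
    $keyPath = 'SYSTEM\CurrentControlSet\Services\UsbStor'
    $hive    = [Microsoft.Win32.RegistryHive]::LocalMachine
    foreach ($computer in $ComputerName) {
        $start = $null; $note = ''; $hklm = $null; $key = $null
        try {
            # Reads on remote machines go through their Remote Registry service.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            $key  = $hklm.OpenSubKey($keyPath)   # read-only handle
            if ($null -eq $key) {
                $note = 'UsbStor key not found'
            } else {
                $start = $key.GetValue('Start')
                if ($null -eq $start) { $note = 'Start value missing' }
            }
        } catch {
            # Unreachable host, access denied, service stopped, and so on.
            $note = 'Registry read failed: ' + $_.Exception.Message
        } finally {
            if ($null -ne $key)  { $key.Close() }
            if ($null -ne $hklm) { $hklm.Close() }
        }
        if     ($null -eq $start) { $state = 'Unknown' }
        elseif ($start -eq 4)     { $state = 'Disabled' }
        elseif ($start -eq 3)     { $state = 'Enabled' }
        else                      { $state = 'Unexpected' }

        New-Object PSObject -Property @{
            Computer  = $computer
            Start     = $start
            State     = $state
            Compliant = ($start -eq $ExpectedStart)
            Note      = $note
        } | Select-Object Computer, Start, State, Compliant, Note
    }
}

# Checks the local machine by default. To list only machines that drifted:
#   Get-UsbStorState -ComputerName 'PC-001','PC-002' | Where-Object { -not $_.Compliant }
Get-UsbStorState
```

A machine that cannot be read is reported as Unknown and non-compliant rather than skipped, so unreachable clients stay visible in the result.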

Michael Pfister commented:

(ex SecureWave Sanctuary Device Control)
billy_howard (Author) commented:
Cheers for help