billy_howard
asked on
Prevent access to USB Storage devices on a per user basis
Hi,
I'd like to know if it's possible to restrict USB devices on a per-user basis; the only users that should be able to access USB storage devices are those in the "USB Access" security group.
I'm using both Windows Server 2000/2003 for this, with Group Policy Management Console. I know it can be done per machine, but we do need it per user, as everyone has roaming profiles.
In addition, this needs to be enforced, as I'm aware that if someone with rights inserts a USB stick, drivers are loaded into memory, thus anyone can use USB devices until next reboot. Any way to unload this or something?
Clients are Windows XP-based machines.
Thanks
Billy
ASKER
Thanks,
But I need this for a network/server client architecture. I manage over 500 machines...
Regards
billy,
I would recommend making a registry change to your XP clients. Your clients have to be running at least SP2.
Here is the article where I found the information regarding this procedure (to give proper credit):
http://labnol.blogspot.com/2006/07/how-employers-disable-usb-ports-how.html
Let us know if you have a login script and whether it is a batch file (.bat) or a visual basic script (.vbs).
The script will make the following changes:
Open registry and navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quit the registry editor. To enable the USB storage devices, change the Start value back to 3.
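An added example, not part of the original thread: a Python check that classifies machines from the captured output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\UsbStor /v Start`, using the Start values described above. The host names and sample output are constructed, and `allowed_hosts` is a hypothetical exemption list.

```python
import re

# Start values for the UsbStor service as given in the post above.
USBSTOR_DISABLED = 4   # service disabled, driver will not load
USBSTOR_ENABLED = 3    # driver loads on demand when a device is inserted

# Matches the "Start  REG_DWORD  0x4" line printed by reg.exe (spaces or tabs).
START_RE = re.compile(r"^\s*Start\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.MULTILINE)


def usbstor_state(reg_output):
    """Classify one machine from its captured `reg query` output."""
    match = START_RE.search(reg_output)
    if match is None:
        return "unknown"          # key or value missing, or the query failed
    start = int(match.group(1), 16)
    if start == USBSTOR_DISABLED:
        return "disabled"
    if start == USBSTOR_ENABLED:
        return "enabled"
    return "unexpected(%d)" % start


def audit(outputs, allowed_hosts=()):
    """Return hosts whose state is not 'disabled' and that are not exempt."""
    findings = {}
    for host, text in sorted(outputs.items()):
        state = usbstor_state(text)
        if state != "disabled" and host not in allowed_hosts:
            findings[host] = state
    return findings


# Constructed sample output, one entry per machine (hypothetical host names).
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor"
SAMPLE = {
    "PC-001": KEY + "\n    Start    REG_DWORD    0x4\n",
    "PC-002": KEY + "\n    Start\tREG_DWORD\t0x3\n",
    "PC-003": "ERROR: The system was unable to find the specified registry key or value.\n",
    "PC-004": KEY + "\n    Start    REG_DWORD    0x1\n",
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(host, state)
```

Machines reported as "unknown" need a manual look, since a missing Start value says nothing about whether USB storage is blocked.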
oDbA came up with a solution I completely forgot about. Use group policy to modify the registry based on the user's group assignment.
https://www.experts-exchange.com/questions/22733050/Modify-registry-key-permissions-with-script.html
GPMC is available by download here in the event you don't have it:
http://go.microsoft.com/fwlink/?linkid=21813
Under a group policy (using Group Policy Management Console)
-Computer Configuration\Windows Settings\Security Settings\Registry
ASKER
Cheers for help