Prevent access to USB Storage devices on a per user basis

Hi,

I'd like to know if it's possible to restrict USB devices on a per user bases, the only users that should be able to access USB Storage devices, are those in the "USB Access" security group.

I'm using both windows server 2000/2003 for this, with group policy management console. I know it can be done per machine, but we do need it per user, as everyone has roaming profiles.

In addition, this needs to be enforced, as im aware that if someone with rights inserts a usb stick, drivers are loaded into memory, thus anyone can use USB devices untill next reboot, any way to unload this or something?

Clients are windows XP based machines.

Thanks
Billy
LVL 1
billy_howardAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

billy_howardAuthor Commented:
Thanks,

But I need this for a network/server client architecture. I manage over 500 machines...

Regards
0
samiam41Commented:
billy,

I would recommend making a registry change to your XP clients.  Your clients have to be running at least SP2.

Here is the article where I found the information regarding this procedure (to give proper credit):
http://labnol.blogspot.com/2006/07/how-employers-disable-usb-ports-how.html

Let us know if you have a login script and whether it is a batch file (.bat) or a visual basic script (.vbs).
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

samiam41Commented:
The script will make the following changes:
Open registry and navigate to the following registry key:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\UsbStor
 
Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quite the registry editor. To enable the USB storage devices, change the Start value back to 3.

Open in new window

0
samiam41Commented:
oDbA came up with a solution I completely forgot about.  Use group policy to modify the registry based on the user's group assignment.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22733050.html

GPMC is available by download here in the event you don't have it:
http://go.microsoft.com/fwlink/?linkid=21813

Under a group policy (using Group Policy Management Console)
-Computer Configuration\Windows Settings\Security Settings\Registry
0
samiam41Commented:
Stick with the script option to import a reg file using startup under computer configuration in GPMC.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Michael PfisterCommented:
0
Michael PfisterCommented:
http://www.lumension.com/usb_security.jsp

(ex SecureWave Sanctuary Device Control)
0
billy_howardAuthor Commented:
Cheers for help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.