USB disable / enable group policy logon script

Hi, I need to know if it is possible to use a logon script deployed through group policy to either disable or enable the use of USB storage devices on a computer based on which user is currently logged in? The average user in our organization will not be authorized to use USB storage devices but the IT staff & management need to be able to use a USB storage device on any computer in the domain. If someone could give me fairly explicit instructions on how to accomplish this it would be much appreciated as my vbs & group policy skills are not well developed at this point. Thanks!


I have implemented this. Basically, in my case, it disabled USB storage devices on all computers no matter if it's domain admin or user.
When I (admin) have to access the USB storage device or give someone temporary access, all I do is to go to c:\windows\inf file and give full permission to usbstor.inf and usbstor.pnf, then I go to Registry Editor, HKLM\System\CurrentControlSet\Services, and click on USBSTOR, modify the value "START".

Hope this helps.

This Microsoft Knowledge base article should shed a bit more light onto what you want to do. 
Also, if you want to know how to implement GP for that, here's a good link

Don (Network Administrator) commented:
This cannot be done, as the drivers implemented in the process of enabling/disabling USB are loaded during the startup phase (needs to be rebooted to turn on or off).

Doesn't need to be rebooted. You can gpupdate to make it work.

Don (Network Administrator) commented:
gpupdate doesn't load drivers

It works for me without restarting computer.
Don (Network Administrator) commented:
pbtech (Author) commented:
There has got to be a way to make it so that when an unauthorized user logs on a batch file runs to disable file permissions to usbstor.inf & usbstor.pnf & changes the registry value for USB storage devices that disables any existing or newly introduced USB storage device. Conversely an authorized user should have a batch file run when they log on that enables the file permissions & the registry & a log off batch file that automatically runs to disable USB storage devices when they leave. I just need the right vbs code to make the 3 batch files, 1 to disable on log on, 1 to enable on log on, & 1 to disable on log off. I also need guidance on how to create the GPO that deploys these logon / logoff scripts so that I can attach them to the appropriate OUs that contain authorized users in 1 OU & unauthorized users in a different OU. Thanks!
pbtech (Author) commented:
The directive I have been given by my manager is that for unauthorized users the usb storage be disabled & for authorized users they just have to log on & it works. I cannot implement a solution where authorized users have to do anything except stick the thumb drive into the usb slot.
Don (Network Administrator) commented:
I still stand by my comment that it cannot be done per user, it can only be done per computer and cannot be done via logon scripts.
pbtech (Author) commented:
dstewartjr, I know there are security products available that can accomplish this task exactly as I have stated it, the problem is we don't have a budget for this right now because of the economy. My question to you would be if you don't think it's possible then how are these software packages able to accomplish this task?
Don (Network Administrator) commented:
I have lost interest in this argument
pbtech (Author) commented:
Wow, I didn't realize we were arguing. Can you please explain in more detail why a logon / logoff script deployed through a GPO would be unable to accomplish this task? It seems to me that if it disables the file permissions & sets up the registry correctly then the unauthorized user, after the batch runs at logon, would be denied the use of a USB storage device & conversely when an authorized user logs on a batch file runs that sets the file permissions & the registry to the correct state to enable the use of a USB storage device then a batch file runs at logoff to re-disable it. Please tell me why this won't work, & I'm not being patronizing or sarcastic, I genuinely want to know why this will fail.
pbtech (Author) commented:
The registry & file permission changes that would be implemented by the batch file running when the user logs on would not require the computer to be rebooted to take effect....So what is the reason this strategy would fail?
Don (Network Administrator) commented:

The main reason it fails is that usbstor.sys needs to be loaded to enable usb which is loaded during startup.

In our environment we disable usb as below
Don (Network Administrator) commented:

Two things to note:

HKLM <<< machine setting
and driver on boot

Start = 4 (Disabled)  Don't start the driver on boot
Start = 3 (Enabled)   Start the driver on boot
Don (Network Administrator) commented:
OK, take a look here and go to the downloads and try usb disabler pro

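Make a file usbdisable.vbs with the following contents:

Dim WshShell
' WScript.Shell provides the Run method used below
Set WshShell = WScript.CreateObject("WScript.Shell")
' cacls /p system:n sets SYSTEM's access to none; "echo y" answers the cacls confirmation prompt
WshShell.Run "cmd /C echo y | cacls c:\windows\inf\usbstor.inf /p system:n"
WshShell.Run "cmd /C echo y | cacls c:\windows\inf\usbstor.pnf /p system:n"
Set WshShell = Nothing

Gpedit: User Config \ Windows Settings \ Scripts > Logon > Add > Domain Sysvol > Domain Script. Choose the above-created vbs file. Note: change N to F to allow device.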
Don (Network Administrator) commented:

Before you post a comment, it is wise to read others' comments.
Don (Network Administrator) commented:
Your comment is a repeat of the second comment in this thread.
pbtech (Author) commented:
Thank you for all your help with this issue.
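
The two controls argued over in this thread (the USBSTOR Start value under HKLM and the permissions on usbstor.inf / usbstor.pnf) can be checked per machine before deciding how to deploy them. The PowerShell below is an added example, not code from any poster in the thread; the function names Get-UsbStorState and Set-UsbStorStart are hypothetical. It assumes Windows PowerShell 3.0 or later and an elevated context such as a computer startup script, since by default standard users cannot write to this HKLM key.

```powershell
# Added example (not from the thread). Run elevated, e.g. as a computer startup script.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$InfFiles = 'usbstor.inf', 'usbstor.pnf' |
    ForEach-Object { Join-Path $env:SystemRoot "inf\$_" }

function Get-UsbStorState {
    # Start = 4 is the "disabled" value quoted in the thread, 3 the "enabled" one.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    $files = foreach ($path in $InfFiles) {
        $present = Test-Path -LiteralPath $path
        $acl = @()
        if ($present) {
            # One line per access entry: account, Allow/Deny, rights.
            $acl = @((Get-Acl -LiteralPath $path).Access | ForEach-Object {
                '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
            })
        }
        [pscustomobject]@{ Path = $path; Present = $present; Acl = $acl }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Start    = $start
        Disabled = ($start -eq 4)
        Files    = @($files)
    }
}

function Set-UsbStorStart {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(3, 4)]
        [int]$Value
    )
    # Only write when the value differs, and report what changed for logging.
    $before = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    if ($before -ne $Value) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $Value -Type DWord
    }
    [pscustomobject]@{ Before = $before; After = $Value; Changed = ($before -ne $Value) }
}

# Read-only report of the current machine state.
$state = Get-UsbStorState
$state | Format-List Computer, Start, Disabled
$state.Files | Format-List Path, Present, Acl

# Enforce "disabled" on machines where USB storage must stay off:
# Set-UsbStorStart -Value 4
```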
Windows Server 2008