Solved

USB disable / enable group policy logon script

Posted on 2009-12-28
Last Modified: 2012-05-08
Hi, I need to know if it is possible to use a logon script deployed through group policy to either disable or enable the use of USB storage devices on a computer based on which user is currently logged in? The average user in our organization will not be authorized to use USB storage devices but the IT staff & management need to be able to use a USB storage device on any computer in the domain. If someone could give me fairly explicit instructions on how to accomplish this it would be much appreciated as my vbs & group policy skills are not well developed at this point. Thanks!
Question by:pbtech
 
LVL 13

Expert Comment

by:jaynir
ID: 26134724
Well,

I have implemented this. Basically, in my case, it disabled USB storage devices on all computers no matter if it's domain admin or user.
When I (admin) have to access the USB storage device or give someone temporary access, all I do is go to the c:\windows\inf folder and give full permission to usbstor.inf and usbstor.pnf, then I go to registry editor HLM_System_CurrentControlSet_services and click on USBSTOR, modify the value "START".


Hope this helps.

0
 
LVL 5

Expert Comment

by:geeked
ID: 26134738
This Microsoft Knowledge base article should shed a bit more light onto what you want to do.
http://support.microsoft.com/kb/555324 
0
 
LVL 13

Expert Comment

by:jaynir
ID: 26134742
Also, if you want to know how to implement GP for that, here's a good link http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26134762
This cannot be done, as the drivers implemented in the process of enabling/disabling USB are loaded during the startup phase (needs to be rebooted to turn on or off).
0
 
LVL 13

Accepted Solution

by:
jaynir earned 2000 total points
ID: 26134772


Doesn't need to be rebooted. You can gpupdate to make it work.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26134809
gpupdate doesn't load drivers
0
 
LVL 13

Expert Comment

by:jaynir
ID: 26134826
It works for me without restarting computer.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26135009
0
 

Author Comment

by:pbtech
ID: 26135730
There has got to be a way to make it so that when an unauthorized user logs on a batch file runs to disable file permissions to usbstor.inf & usbstor.pnf & changes the registry value for USB storage devices that disables any existing or newly introduced USB storage device. Conversely an authorized user should have a batch file run when they log on that enables the file permissions & the registry & a log off batch file that automatically runs to disable USB storage devices when they leave. I just need the right vbs code to make the 3 batch files, 1 to disable on log on, 1 to enable on log on, & 1 to disable on log off. I also need guidance on how to create the GPO that deploys these logon / logoff scripts so that I can attach them to the appropriate OUs that contain authorized users in 1 OU & unauthorized users in a different OU. Thanks!
0
 

Author Comment

by:pbtech
ID: 26135747
The directive I have been given by my manager is that for unauthorized users the usb storage be disabled & for authorized users they just have to log on & it works. I cannot implement a solution where authorized users have to do anything except stick the thumb drive into the usb slot.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26135753
I still stand by my comment that it cannot be done per user, it can only be done per computer and cannot be done via logon scripts.
0
 

Author Comment

by:pbtech
ID: 26135778
dstewartjr, I know there are security products available that can accomplish this task exactly as I have stated it, the problem is we don't have a budget for this right now because of the economy. My question to you would be if you don't think it's possible then how are these software packages able to accomplish this task?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26135790
I have lost interest in this argument
0
 

Author Comment

by:pbtech
ID: 26135828
Wow, I didn't realize we were arguing. Can you please explain in more detail why a logon / logoff script deployed through a GPO would be unable to accomplish this task? It seems to me that if it disables the file permissions & sets up the registry correctly then the unauthorized user, after the batch runs at logon, would be denied the use of a USB storage device & conversely when an authorized user logs on a batch file runs that sets the file permissions & the registry to the correct state to enable the use of a USB storage device then a batch file runs at logoff to re-disable it. Please tell me why this won't work, & I'm not being patronizing or sarcastic, I genuinely want to know why this will fail.
0
 

Author Comment

by:pbtech
ID: 26135851
The registry & file permission changes that would be implemented by the batch file running when the user logs on would not require the computer to be rebooted to take effect....So what is the reason this strategy would fail?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26135881
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_21536907.html

The main reason it fails is that usbstor.sys needs to be loaded to enable usb which is loaded during startup.

In our environment we disable usb as below


http://windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26135892

two things to note:

hklm<<<machine setting
and driver on boot

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
Start = 4 (Disabled)  Don't start the driver on boot
Start = 3 (Enabled)   Start the driver on boot
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26135925
OK, take a look here, go to the downloads and try USB Disabler Pro


http://www.intelliadmin.com/index.php/2007/01/disable-usb-flash-drives/
0
 
LVL 10

Expert Comment

by:tmoore1962
ID: 26141796
Make file usbdisable.vbs with the following contents:
' usbdisable.vbs - set SYSTEM's permission on the USB storage driver files to N (none)
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
' "echo y" answers the cacls confirmation prompt
WshShell.Run "cmd /C echo y | cacls c:\windows\inf\usbstor.inf /p system:n"
WshShell.Run "cmd /C echo y | cacls c:\windows\inf\usbstor.pnf /p system:n"
Set WshShell = Nothing

Gpedit User Config \ Windows Settings \ Scripts Logon Add Domain Sysvol Domain Script Choose the above created vbs file.  Note: change N to F to allow device.
0
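
An added example, not part of any post in this thread: a read-only PowerShell check of the two machine-wide settings discussed above (the UsbStor Start value and SYSTEM's permissions on usbstor.inf / usbstor.pnf), plus whether the session running it is elevated, which matters because a logon script runs in the logged-on user's context. The function names are hypothetical, the Start labels are the ones given in the thread, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): read-only audit, it changes nothing.
# Function names are hypothetical; key path, file names and Start labels follow the posts above.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$InfDir     = Join-Path $env:windir 'inf'

function Get-UsbStorStart {
    # Start value as labelled in the thread: 3 = Enabled, 4 = Disabled
    $item = Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'KeyOrValueMissing' }
    switch ($item.Start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Other($($item.Start))" }
    }
}

function Get-SystemAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return 'AclUnreadable' }
    # Match SYSTEM by its well-known SID (S-1-5-18) so localized account names still match
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-18' }
    if (-not $rules) { return 'NoEntryForSystem' }
    ($rules | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
}

function Test-IsElevated {
    # With default permissions, changing either setting needs an administrative token
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# One summary object per machine, suitable for collecting across the domain
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    User          = "$env:USERDOMAIN\$env:USERNAME"
    Elevated      = Test-IsElevated
    UsbStorStart  = Get-UsbStorStart
    UsbStorInfAcl = Get-SystemAccess (Join-Path $InfDir 'usbstor.inf')
    UsbStorPnfAcl = Get-SystemAccess (Join-Path $InfDir 'usbstor.pnf')
}
```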
 
LVL 2

Expert Comment

by:pathakhemant
ID: 26143358
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26143367
pathakhemant

Before you post a comment it is wise to read others' comments
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 26143372
Your comment is a repeat of the second comment in this thread
0
 

Author Comment

by:pbtech
ID: 26177319
Thank you for all your help with this issue.
0
