• Status: Solved
  • Priority: Medium
  • Security: Public

Script to Edit Group Policy for USB Drive Discovery

Hello,
I am an administrator for a large organization and I am in need of a solution to a problem I am having. Current group policy is set so that the USBSTOR registry key value is set to 4, making USB storage device discovery unavailable. Some of my users require the use of authorized USB storage devices. I have been averting policy by simply editing the USBSTOR registry value with my admin credentials. Of course every time the machine is re-started group policy is pushed back down and the registry value is reset. Can anyone help me with a script that will use my admin credentials to edit the USBSTOR registry value each time the user logs in? I would really appreciate it! Thank you.
Asked:
BoxunloX
 
merowinger Commented:
Why don't you create an AD group with all users which require USB support.
Then create a 2nd group policy which writes the "allow usb" key and give the AD group permissions to apply this policy. Additionally deny this group the permissions on the original policy.
 
BoxunloX (Author) Commented:
It seems that it would just be easier from an administrative/overhead standpoint to just have a logon script that could be edited for each user. That is really what I am trying to do. I just need to add arguments to the current user's logon script that will edit the USBSTOR value using admin credentials upon login.
 
merowinger Commented:
In my opinion it's less overhead to create an allow policy for a specific AD group and a deny policy for the remaining users instead of creating a script which has to be run as a user logon script and execute tasks with admin credentials. You will have to store your admin credentials in the script!! -> Security Risk!
 
BoxunloX (Author) Commented:
I agree. The credentials would be local admin, not domain. Still a risk I understand. This is the way the security officer told me to go.
 
merowinger Commented:
Check out below!
runas /user:Administrator "reg add HKLM\SYSTEM\CurrentControlSet\services\USBSTOR /v Start /t REG_DWORD /d 3 /f" < password.txt
 
BoxunloX (Author) Commented:
Great solution from an obviously very knowledgeable expert!
Question has a verified solution.
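
The group-filtered "allow" policy that merowinger recommends in the thread, sketched as an added example (not code from any participant) using the ActiveDirectory and GroupPolicy PowerShell modules, so no administrator password is stored in a logon script. The group name, GPO name, OU path and computer names are hypothetical placeholders; because USBSTOR lives under HKLM and is processed as computer policy, this sketch assumes the group holds the authorized users' workstations rather than the user accounts.

```powershell
# Added example: every name below is a hypothetical placeholder for your own environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'USB-Storage-Allowed'                  # security group for authorized machines
$GpoName   = 'Allow USB Storage (exceptions)'       # second, group-filtered GPO
$TargetOu  = 'OU=Workstations,DC=example,DC=com'    # OU that contains the workstations
$UsbKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Computers = 'WS-0142', 'WS-0207'                   # constructed sample computer names

# 1. Create the security group once; membership is the only thing edited afterwards.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$Computers | ForEach-Object {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $_)
}

# 2. Create the allow GPO and set USBSTOR\Start to 3 (load on demand, the Windows default).
#    The restrictive policy described in the question sets this value to 4.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'USB storage exception for approved machines' | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key $UsbKey -ValueName 'Start' -Type DWord -Value 3 | Out-Null

# 3. Security filtering: only the group may apply the GPO. Authenticated Users keep
#    read access so computers can still read the GPO, but they no longer apply it.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link with the highest precedence on the OU so it wins over a restrictive GPO
#    linked at the same level. A Deny "Apply group policy" entry on the original
#    policy cannot be set with Set-GPPermission; add it in GPMC under
#    Delegation > Advanced if the original policy is enforced or linked lower down.
if (-not ((Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName -contains $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null
}

# 5. Review the result: who can apply the GPO and which value it writes.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
Get-GPRegistryValue -Name $GpoName -Key $UsbKey -ValueName 'Start'
```

A computer picks up a new group membership only after it restarts, so the exception takes effect on the next boot rather than on the next `gpupdate`.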