Script to Edit Group Policy for USB Drive Discovery

Hello,
I am an administrator for a large organization and I am in need of a solution to a problem I am having. Current group policy is set so that the USBSTOR registry key value is set to 4, making USB storage device discovery unavailable. Some of my users require the use of authorized USB storage devices. I have been averting policy by simply editing the USBSTOR registry value with my admin credentials. Of course, every time the machine is restarted, group policy is pushed back down and the registry value is reset. Can anyone help me with a script that will use my admin credentials to edit the USBSTOR registry value each time the user logs in? I would really appreciate it! Thank you.
BoxunloX Asked:
merowinger Commented:
Why don't you create an AD group with all users which require USB support?
Then create a 2nd group policy which writes the "allow usb" key and give the AD group permissions to apply this policy. Additionally, deny this group the permissions on the original policy.
0
BoxunloX Author Commented:
It seems that it would just be easier from an administrative/overhead standpoint to just have a logon script that could be edited for each user. That is really what I am trying to do. I just need to add arguments to the current user's logon script that will edit the USBSTOR value using admin credentials upon login.
0
merowinger Commented:
In my opinion it's less overhead to create an allow policy for a specific AD group and a deny policy for the remaining users instead of creating a script which has to be run as a user logon script and execute tasks with admin credentials. You will have to store your admin credentials in the script!! -> Security Risk!
0
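The group-filtered "allow" policy suggested above could be set up as follows. This is an added example, not code posted by anyone in the thread; the group, GPO, OU, domain and computer names are hypothetical placeholders. Because the USBSTOR value lives under HKLM it is a per-computer setting, so this sketch filters on computer accounts, and since Set-GPPermission cannot write a deny entry it relies on link order (rather than a deny on the original policy) to let the allow GPO win.

```powershell
# Added example: a second GPO that re-enables USBSTOR only for members of one AD group.
# Requires the RSAT ActiveDirectory and GroupPolicy modules. All names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'USB-Storage-Allowed'                 # hypothetical security group
$GpoName   = 'Allow USB Storage (exceptions)'      # hypothetical GPO name
$TargetOu  = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU where the blocking GPO is linked
$GroupsOu  = 'OU=Groups,DC=example,DC=com'         # placeholder: OU that holds security groups
$UsbStor   = 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR'

# 1. Group holding the machines that are authorized to use USB storage.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupsOu
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity 'PC-0001')  # placeholder host

# 2. GPO that sets Start back to 3 (the driver's default, load on demand).
#    The blocking policy on this page sets the same value to 4.
New-GPO -Name $GpoName -Comment 'Exception to the USB storage block' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $UsbStor -ValueName 'Start' -Type DWord -Value 3 | Out-Null

# 3. Security filtering: only the exception group applies the GPO.
#    Authenticated Users keeps Read so clients can still evaluate the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link at the same OU as the blocking GPO with link order 1, so this GPO is
#    processed last and its value wins. Assumes the blocking GPO is not Enforced.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null

# 5. Review the resulting permissions before relying on the policy.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

A computer picks up new group membership at its next restart, after which `gpresult /r /scope computer` on the client shows whether the exception GPO was applied. No credentials are stored anywhere in this approach.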
BoxunloX Author Commented:
I agree. The credentials would be local admin, not domain. Still a risk, I understand. This is the way the security officer told me to go.
0
merowinger Commented:
Check out below!
runas /user:Administrator "reg add HKLM\SYSTEM\CurrentControlSet\services\USBSTOR /v Start /t REG_DWORD /d 4 /f" < password.txt


0

BoxunloX Author Commented:
Great solution from an obviously very knowledgeable expert!
0