Solved

Prevent people from using USB storage drives on a domain.

Posted on 2010-11-09
Last Modified: 2012-05-10
I am looking for a custom Group Policy to prevent people from plugging in USB flash drives, portable hard drives and media card readers to transfer data from and to my Windows machines managed on a Windows 2003 domain.

I manage 20 machines, 13 are Windows XP, 5 are Windows Seven and 2 are Windows Vista. I'm trying to set up a custom Group Policy that disables:

USB flash drives
USB portable hard drives
Removable media cards (SD, CF) or USB card readers

...without disabling document scanners or printers or any other USB devices.

I already tried...

"Open registry and navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quit the registry editor. To enable the USB storage devices, change the Start value back to 3."

... but I saw that it only disables portable USB hard drives, it does not disable reading from SD cards and I think it may have to be done on each machine.

Is there a problem when trying to set up group policies on a Windows 2003 server to enable them on different Windows clients (Seven, Vista and XP)?
0
Question by:carloslaso
6 Comments
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34097686
There is nothing wrong in trying it on Server 2003 as long as it doesn't disrupt users. Put a test machine or user in an OU, create a new policy and link it to the OU. Do gpupdate /force on the client to see the immediate effects. Good luck.
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 300 total points
ID: 34097770
A potentially easier, more comprehensive solution is to use a third-party product like DriveLock - I have it at an attorney client I have and they like it. Depending on who you log in as, they have the ability to copy everything they want to any USB device they want (the partners) OR they are denied access to copy the data to USB, CD, DVD, etc. if they are the staff. I believe DriveLock offers a trial and is AD based.
0
 
LVL 9

Expert Comment

by:djpazza
ID: 34097897
Here's the custom group policy you could use to block out USB and CD drives:

http://support.microsoft.com/kb/555324
0

Author Comment

by:carloslaso
ID: 34099052
moon blue69: I already have a 2003 server and Seven, Vista and XP running, I thought that would not have been possible to implement.

leew: I like that option, I may have to try that if I don't find a custom group policy.

djpazza: I already tried that custom GP but I am having problems with the SD/CF cards.
0
 
LVL 2

Assisted Solution

by:mitrum
mitrum earned 200 total points
ID: 34104787
I use a third-party product called GFI EndPointSecurity for the same, but it is not free. One free tool I tried was NetWrix USB Blocker, which is provided free of charge (limited to 50 managed computers) for use by organizations and individuals.
0
 
LVL 9

Expert Comment

by:djpazza
ID: 34111676
For the other devices how about this:

http://technet.microsoft.com/en-us/library/cc730808%28WS.10%29.aspx

Create a custom class based on the SD/CF GUIDs.
0
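
A way to check on a client, after gpupdate, whether the two settings discussed in this thread are actually in place: the UsbStor Start value from the question and a device-class deny list of the kind the last comment points to. This is an added example, not code from any poster or from Microsoft; it assumes PowerShell 2.0 or later, the function name is hypothetical, and the class GUID is a placeholder because the thread does not give the SD/CF GUIDs.

```powershell
# Added example: report, on the local client, the two settings this thread discusses.
function Get-UsbStorageLockdown {      # hypothetical name
    param(
        # Placeholder GUID: the thread does not list the SD/CF class GUIDs.
        # Read the real ones from the device's Details tab in Device Manager.
        [string[]]$ExpectedDeniedClass = @('{00000000-0000-0000-0000-000000000000}')
    )
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $listKey = Join-Path $polKey 'DenyDeviceClasses'

    # Start = 4 disables the USB mass-storage driver, 3 enables it (values from the question).
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start

    # Device Installation Restrictions (Windows Vista and later; XP ignores these keys):
    # DenyDeviceClasses = 1 turns the rule on, and the subkey of the same name
    # holds one device setup class GUID per numbered value.
    $denyOn = (Get-ItemProperty -Path $polKey -Name DenyDeviceClasses -ErrorAction SilentlyContinue).DenyDeviceClasses
    $denied = @()
    if (($denyOn -eq 1) -and (Test-Path $listKey)) {
        $key    = Get-Item $listKey
        $denied = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }

    # Expected classes that no policy value covers (string comparison is case-insensitive).
    $missing = @($ExpectedDeniedClass | Where-Object { $denied -notcontains $_ })

    New-Object PSObject -Property @{
        Computer            = $env:COMPUTERNAME
        UsbStorStart        = $start
        UsbStorDisabled     = ($start -eq 4)
        DeniedClasses       = $denied
        MissingClasses      = $missing
        # True only when both settings are in place on this machine.
        BothSettingsApplied = (($start -eq 4) -and ($missing.Count -eq 0))
    }
}

Get-UsbStorageLockdown | Format-List
```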
