Solved

Prevent people from using USB storage drives on a domain.

Posted on 2010-11-09
6
1,211 Views
Last Modified: 2012-05-10
I am looking for a custom Group Policy to prevent people from plugging USB flash drives, portable hard drives and Media Card Readers to transfer data from and to my windows machines managed on a windows 2003 domain.

I manage 20 machines, 13 are Windows XP, 5 are Windows Seven and 2 are Windows Vista. I'm trying to setup a custom Group Policy that disables:

USB flash drives
USB portable hard drives
Removable media cards (SD, CF) or USB card readers

...without disabling document scanners or printers or any other USB devices.

I already tried...

(("Open registry and navigate to the following registry key:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\UsbStor
 
Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quite the registry editor. To enable the USB storage devices, change the Start value back to 3."))

... but I saw that it only disables portable USB hard drives, it does not disable reading from SD cards and I think it may have to be done on each machine.

Is there a problem when trying to set up group policies on a windows 2003 server to enable them on different windows clients (seven, vista and XP)?
0
Comment
Question by:carloslaso
6 Comments
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34097686
There is nothing wrong in trying it on server 2003 as long as it doesnt disrupt users. put a test machine or user in an OU create new policy link it to the OU. do gpupdate /force on client to see the immediate effetcs good luck
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 300 total points
ID: 34097770
A potentially easier, more comprehensive solution is to use a third party product like DriveLock - I have it at an attorney client I have and they like it.  Depending on who you log in as, they have the ability to copy everything they want to any USB device they want (the partners) OR they are denied access to copy the data to USB, CD, DVD, etc if they are the staff.  I believe DriveLock offers a trial and is AD based.
0
 
LVL 9

Expert Comment

by:djpazza
ID: 34097897
Here's the custom group policy you could use to block out USB and cd drives

http://support.microsoft.com/kb/555324
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:carloslaso
ID: 34099052
moon blue69: I already have a 2003 server and seven, vista and XP running, I thought that would not have been posible to implement.

leew: I like that option, I may have to try that if I don't find a custom group policy.

djpazza: I already tried that custom GP but I am having problems with the SD/CF cards
0
 
LVL 2

Assisted Solution

by:mitrum
mitrum earned 200 total points
ID: 34104787
I use  third party product called GFI EndPointSecurity  for the same, but it is not free. One free tool I tried was NetWrix USB Blocker witch provided free of charge (limited 50 managed computers) for use by organizations and individuals.
0
 
LVL 9

Expert Comment

by:djpazza
ID: 34111676
For the other devices how about this:

http://technet.microsoft.com/en-us/library/cc730808%28WS.10%29.aspx

Create a custom class based on the sd/cf guid's
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now