Solved

Prevent people from using USB storage drives on a domain.

Posted on 2010-11-09
6
1,223 Views
Last Modified: 2012-05-10
I am looking for a custom Group Policy to prevent people from plugging USB flash drives, portable hard drives and Media Card Readers to transfer data from and to my windows machines managed on a windows 2003 domain.

I manage 20 machines, 13 are Windows XP, 5 are Windows Seven and 2 are Windows Vista. I'm trying to setup a custom Group Policy that disables:

USB flash drives
USB portable hard drives
Removable media cards (SD, CF) or USB card readers

...without disabling document scanners or printers or any other USB devices.

I already tried...

(("Open registry and navigate to the following registry key:
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\UsbStor
 
Now in the right pane, double-click Start and type 4 in the Value data box (Hexadecimal) and quite the registry editor. To enable the USB storage devices, change the Start value back to 3."))

... but I saw that it only disables portable USB hard drives, it does not disable reading from SD cards and I think it may have to be done on each machine.

Is there a problem when trying to set up group policies on a windows 2003 server to enable them on different windows clients (seven, vista and XP)?
0
Comment
Question by:carloslaso
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34097686
There is nothing wrong in trying it on server 2003 as long as it doesnt disrupt users. put a test machine or user in an OU create new policy link it to the OU. do gpupdate /force on client to see the immediate effetcs good luck
0
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 300 total points
ID: 34097770
A potentially easier, more comprehensive solution is to use a third party product like DriveLock - I have it at an attorney client I have and they like it.  Depending on who you log in as, they have the ability to copy everything they want to any USB device they want (the partners) OR they are denied access to copy the data to USB, CD, DVD, etc if they are the staff.  I believe DriveLock offers a trial and is AD based.
0
 
LVL 9

Expert Comment

by:djpazza
ID: 34097897
Here's the custom group policy you could use to block out USB and cd drives

http://support.microsoft.com/kb/555324
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:carloslaso
ID: 34099052
moon blue69: I already have a 2003 server and seven, vista and XP running, I thought that would not have been posible to implement.

leew: I like that option, I may have to try that if I don't find a custom group policy.

djpazza: I already tried that custom GP but I am having problems with the SD/CF cards
0
 
LVL 2

Assisted Solution

by:mitrum
mitrum earned 200 total points
ID: 34104787
I use  third party product called GFI EndPointSecurity  for the same, but it is not free. One free tool I tried was NetWrix USB Blocker witch provided free of charge (limited 50 managed computers) for use by organizations and individuals.
0
 
LVL 9

Expert Comment

by:djpazza
ID: 34111676
For the other devices how about this:

http://technet.microsoft.com/en-us/library/cc730808%28WS.10%29.aspx

Create a custom class based on the sd/cf guid's
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question