• Status: Solved

Disabling USB Storage by Group Policy

Points of My Scenario:
1. I am admin of a Windows Server 2003 domain
2. Workstations have Windows XP Pro, SP3
3. I have implemented a group policy to prevent the use of USB storage as per Microsoft KB555324 (http://support.microsoft.com/default.aspx?scid=kb;en-us;555324)
4. It works ONLY if the workstation has been exposed to a USB flash drive and "gpupdate /force" command is executed.
MY CHALLENGE: Although the policy works, it only works to block the same flash drive used to expose the workstation to USB storage (see point #4): other flash drives still have access.
QUESTION: What can I do to ensure the policy blocks all USB storage media?

Asked by: waforbes100

Dr. Klahn (Principal Software Engineer) commented:
A very similar question was asked here September 2008.  The responses seem to parallel what you have already done.

Server has a GPO that does what you want, although I don't know if these policies are available in XP.  Certainly disabling all removable media would do the job, but this would also disable floppy disks, ZIP drives and CD/DVDs.

An alternate possibility is a hardware approach.  Disconnect the front panel USB connector(s) from the motherboard.

waforbes100 (Author) commented:
To DrKlahn: I need to retain USB input capability (e.g. mouse, keyboard). Additionally, I have disabled all media that the policy allows, but the problem persists.

Dr. Klahn (Principal Software Engineer) commented:
Presumably the USB mouse and keyboard are attached through the back panel.  That is why I suggested disconnecting only the front panel USB connectors.

dhanraj114 commented:
I have tried the given KB on my Server 2003 and Windows XP Pro network, but it sometimes blocks and sometimes releases the USBs. More blocking from GP also blocks keyboard, mouse, printer and scanner. I did not succeed with this. Finally I adopted a third-party software named DeviceLock, which is the perfect software for a network. It allows user-based permissions, and users are fetched from the domain. It works fine for me. I suggest you use a third-party software.

waforbes100 (Author) commented:
My solution was to configure GPO to deny access to the USBSTOR.SYS file. In 100% of test workstations it worked!
Question has a verified solution.
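
A read-only check for the two controls discussed in this thread, as an added example that is not part of the original posts: it reports the USBSTOR service `Start` value and any Deny entries on the ACL of usbstor.sys. The function name, the default driver path under %SystemRoot%\system32\drivers, and the assumption that the KB555324 policy works through the service `Start` value are not stated on the page; PowerShell 2.0 or later is assumed on the workstation.

```powershell
# Added example: audit one workstation for USB storage lockdown.
# Assumptions: default driver location; the registry-based policy sets the
# USBSTOR service Start value to 4 (4 = disabled for a Windows service).
function Get-UsbStorLockdownState {
    param(
        [string]$DriverPath = (Join-Path $env:SystemRoot 'system32\drivers\usbstor.sys'),
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    )

    # 1. Service start type. The key can be absent on a machine that has
    #    never had a USB storage device installed.
    $start = $null
    if (Test-Path $ServiceKey) {
        $prop = Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue
        if ($prop) { $start = $prop.Start }
    }

    # 2. Deny entries on the driver file, which is what the accepted
    #    solution relies on.
    $driverPresent = Test-Path $DriverPath
    $denied = @()
    $aclReadable = $false
    if ($driverPresent) {
        try {
            $acl = Get-Acl -Path $DriverPath -ErrorAction Stop
            $aclReadable = $true
            $denied = @($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights })
        } catch {
            # A Deny entry that covers the auditing account can make the ACL unreadable.
            $denied = @('ACL could not be read: ' + $_.Exception.Message)
        }
    }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        ServiceKeyFound = ($start -ne $null)
        ServiceStart    = $start
        ServiceDisabled = ($start -eq 4)
        DriverPresent   = $driverPresent
        AclReadable     = $aclReadable
        DenyEntries     = $denied
    }
}

Get-UsbStorLockdownState | Format-List
```

Running it before and after `gpupdate /force`, and again after plugging in a flash drive the workstation has not seen before, shows whether either control is still in place at each step.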