Solved

gpo

Posted on 2011-03-18
13
191 Views
Last Modified: 2012-05-11
Hi I am using a windows 2003 domain, I have a about 100 computers on my domain. I want to prevent my users from using USB removable disks on their computers. I want this to be done using Group Policy, but I am not too sure how to go about doing this? Help please. Thanks.
0
Comment
Question by:gmollineau
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 3
13 Comments
 
LVL 9

Accepted Solution

by:
meko72 earned 250 total points
ID: 35168665
0
 
LVL 6

Expert Comment

by:Lee_YCP
ID: 35168694
what skill level are you working with?  i.e. Have you ever created a GPO before?
0
 

Author Comment

by:gmollineau
ID: 35168903
Hi, No. But i have an idea from the reading I did.
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 6

Assisted Solution

by:Lee_YCP
Lee_YCP earned 250 total points
ID: 35169050
Meko72 pretty much hit it on the head with his two links.

An alternative to using the ADM file would be to use a GPO to change a registry entry at HKLM\System\CurrentControlSet\Services\USBSTOR\"Start"=dword:00000003  or  4

see
http://support.microsoft.com/kb/823732 

Does this answer your question?
0
 

Author Comment

by:gmollineau
ID: 35171697
Meko 72:  I used the microsoft article above and created the .adm file. I copied the .adm file  to the path c:\winnt\inf on the server running the group policy management. What do I do next I am unsure. I created an OU with a few computers in it, these are the computers I want to control in terms of blocking the usb.

0
 

Author Comment

by:gmollineau
ID: 35180038
When I add the template, I am not seeing the settings, it is showing blank.I keep getting event ids 1030, 1058 on my server.
0
 

Author Comment

by:gmollineau
ID: 35183014
Ok i eventually got rid of the event ids, and I am now seeing the settings. I configured the disable usb setting as enabled, and the disable usb ports as disabled. I then linked and enforced this gpo to an OU. When I tested it on a computer I can still see my usb drive. Any suggestions?
0
 
LVL 9

Expert Comment

by:meko72
ID: 35183702
Can you access the USB device?
0
 

Author Comment

by:gmollineau
ID: 35184115
yes i can, I can copy a document to it.
0
 
LVL 9

Expert Comment

by:meko72
ID: 35190482
Have you ran gpupdate/force from the command line on the server?
0
 

Author Comment

by:gmollineau
ID: 35190608
yes I did.  I ran it on both the server and the few computers I am testing.
0
 

Author Comment

by:gmollineau
ID: 35198898
Lee Ycp: The article you posted above, can I put this registry change in a script or any other format in a gpo and link it to an OU?
0
 
LVL 6

Expert Comment

by:Lee_YCP
ID: 35218044
You can create the registry change directly in the GPO.
Open GPMC.
Create a new GPO.
Edit it. (right-click/Edit)
Navigate to Computer Configuration/Preferences/Windows Settings/Registry.
Right click in the right column and select "New/Registry Item"
Navigate to HKLM\System\CurrentControlSet\Services\USBSTOR\Start
Change the Value Data from "00000003" to "00000004" and click "OK".
CLose the GPME.
In the GPMC, link the GPO to your test OU.
Reboot or Run a force update on the test client.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question