Solved

Disable USB storage using Windows 2003 AD and Windows 7 clients using Group Policy

Posted on 2011-09-20
7
3,438 Views
Last Modified: 2012-05-12
Hi there,

I want to be able to disable USB storage on Windows 7/XP/2003 machines but the GPO I've found doesn't seem to be working.

http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

These are the two articles I've tried, but it still seems to allow the USB drives.

I've got the GPO applied to computer objects using a Group in AD, but I'm not sure if it shouldn't be aimed at users. I tried with administrator and my account but I still seem to be able to access removable storage.
0
Comment
Question by:Tim Palmer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36571331
Since you have Windows 7 machines you can also use group policy preferences

http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx

Might be a little easier
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 36571363
Firstly, try testing the settings with a normal user with normal permissions.  Also, since this is getting applied to Computers via a Security Group in AD, verify that the Computers needing the policy are members of the group.  Then verify that the GPO is linked to the correct Computers OU and not a Users OU. Remember this isn't a standard group policy template in 2003, and it may act differently than expected.  Also note that Vista and above include a group policy for this, which mean this template will not work for them but the below will.

Then you'll want to update your Domain Schema to 2008 R2 for managing group policy for Windows 7 machines.  The management of these GPO's will need to be performed through the Windows 7 Admin Tools, or you can add a 2008 R2 DC to your domain and manage them from there.

Here's a link discussing the Schema update...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26826544.html?sfQueryTermInfo=1+10+2008+30+r2+yelbaglf

Here's a link to the different group policies available...
http://www.microsoft.com/download/en/details.aspx?id=25250
0
 

Expert Comment

by:Deepshinde123
ID: 36571503
Please check below link you will get some idea.

http://msdn.microsoft.com/en-us/library/bb530324.aspx
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Expert Comment

by:Deepshinde123
ID: 36571509
USB MASS STORAGE Write Protect from GPO.

Copy the below mention code into notepad and save as a "restrictusbdrives.adm" Import into GPO you will get custom option for as makinig usb storage as write protect.

*********************************************************************************************************************************************

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynamewriteprotect
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
EXPLAIN !!explaintextwriteprotect
PART !!labeltextwriteprotect DROPDOWNLIST REQUIRED

VALUENAME "WriteProtect"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 0 DEFAULT
NAME !!Enabled VALUE NUMERIC 1
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Write Protection"
policynamewriteprotect="Write Protect USB Removable Drives"
explaintextwriteprotect="Enfor ces write protection on all USB Removable Drives. \n\nSelect the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nIn order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list."
labeltextwriteprotect="Write Protect USB Removable Drives status"
Enabled="On"
Disabled="Off"
**********************************************************************************************************************************************
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36571815
What I have done in the environment when I implement AD project for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo to DisableUSB OU and usb enabled policy to EnableUSB OU.

Computer OU
--USBEnable
--USBDiable

You have to apply the adm template in the GPO which you have already done.You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB any allow on the above file to enable the USB.I have attached the sample GPO for you reference.
FAN-USBDisable.htm
FAN-USBEnable.htm
0
 
LVL 3

Accepted Solution

by:
Tim Palmer earned 0 total points
ID: 36596415
Thanks for the feedback, however the easier solution for me was to use Kaspersky Enterprise to disable the required devices.

Thank you for the input anyway.
0
 
LVL 3

Author Closing Comment

by:Tim Palmer
ID: 36890342
Didn't use any AD solutions.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question