Solved

Disable USB storage using Windows 2003 AD and Windows 7 clients using Group Policy

Posted on 2011-09-20
Last Modified: 2012-05-12
Hi there,

I want to be able to disable USB storage on Windows 7/XP/2003 machines but the GPO I've found doesn't seem to be working.

http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

These are the two articles I've tried, but it still seems to allow the USB drives.

I've got the GPO applied to computer objects using a Group in AD, but I'm not sure if it shouldn't be aimed at users. I tried with administrator and my account but I still seem to be able to access removable storage.
0
Comment
Question by:Tim Palmer
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36571331
Since you have Windows 7 machines you can also use group policy preferences

http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx

Might be a little easier
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 36571363
Firstly, try testing the settings with a normal user with normal permissions. Also, since this is getting applied to Computers via a Security Group in AD, verify that the Computers needing the policy are members of the group. Then verify that the GPO is linked to the correct Computers OU and not a Users OU. Remember this isn't a standard group policy template in 2003, and it may act differently than expected. Also note that Vista and above include a group policy for this, which means this template will not work for them but the below will.

Then you'll want to update your Domain Schema to 2008 R2 for managing group policy for Windows 7 machines. The management of these GPOs will need to be performed through the Windows 7 Admin Tools, or you can add a 2008 R2 DC to your domain and manage them from there.

Here's a link discussing the Schema update...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26826544.html?sfQueryTermInfo=1+10+2008+30+r2+yelbaglf

Here's a link to the different group policies available...
http://www.microsoft.com/download/en/details.aspx?id=25250
0
 

Expert Comment

by:Deepshinde123
ID: 36571503
Please check the link below; you will get some idea.

http://msdn.microsoft.com/en-us/library/bb530324.aspx
0

 

Expert Comment

by:Deepshinde123
ID: 36571509
USB MASS STORAGE Write Protect from GPO.

Copy the code below into Notepad and save it as "restrictusbdrives.adm". Import it into the GPO and you will get a custom option for making USB storage write protected.

*********************************************************************************************************************************************

; Computer-side (HKLM) policy: applies to the machine, not to the logged-on user.
CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname
    POLICY !!policynamewriteprotect
      ; This key lies outside the Policies branches of the registry, so the
      ; Group Policy editor treats the setting as an unmanaged preference and
      ; hides it until the "Only show policy settings that can be fully
      ; managed" filter is cleared.
      KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
      EXPLAIN !!explaintextwriteprotect
      PART !!labeltextwriteprotect DROPDOWNLIST REQUIRED
        ; WriteProtect = 1 makes USB removable drives read-only, 0 allows writes.
        VALUENAME "WriteProtect"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 0 DEFAULT
          NAME !!Enabled VALUE NUMERIC 1
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Write Protection"
policynamewriteprotect="Write Protect USB Removable Drives"
explaintextwriteprotect="Enforces write protection on all USB Removable Drives. \n\nSelect the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nIn order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list."
labeltextwriteprotect="Write Protect USB Removable Drives status"
Enabled="On"
Disabled="Off"
**********************************************************************************************************************************************
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36571815
Here is what I have done in my environment when implementing an AD project, for easy manageability of the USB group policy. I created a Computer OU and, in the same OU, created two sub-OUs (EnableUSB and DisableUSB), then applied the USB disable GPO to the DisableUSB OU and the USB enable policy to the EnableUSB OU.

Computer OU
--USBEnable
--USBDisable

You have to apply the ADM template in the GPO, which you have already done. You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB, and allow on the above files to enable the USB. I have attached the sample GPO for your reference.
FAN-USBDisable.htm
FAN-USBEnable.htm
0
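
A check that the settings discussed in the answers above actually reached a client, as an added example that is not part of any post in this thread. It reads the `WriteProtect` value set by the ADM template, looks for deny entries on `usbstor.inf` and `usbstor.PNF`, and also reads the `USBSTOR` driver's `Start` value; the function name, the `%SystemRoot%\inf` location and the `USBSTOR` service key are assumptions that the thread does not state.

```powershell
# Added example (not from the thread). Run in an elevated prompt on the client,
# after the GPO has refreshed and the machine has rebooted.
function Get-UsbStorageLockdown {
    $state = New-Object PSObject -Property @{
        WriteProtect = $null   # 1 = removable drives are read-only (ADM above)
        UsbStorStart = $null   # 4 = driver disabled, 3 = loaded on demand
        DenyAces     = @()     # deny entries found on usbstor.inf / usbstor.PNF
    }

    $sdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    if (Test-Path $sdp) {
        $state.WriteProtect = (Get-ItemProperty -Path $sdp).WriteProtect
    }

    # Assumption: the driver's service key, which is not quoted in the thread.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    if (Test-Path $svc) {
        $state.UsbStorStart = (Get-ItemProperty -Path $svc).Start
    }

    # Assumption: the driver files sit in the default %SystemRoot%\inf folder.
    foreach ($name in 'usbstor.inf', 'usbstor.PNF') {
        $file = Join-Path $env:SystemRoot "inf\$name"
        if (-not (Test-Path $file)) { continue }
        $deny = @((Get-Acl -Path $file).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' })
        foreach ($ace in $deny) {
            $state.DenyAces += "$name -> $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
    return $state
}

$s = Get-UsbStorageLockdown
$active = @()
if ($s.WriteProtect -eq 1)   { $active += 'write protection (WriteProtect = 1)' }
if ($s.UsbStorStart -eq 4)   { $active += 'USBSTOR driver disabled (Start = 4)' }
if ($s.DenyAces.Count -gt 0) { $active += 'deny ACE on usbstor.inf/.PNF' }

$s | Format-List
if ($active.Count -eq 0) {
    'No USB storage restriction has reached this machine; check GPO scope with gpresult.'
} else {
    "Active controls: $($active -join '; ')"
}
```

Any one of the three controls may be the one a given GPO sets, so an empty result for the other two is expected.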
 
LVL 3

Accepted Solution

by:
Tim Palmer earned 0 total points
ID: 36596415
Thanks for the feedback, however the easier solution for me was to use Kaspersky Enterprise to disable the required devices.

Thank you for the input anyway.
0
 
LVL 3

Author Closing Comment

by:Tim Palmer
ID: 36890342
Didn't use any AD solutions.
0
