[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3680
  • Last Modified:

Disable USB storage using Windows 2003 AD and Windows 7 clients using Group Policy

Hi there,

I want to be able to disable USB storage on Windows 7/XP/2003 machines but the GPO I've found doesn't seem to be working.

http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

These are the two articles I've tried, but it still seems to allow the USB drives.

I've got the GPO applied to computer objects using a Group in AD, but I'm not sure if it shouldn't be aimed at users. I tried with administrator and my account but I still seem to be able to access removable storage.
0
Tim Palmer
Asked:
Tim Palmer
1 Solution
 
Mike KlineCommented:
Since you have Windows 7 machines you can also use group policy preferences

http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx

Might be a little easier
0
 
yelbaglfCommented:
Firstly, try testing the settings with a normal user with normal permissions.  Also, since this is getting applied to Computers via a Security Group in AD, verify that the Computers needing the policy are members of the group.  Then verify that the GPO is linked to the correct Computers OU and not a Users OU. Remember this isn't a standard group policy template in 2003, and it may act differently than expected.  Also note that Vista and above include a group policy for this, which mean this template will not work for them but the below will.

Then you'll want to update your Domain Schema to 2008 R2 for managing group policy for Windows 7 machines.  The management of these GPO's will need to be performed through the Windows 7 Admin Tools, or you can add a 2008 R2 DC to your domain and manage them from there.

Here's a link discussing the Schema update...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26826544.html?sfQueryTermInfo=1+10+2008+30+r2+yelbaglf

Here's a link to the different group policies available...
http://www.microsoft.com/download/en/details.aspx?id=25250
0
 
Deepshinde123Commented:
Please check below link you will get some idea.

http://msdn.microsoft.com/en-us/library/bb530324.aspx
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
Deepshinde123Commented:
USB MASS STORAGE Write Protect from GPO.

Copy the below mention code into notepad and save as a "restrictusbdrives.adm" Import into GPO you will get custom option for as makinig usb storage as write protect.

*********************************************************************************************************************************************

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynamewriteprotect
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
EXPLAIN !!explaintextwriteprotect
PART !!labeltextwriteprotect DROPDOWNLIST REQUIRED

VALUENAME "WriteProtect"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 0 DEFAULT
NAME !!Enabled VALUE NUMERIC 1
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Write Protection"
policynamewriteprotect="Write Protect USB Removable Drives"
explaintextwriteprotect="Enfor ces write protection on all USB Removable Drives. \n\nSelect the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nIn order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list."
labeltextwriteprotect="Write Protect USB Removable Drives status"
Enabled="On"
Disabled="Off"
**********************************************************************************************************************************************
0
 
SandeshdubeyCommented:
What I have done in the environment when I implement AD project for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo to DisableUSB OU and usb enabled policy to EnableUSB OU.

Computer OU
--USBEnable
--USBDiable

You have to apply the adm template in the GPO which you have already done.You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB any allow on the above file to enable the USB.I have attached the sample GPO for you reference.
FAN-USBDisable.htm
FAN-USBEnable.htm
0
 
Tim PalmerLevel 3 Escalation TechAuthor Commented:
Thanks for the feedback, however the easier solution for me was to use Kaspersky Enterprise to disable the required devices.

Thank you for the input anyway.
0
 
Tim PalmerLevel 3 Escalation TechAuthor Commented:
Didn't use any AD solutions.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now