Solved

Disable USB storage using Windows 2003 AD and Windows 7 clients using Group Policy

Posted on 2011-09-20
Last Modified: 2012-05-12
Hi there,

I want to be able to disable USB storage on Windows 7/XP/2003 machines but the GPO I've found doesn't seem to be working.

http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

These are the two articles I've tried, but it still seems to allow the USB drives.

I've got the GPO applied to computer objects using a Group in AD, but I'm not sure if it shouldn't be aimed at users. I tried with administrator and my account but I still seem to be able to access removable storage.
Question by:Tim Palmer
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36571331
Since you have Windows 7 machines you can also use group policy preferences

http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx

Might be a little easier
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 36571363
Firstly, try testing the settings with a normal user with normal permissions. Also, since this is getting applied to Computers via a Security Group in AD, verify that the Computers needing the policy are members of the group. Then verify that the GPO is linked to the correct Computers OU and not a Users OU. Remember this isn't a standard group policy template in 2003, and it may act differently than expected. Also note that Vista and above include a group policy for this, which means this template will not work for them but the below will.

Then you'll want to update your Domain Schema to 2008 R2 for managing group policy for Windows 7 machines. The management of these GPOs will need to be performed through the Windows 7 Admin Tools, or you can add a 2008 R2 DC to your domain and manage them from there.

Here's a link discussing the Schema update...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26826544.html?sfQueryTermInfo=1+10+2008+30+r2+yelbaglf

Here's a link to the different group policies available...
http://www.microsoft.com/download/en/details.aspx?id=25250
0
 

Expert Comment

by:Deepshinde123
ID: 36571503
Please check the link below; you will get some idea.

http://msdn.microsoft.com/en-us/library/bb530324.aspx
0

Expert Comment

by:Deepshinde123
ID: 36571509
USB MASS STORAGE Write Protect from GPO.

Copy the code below into Notepad and save it as "restrictusbdrives.adm". Import it into the GPO and you will get a custom option for making USB storage write-protected.

*********************************************************************************************************************************************

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynamewriteprotect
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
EXPLAIN !!explaintextwriteprotect
PART !!labeltextwriteprotect DROPDOWNLIST REQUIRED

VALUENAME "WriteProtect"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 0 DEFAULT
NAME !!Enabled VALUE NUMERIC 1
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Write Protection"
policynamewriteprotect="Write Protect USB Removable Drives"
explaintextwriteprotect="Enforces write protection on all USB Removable Drives. \n\nSelect the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nIn order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list."
labeltextwriteprotect="Write Protect USB Removable Drives status"
Enabled="On"
Disabled="Off"
**********************************************************************************************************************************************
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36571815
What I have done in the environment when I implemented an AD project, for easy manageability of the USB group policy: created a Computer OU, and in the same OU created two sub-OUs (EnableUSB and DisableUSB), and applied the USB disable GPO to the DisableUSB OU and the USB enable policy to the EnableUSB OU.

Computer OU
--USBEnable
--USBDisable

You have to apply the ADM template in the GPO, which you have already done. You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB, and allow on the above files to enable the USB. I have attached the sample GPO for your reference.
FAN-USBDisable.htm
FAN-USBEnable.htm
0
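A way to check on a client which of the restrictions from the two answers above (the WriteProtect value set by restrictusbdrives.adm, and the deny permissions on usbstor.inf and usbstor.PNF) actually took effect. This is an added example, not part of any poster's reply: the function names are hypothetical, the `%windir%\inf` location of the two files is assumed, and the USBSTOR service `Start` check is an assumption about what a driver-disabling template sets, since that key is not shown on this page.

```powershell
# Added example: report which USB-storage restrictions are in effect on this machine.
# Run locally from an elevated prompt after "gpupdate /force" and a reboot.

function Get-RegDword($Path, $Name) {
    # Returns the value, or $null when the key or value is absent (policy never applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Result($Check, $Value, $Enforced) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Enforced = $Enforced }
}

function Test-UsbStorageLockdown {
    $results = @()

    # 1. Value written by the restrictusbdrives.adm template (1 = On, 0 = Off).
    $wp = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' 'WriteProtect'
    $results += New-Result 'StorageDevicePolicies\WriteProtect' $wp ($wp -eq 1)

    # 2. USB mass-storage driver start type (assumed check, key not shown on this page).
    #    4 means the driver is disabled; 3 is the normal on-demand setting.
    $start = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $results += New-Result 'Services\USBSTOR\Start' $start ($start -eq 4)

    # 3. Deny entries on the driver install files (file location assumed: %windir%\inf).
    foreach ($file in 'usbstor.inf', 'usbstor.PNF') {
        $path = Join-Path $env:windir "inf\$file"
        if (-not (Test-Path $path)) {
            $results += New-Result "ACL $file" 'file not found' $false
            continue
        }
        $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
        if (-not $acl) {
            $results += New-Result "ACL $file" 'ACL unreadable' $false
            continue
        }
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        $who  = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        $results += New-Result "ACL $file" "Deny: $who" ($deny.Count -gt 0)
    }
    $results
}

Test-UsbStorageLockdown | Format-Table Check, Value, Enforced -AutoSize
```

An empty Value for a registry check means the key or value does not exist, which points at the GPO not reaching the computer (group membership, OU link) rather than at the setting itself.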
 
LVL 3

Accepted Solution

by:
Tim Palmer earned 0 total points
ID: 36596415
Thanks for the feedback, however the easier solution for me was to use Kaspersky Enterprise to disable the required devices.

Thank you for the input anyway.
0
 
LVL 3

Author Closing Comment

by:Tim Palmer
ID: 36890342
Didn't use any AD solutions.
0
