Solved

Disable USB storage using Windows 2003 AD and Windows 7 clients using Group Policy

Posted on 2011-09-20
7
3,508 Views
Last Modified: 2012-05-12
Hi there,

I want to be able to disable USB storage on Windows 7/XP/2003 machines but the GPO I've found doesn't seem to be working.

http://support.microsoft.com/default.aspx?scid=kb;en-us;555324
http://www.petri.co.il/disable_usb_disks_with_gpo.htm

These are the two articles I've tried, but it still seems to allow the USB drives.

I've got the GPO applied to computer objects using a Group in AD, but I'm not sure if it shouldn't be aimed at users. I tried with administrator and my account but I still seem to be able to access removable storage.
0
Comment
Question by:Tim Palmer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36571331
Since you have Windows 7 machines you can also use group policy preferences

http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx

Might be a little easier
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 36571363
Firstly, try testing the settings with a normal user with normal permissions.  Also, since this is getting applied to Computers via a Security Group in AD, verify that the Computers needing the policy are members of the group.  Then verify that the GPO is linked to the correct Computers OU and not a Users OU. Remember this isn't a standard group policy template in 2003, and it may act differently than expected.  Also note that Vista and above include a group policy for this, which mean this template will not work for them but the below will.

Then you'll want to update your Domain Schema to 2008 R2 for managing group policy for Windows 7 machines.  The management of these GPO's will need to be performed through the Windows 7 Admin Tools, or you can add a 2008 R2 DC to your domain and manage them from there.

Here's a link discussing the Schema update...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26826544.html?sfQueryTermInfo=1+10+2008+30+r2+yelbaglf

Here's a link to the different group policies available...
http://www.microsoft.com/download/en/details.aspx?id=25250
0
 

Expert Comment

by:Deepshinde123
ID: 36571503
Please check below link you will get some idea.

http://msdn.microsoft.com/en-us/library/bb530324.aspx
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Expert Comment

by:Deepshinde123
ID: 36571509
USB MASS STORAGE Write Protect from GPO.

Copy the below mention code into notepad and save as a "restrictusbdrives.adm" Import into GPO you will get custom option for as makinig usb storage as write protect.

*********************************************************************************************************************************************

CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynamewriteprotect
KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
EXPLAIN !!explaintextwriteprotect
PART !!labeltextwriteprotect DROPDOWNLIST REQUIRED

VALUENAME "WriteProtect"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 0 DEFAULT
NAME !!Enabled VALUE NUMERIC 1
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Write Protection"
policynamewriteprotect="Write Protect USB Removable Drives"
explaintextwriteprotect="Enfor ces write protection on all USB Removable Drives. \n\nSelect the ENABLED radiobox, then select ON for the Write Protect USB Removable Drives status in the drop-down list. \n\nIn order to disable write protection on USB Removable Drives select OFF for the Write Protect USB Removable Drives status in the drop-down list."
labeltextwriteprotect="Write Protect USB Removable Drives status"
Enabled="On"
Disabled="Off"
**********************************************************************************************************************************************
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36571815
What I have done in the environment when I implement AD project for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo to DisableUSB OU and usb enabled policy to EnableUSB OU.

Computer OU
--USBEnable
--USBDiable

You have to apply the adm template in the GPO which you have already done.You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB any allow on the above file to enable the USB.I have attached the sample GPO for you reference.
FAN-USBDisable.htm
FAN-USBEnable.htm
0
 
LVL 3

Accepted Solution

by:
Tim Palmer earned 0 total points
ID: 36596415
Thanks for the feedback, however the easier solution for me was to use Kaspersky Enterprise to disable the required devices.

Thank you for the input anyway.
0
 
LVL 3

Author Closing Comment

by:Tim Palmer
ID: 36890342
Didn't use any AD solutions.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ready for our next Course of the Month? Here's what's on tap for June.
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question