disabling USB for certain users only via GPO


  • disabling USB for certain users only via GPO

    The procedures for disabling USB sticks, floppy drives etc. are well documented. However, the custom ADM template applies only to computers. We have a requirement to allow certain individuals within the company access to these devices regardless of which computer they log on to. Security group filtering and WMI scripting do not fit the bill. I know there are third-party tools, but before going down this, I suspect inevitable, road I would appreciate the collective wisdom of this forum in assisting me.

    Thanks in advance

  • #2
    Re: disabling USB for certain users only via GPO

    Originally posted by agedmcse
    The procedures for disabling USB sticks, floppy drives etc. are well documented. However, the custom ADM template applies only to computers. We have a requirement to allow certain individuals within the company access to these devices regardless of which computer they log on to. Security group filtering and WMI scripting do not fit the bill. I know there are third-party tools, but before going down this, I suspect inevitable, road I would appreciate the collective wisdom of this forum in assisting me.

    Thanks in advance
    Add a user GPO that applies this registry key. If you adjust the priority and enforce the user GPO, it should override the ADM template.
    Excerpts taken from: http://blogs.technet.com/danstolts/a...eferences.aspx, see the link for more detail.

    Code:
    HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start
    Disabled = 4
    Enabled = 3
    You could also alternatively use this method instead of the adm template for everyone and apply a different version for the users you want to have access no matter what.

    "User Configuration > Preferences > Windows Settings > Registry" Add a new entry.
    Code:
    Action: Replace 
    Hive: HKEY_LOCAL_MACHINE 
    Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR 
    Value Name: Start 
    Value Type: REG_DWORD 
    Value Data: 4
    Also, add "%SystemRoot%\inf\usbstor.inf" and "%SystemRoot%\inf\usbstor.pnf" to "Computer Configuration > Policies > Windows Settings > Security Settings > File System" to disable access to the files so users can't double-click the inf file to install the driver.
    Last edited by ahinson; 25th February 2009, 15:59.
    Andrew

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: disabling USB for certain users only via GPO

      Hi,
      Thanks for the valuable advice. In the end I went down the route suggested in the Dan Stolts blog and installed Group Policy Client Side Extensions on the XP workstations using WSUS.
      Unfortunately I was unable to toggle between enable/disable, as net start usbstor errored for Allow group user. My workaround was to create 2 Registry Items within the GPO at User Configuration\Preferences\Windows Settings\Registry. The first with a value of 4 targeting the Deny security group I created. The second with a value of 3 targeting the Allow security group I created. Both of these groups populated the GPO at Computer Configuration\Windows Settings\Security Settings\File System\Object name with explicit deny for the Deny Group and explicit allow for the Allow Group.
      I shall be expanding the area of control to a small test group within the company to see if there are any further issues. Thanks again.
      Last edited by agedmcse; 27th February 2009, 17:47.


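A read-only check of the end state described in posts #2 and #3, as an added example that is not part of the original thread: it reports the USBSTOR Start value and any ACEs on the driver files for the two security groups. The group names are hypothetical placeholders, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the USB storage lockdown discussed in this thread.
# The group names below are hypothetical placeholders, not taken from the thread.
param(
    [string]$DenyGroup  = 'EXAMPLE\USB-Deny',
    [string]$AllowGroup = 'EXAMPLE\USB-Allow'
)

function Get-UsbStorStartState {
    # USBSTOR\Start is an HKLM value, so it is machine-wide: the last policy
    # run that wrote it sets the state for every session on the workstation.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    $meaning = switch ($start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { 'Unexpected value' }
    }
    [pscustomobject]@{ Start = $start; Meaning = $meaning }
}

function Get-UsbStorDriverFileAcl {
    param([string[]]$Groups)
    foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
        $path = Join-Path $env:SystemRoot "inf\$name"
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ File = $path; Identity = $null; Type = 'FileMissing'; Rights = $null }
            continue
        }
        # Keep only the ACEs that name one of the two groups being audited.
        $rules = @((Get-Acl -Path $path).Access |
            Where-Object { $Groups -contains $_.IdentityReference.Value })
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ File = $path; Identity = $null; Type = 'NoMatchingAce'; Rights = $null }
        }
        foreach ($rule in $rules) {
            [pscustomobject]@{
                File     = $path
                Identity = $rule.IdentityReference.Value
                Type     = $rule.AccessControlType    # Allow or Deny
                Rights   = $rule.FileSystemRights
            }
        }
    }
}

Get-UsbStorStartState | Format-List
Get-UsbStorDriverFileAcl -Groups $DenyGroup, $AllowGroup | Format-Table -AutoSize
```

Run it on a test workstation after each group's users log on and refresh policy; a Start value that does not match the current user's group, or a NoMatchingAce row, means the corresponding GPO setting did not apply.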

      • #4
        Re: disabling USB for certain users only via GPO

        Cool. Dan's website was informative for me as well. Hopefully it all works out.
        Cheers!
        Andrew
