Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Disabling USB drives

  • Filter
  • Time
  • Show
Clear All
new posts

  • Disabling USB drives

    I am trying to create a policy that disables USB drives for SOME users only.

    I've found the .adm (online here) that disables USB drives but it changes settings in the computer configuration section of the GPO and only seems to work if I put a computer account into that OU vs a user account.

    I've put all the computers normally used by the users who are not allowed to use USB drives into an OU and the restriction works perfectly.

    The problem is that if a user who is not allowed to use a USB drive, logs onto someone else's PC who is allowed to use a USB drive, the restriction is not applied.

    Maybe I don't totally understand how GP's are applied. Is the Computer Configuration section of a GP applied only to computer accounts in the OU, and User Configuration section applied only to the user accounts?

    I don't really care if the setting needs to be reset if a restricted user uses a non-restricted user's PC, I can deal with that.

    Any help would be greatly appreciated



  • #2
    Re: Disabling USB drives

    Here's what I did to disable access to USB External Storage. I disabled just the access. if we fully disable usb the mouse and keyboards won't work. it took me some good time to get this worked out, But heres my GPO.

    Put this GPO in OU you want it applied to.

    I did mine under computer level.

    Computer Configuration (Enabled)
    Administrative Templates
    Setting State
    Software\Policies\Microsoft\Windows\RemovableStora geDevices\Deny_Execute 1 > ON
    Software\Policies\Microsoft\Windows\RemovableStora geDevices\Deny_Read 1 > On
    Software\Policies\Microsoft\Windows\RemovableStora geDevicesDeny_Write 1 >On

    Must work. You can try this using a usb drive, the drive will install, but when trying to access it will say access denied and not work.


    • #3
      Re: Disabling USB drives

      install the GPP extensions on each client and manage the group policies using a vista or win7 computer. then you can add registry keys per user to disable/enable USB

      fairly sure this will require a restart before it takes effect though so you may want to test it
      Last edited by Gruelius; 27th October 2011, 00:46.