+ Reply to Thread
Results 1 to 2 of 2

Thread: USB Storage Devices

  1. #1
    jwilliams is offline Getting Started on GPanswers.com
    Join Date
    Dec 1969
    Posts
    4

    Default

    I know I am new to GP, but I am really puzzled. I have been able to set
    up many GPO to control how the users can use their PCs very
    successfully, but am stymied about this one issue. USB Storage use!
    I have been trying to shut down USB Storage use for some time with GP,
    but to no avail. I have created a No USB GPO with the .adm templates
    from several downloads, but whenever I attach it to a OU in the Active
    Directory, it does NOT prevent the USB sticks from working! If I go to
    the PC and edit the Registry manually, I can shut down its use. Not
    what I want to do. Attached are the adm file and GPO that I have
    created. Can you simply tell me where my logic is in error? Hopefully,
    it is obvious to someone else, but I am going blind.
    Thanks for any help,
    Jim

    ***********************************
    CLASS MACHINE
    CATEGORY !!category
    CATEGORY !!categoryname
    POLICY !!policynameusb
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    EXPLAIN !!explaintextusb
    PART !!labeltextusb DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    POLICY !!policynamecd
    KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
    EXPLAIN !!explaintextcd
    PART !!labeltextcd DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 1 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    POLICY !!policynameflpy
    KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
    EXPLAIN !!explaintextflpy
    PART !!labeltextflpy DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    POLICY !!policynamels120
    KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
    EXPLAIN !!explaintextls120
    PART !!labeltextls120 DROPDOWNLIST REQUIRED

    VALUENAME "Start"
    ITEMLIST
    NAME !!Disabled VALUE NUMERIC 3 DEFAULT
    NAME !!Enabled VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY
    END CATEGORY
    END CATEGORY

    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB Removable Drives"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list. \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list."
    explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the cdrom.sys driver status in the drop-down list."
    explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the flpydisk.sys driver status in the drop-down list."
    explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the sfloppy.sys driver status in the drop-down list."
    labeltextusb="usbstore.sys driver status"
    labeltextcd="cdrom.sys driver status"
    labeltextflpy="flpydisk.sys driver status"
    labeltextls120="sfloppy.sys driver status"
    Enabled="Stopped"
    Disabled="Started"
    **********************************

  2. #2
    Robert_IT is offline Getting Started on GPanswers.com
    Join Date
    Feb 2010
    Posts
    1

    Default ADM Templates / Disable USB

    I will assume your machines are capable of having the ADM templates applied. With that said, read this support KB from Microsoft and ensure you have verified you have things setup as suggested.

    Recommendations for managing Group Policy administrative template (.adm) files - ADM template article

    What your trying to accomplish is not easy to manage, audit, or verify that it has applied successfully. Disabling USBs is one thing, but tracking whose plugging in the devices is quite another.

    Even with Windows 7 and newer group policy in Windows 2008 R2 this task is better left to third party tools. Microsoft does not have any interface to easily control and manage this option.

+ Reply to Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Search Engine Friendly URLs by vBSEO