HOW TO disable USB drives via group policy
Disabling USB drives is a popular measure in security-sensitive organizations nowadays, given the daily appearance of new virus threats and the need to maintain organizational confidentiality. End users use their USB drives and flash drives to copy data to and from the business PC, in turn infecting it with viruses or copying critical organizational data.
In this article we will see how to disable USB drives via Group Policy in Windows 2003 Active Directory. "USB drives" here means USB storage only, not the USB port, so USB keyboards and mice will still work fine.
Since this is a special requirement, you need to extend an existing Group Policy object by using a custom administrative template file (.adm) and apply it to the respective OU containing the computer accounts.
Follow the steps below:
- Copy the custom administrative template (.adm) file to the %systemroot%\inf folder on a domain controller.
- Create a new or edit existing group policy object linked to the OU of interest or at the domain level (OU containing machines where you want to set the registry).
- Right-click ‘Administrative Templates’ under Computer Configuration and select ‘Add/Remove Templates…’
- Add the “DisableDrives and Write protect USB.adm” file (from %systemroot%\inf)
- You should now see “Restrict Drives” under Computer Configuration\Administrative Templates
- (on Windows 2000 DC) From the View menu uncheck ‘View policies only’
- (on Windows Server 2003 DC) From View menu, click “Filtering” and uncheck “Only show policy settings that can be fully managed”.
- Now you will see policy setting “Disable the USB Drive” under “Restrict Drives”, which you can enable to apply the registry setting.
Note: I have also included some other policies in this ADM file to disable the CDROM or Floppy disks along with a policy that will make the USB storage disks “write protected”.
Custom .adm file
CLASS MACHINE
CATEGORY !!categoryname
; Start = 4 marks the driver service as disabled
POLICY !!policyname1
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
VALUENAME "Start"
VALUEON NUMERIC 4
VALUEOFF NUMERIC 1
END POLICY
POLICY !!policyname2
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
VALUENAME "Start"
VALUEON NUMERIC 4
VALUEOFF NUMERIC 3
END POLICY
POLICY !!policyname3
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
VALUENAME "Start"
VALUEON NUMERIC 4
VALUEOFF NUMERIC 3
END POLICY
; WriteProtect = 1 makes USB storage disks read-only
POLICY !!policyname4
KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
VALUENAME "WriteProtect"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
categoryname="Restrict Drives"
policyname1="Disable the CDROM Drive"
policyname2="Disable the USB Drive"
policyname3="Disable the Floppy Drive"
policyname4="Write Protect all USB Drives"
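To confirm on a client that the policy has applied, the four registry values written by the template can be read back. The script below is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later on the machine being checked and treats the template's VALUEON numbers as the expected state.

```powershell
# Added example: audit the registry values managed by the custom .adm template.
# Expected numbers are the VALUEON entries from the template (all four policies enabled).
$checks = @(
    @{ Policy = 'Disable the CDROM Drive'
       Key = 'SYSTEM\CurrentControlSet\Services\Cdrom'
       Name = 'Start'; Expected = 4 },
    @{ Policy = 'Disable the USB Drive'
       Key = 'SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Expected = 4 },
    @{ Policy = 'Disable the Floppy Drive'
       Key = 'SYSTEM\CurrentControlSet\Services\Flpydisk'
       Name = 'Start'; Expected = 4 },
    @{ Policy = 'Write Protect all USB Drives'
       Key = 'System\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    $path = "HKLM:\$($c.Key)"
    # A missing key or value means the policy has not written the setting.
    $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }

    New-Object PSObject -Property @{
        Policy    = $c.Policy
        Value     = "$($c.Key)\$($c.Name)"
        Expected  = $c.Expected
        Actual    = $actual
        Compliant = ($actual -eq $c.Expected)
    }
}

# Fixed column order for readability (hashtable order is not preserved).
$results | Select-Object Policy, Value, Expected, Actual, Compliant | Format-List

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $($checks.Count) drive restrictions are not in the enabled state."
} else {
    Write-Output 'All drive restrictions from the template are in the enabled state.'
}
```

If only some of the four policies are enabled in the GPO, remove the other entries from `$checks` before running the script.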
Author: Jalal Khan

