Hi Ray,
I'll definitely try out your suggestion.
Presently these devices are disabled via Device Manager. But we are getting USB Pen Tablets, so obviously our present blocking method won't do. I liked the Sanctuary Device Control solution, suggested by Tim, but getting the finance people to spend on it will take some convincing as this comes outside budget!
That's why we are looking for a GPO solution.
I'll let you know in a couple of days' time...
regards Ananth.
Hi Anth
Depending on how you disabled the devices initially, I would just have the counteractions within login scripts. I had a similar scenario last year and I basically created two Login scripts – one for administrators (unrestricted) and one for Users (restricted)… Each script then points to an additional .reg file. For additional security, changing the permissions for the USBSTOR also came in handy although you will need to download SubInAcl.exe for this.
Here is an example....
*To Restrict*
First of all, create a .reg file and copy the following information:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
Now save the file into an accessible location – we'll use *C:\dword4.reg* in this example. Once you have obtained the SubInAcl file, I would position this in the same directory.
Within the logon script, type the following:
:: *********DISABLE USB MASS STORAGE DEVICE*********
regedit /s "\\SERVER\C$\dword4.reg"
"\\SERVER\C$\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /deny=system

*To Enable*
Again, create a .reg file and include the following:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
Save this file into an accessible location again – we'll use *C:\dword3.reg* in this example.
:: *********ENABLE USB MASS STORAGE DEVICE*********
regedit /s "\\SERVER\C$\dword3.reg"
"\\SERVER\C$\subinacl.exe" /keyreg \system\currentcontrolset\services\usbstor /grant=system

Hope this helps
Ray
------------------------------
*From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
*Sent:* 17 October 2006 11:58
*To:* gptalk@xxxxxxxxxxxxx
*Subject:* [gptalk] how to block removable USB storage devices
Hi,
This is my first query, won't be the last for sure...
I'm working in an Animation studio, we have a policy here of blocking all USB drives, along with FDD and CDD.
But we are getting some Pen Tablets, and all are USB devices, so obviously we will need to enable USB ports. Is there any way to block users from connecting their removable drives and copying data using Group Policies?
Kindly advise... in detail :-)
regards anth
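
A read-only check for the registry approach in Ray's message, added here as an example and not part of the original thread: it reports the USBSTOR Start value and whether an explicit Deny entry for SYSTEM sits on the key, the two things the restrict script sets. The function name Get-UsbStorState and the output field names are assumptions of this example.

```powershell
# Added example: report whether the USBSTOR restriction from the thread is in effect.
# Read-only; run in an elevated PowerShell session on the workstation being checked.
function Get-UsbStorState {
    param(
        # Key written by dword3.reg / dword4.reg in the thread
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    )

    if (-not (Test-Path -Path $KeyPath)) {
        # No USBSTOR service key on this machine, so there is nothing to evaluate
        return [pscustomobject]@{ Key = $KeyPath; Present = $false }
    }

    $start = (Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction Stop).Start

    # Service start types; the thread uses 3 (enable) and 4 (restrict)
    $meaning = switch ($start) {
        0 { 'Boot' }
        1 { 'System' }
        2 { 'Automatic' }
        3 { 'Manual: driver loads on demand, USB storage works' }
        4 { 'Disabled: driver does not load, USB storage blocked' }
        default { "Unexpected value $start" }
    }

    # Ask for rules keyed by SID so the SYSTEM check does not depend on the
    # display language of the account name (S-1-5-18 is Local System).
    $acl   = Get-Acl -Path $KeyPath
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $systemDeny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-5-18'
    })

    [pscustomobject]@{
        Key                   = $KeyPath
        Present               = $true
        Start                 = $start
        Meaning               = $meaning
        SystemDenied          = ($systemDeny.Count -gt 0)
        DeniedRights          = ($systemDeny | ForEach-Object { $_.RegistryRights }) -join ', '
        # True only when both steps of the restrict script are visible on the key
        MatchesRestrictScript = ($start -eq 4) -and ($systemDeny.Count -gt 0)
    }
}

Get-UsbStorState | Format-List
```

Running it after each logon script shows whether the .reg import and the SubInAcl step both took effect, rather than only one of them.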