[gptalk] Re: ADM problem

  • From: Mathieu CHATEAU <gollum123@xxxxxxx>
  • To: "Gray Troutman" <jgraytroutman@xxxxxxxxx>
  • Date: Tue, 22 Aug 2006 18:17:12 +0200

Hello Gray,


I used the following methods with success:


Copy/paste from http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks



The Howto!

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTOR.PNF in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the privileges of the currently logged on user. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.

In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects. 

In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF).

Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any privileges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage.

Repeat the above two steps for USBSTOR.PNF

Download USBSTOR.ADM

Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog. 

You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be enabled whereas Startup Type must be Disabled.

Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB storage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all.

On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick. 

Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation, in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly, but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor.

Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device. 

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com


Tuesday, August 22, 2006, 6:09:39 PM, you wrote:

sorry about that, I mistyped, it's NUMERIC.  I've tried running gpupdate /force and it didn't work.  I was just wondering if there was anything obviously wrong in my ADM that would keep the value from being presented properly.  I'll just keep at it.



On 8/22/06, jpsalemi@xxxxxxxxxxxxxxxxxxx <jpsalemi@xxxxxxxxxxxxxxxxxxx> wrote:

Gary, you're not using NUMERICAL are you?  The policy says NUMERIC ?

It should be NUMERIC

It wouldn't apply during a policy refresh, but a reboot, policy change, or a gpupdate /force it should.  You can try "always run registry policy settings too" although that can cause some performance issues upon policy re-application.

The idea being if someone has admin rights, and deletes the key, it won't automagically come back.

John







"Gray Troutman" <jgraytroutman@gmail.com>
Sent by: gptalk-bounce@freelists.org
08/22/2006 10:51 AM
Please respond to gptalk@freelists.org

To: gptalk@xxxxxxxxxxxxx
cc:
Subject: [gptalk] Re: ADM problem







So if I have

VALUEON NUMERICAL 1
VALUEOFF NUMERICAL 0

Having it enabled should have put 1 into the value, but it didn't, and the key didn't exist before the GPO was created.

But, more importantly, what you're telling me is that if I switch the policy between enabled and disabled, it's not going to update the key to the appropriate value?  If that's the case, I might as well just write a script that imports the appropriate registry value during logon.






On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote:

  If the value does not exist (previously) it should work.  This is considered a "user preference" and a GPO will only apply it once.  It will not be "managed".

  Doug Delaney
  GM Desktop Engineering
  Global Client Engineering GM
  1075 W. Entrance Dr., MS 2B, Cube 2130
  Auburn Hills, MI 48326
  Lab: 248-365-9187
  Tel: 248-754-7917
  Pg: 248-870-0306 pager
  Mail: Doug.Delaney@xxxxxxx

  Note: The information in this email is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited.

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman
        Sent: Tuesday, August 22, 2006 11:18 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: ADM problem

  The thing is that if I create the key/dword and put in the value 1 manually, it works fine, write access to USB devices is disallowed.  If I use the ADM, though, it creates the key and dword, but doesn't put the correct value in, it stays 0.




  On 8/22/06, Tim Bolton <jsclmedave@xxxxxxxxx> wrote:

   We tried this numerous times, but certain USB sticks were still able to load and were accessible.

   hopefully Darren has the magic bullet for this.  I have heard of shops actually putting epoxy in the ports...

   We use a product that took care of this.  If you want info on it please email me direct.

   I am very curious to see if there is a workable solution in GP...

   TB


   On 8/22/06, Gray Troutman <jgraytroutman@xxxxxxxxx> wrote:

   > Hey folks,
   > I've implemented a few custom ADMs without any difficulty.  I have one, however, that doesn't seem to want to work properly.  It's one I found over at thelazyadmin.com.  The ADM is supposed to disable write access to USB devices.  When I manually create the key and dword, everything works fine, but when I try to implement it through a GPO, it creates the key and dword, but doesn't place the appropriate value (1) into the registry.  Here are the contents of the ADM:
   >
   > CLASS MACHINE
   > CATEGORY "Removeable Storage Write Access"
   >   POLICY "USB Write Access"
   >     KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
   >     VALUENAME "WriteProtect"
   >     VALUEON NUMERIC 1
   >     VALUEOFF NUMERIC 0
   >   END POLICY
   > END CATEGORY;
   >
   > As an additional note, I'll mention that this is the only machine specific policy I'm trying to enforce within this GPO, everything else is on the user side.  I had thought that maybe I had instituted a policy that was keeping the key from being generated, but everything shows up except for the appropriate value.
   >
   > Thanks in advance,
   > Gray
   >



   --
   Genius may have its limitations, but stupidity is not thus handicapped. - Elbert Hubbard

   ***********************

   You can unsubscribe from gptalk by sending email to

   gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR 

   by logging into the freelists.org Web interface. Archives for the list

   are available at //www.freelists.org/archives/gptalk/ 

   ************************




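As an added check that is not part of the thread or the quoted how-to, the PowerShell below audits a workstation against the three settings discussed above: the ACLs on USBSTOR.INF and USBSTOR.PNF, the UsbStor Start value, and the WriteProtect value Gray's ADM is meant to set. It assumes an elevated prompt and an English-locale Windows where the well-known group is displayed as Everyone; the function name Test-UsbStorageLockdown is my own.

```powershell
# Added audit example; not from the thread or the quoted how-to.
# Checks the three settings the thread discusses, on the local machine:
#  1. USBSTOR.INF / USBSTOR.PNF carry no ACE for Everyone (the File System GPO setting)
#  2. Services\UsbStor\Start is 4 (Disabled), or the UsbStor key is absent
#  3. Control\StorageDevicePolicies\WriteProtect is 1 (what Gray's ADM should set)
# Assumes an elevated prompt and an English locale (the group is displayed as "Everyone").

function Test-UsbStorageLockdown {
    $results = @()

    # 1. Driver INF/PNF permissions: the how-to says to omit any entry for Everyone
    foreach ($name in 'USBSTOR.INF', 'USBSTOR.PNF') {
        $path = Join-Path $env:SystemRoot "Inf\$name"
        if (Test-Path -Path $path) {
            $acl = Get-Acl -Path $path
            $everyone = @($acl.Access | Where-Object { $_.IdentityReference -eq 'Everyone' })
            $summary = ($acl.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
            $results += [pscustomobject]@{ Check = "$name has no ACE for Everyone"; Pass = ($everyone.Count -eq 0); Value = $summary }
        } else {
            $results += [pscustomobject]@{ Check = "$name present"; Pass = $false; Value = 'missing' }
        }
    }

    # 2. Start = 4 means the driver is disabled; the how-to also accepts a missing key
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' -Name Start -ErrorAction SilentlyContinue
    $start = if ($null -eq $svc) { 'absent' } else { $svc.Start }
    $results += [pscustomobject]@{ Check = 'UsbStor Start is 4 or key absent'; Pass = ($start -eq 'absent' -or $start -eq 4); Value = $start }

    # 3. The write-protect value; note this key is not under a Policies branch,
    #    so Group Policy treats it as a preference (it is written once, not managed)
    $pol = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' -Name WriteProtect -ErrorAction SilentlyContinue
    $wp = if ($null -eq $pol) { 'absent' } else { $pol.WriteProtect }
    $results += [pscustomobject]@{ Check = 'StorageDevicePolicies\WriteProtect is 1'; Pass = ($wp -eq 1); Value = $wp }

    return $results
}

Test-UsbStorageLockdown | Format-Table -AutoSize
```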