[gptalk] Re: ADM problem

  • From: Mathieu CHATEAU <gollum123@xxxxxxx>
  • To: "Gray Troutman" <jgraytroutman@xxxxxxxxx>
  • Date: Tue, 22 Aug 2006 18:17:12 +0200

Hello Gray,

I used the following methods with success:

Copy/paste from http://diaryproducts.net/about/operating_systems/windows/disable_usb_sticks

The Howto!

If we combine Mark Heitbrink's approach with the one outlined in knowledge base article 823732, we get a more reliable solution. Firstly, we need to prevent USBSTOR from being installed unless the currently logged on user is allowed to use USB storage. We do that by restricting access to USBSTOR.INF and USBSTORE.PNF in a GPO such that PNP can't automatically install the driver. This is possible because when PNP installs a driver, the installation is performed using the priviledges of the currently logged on user. Secondly, we need to make sure that USBSTOR is not started when a USB storage device is plugged in. For that we use Mark's ADM template. The only minor drawback of my solution is that users with access to USB storage need to manually start USBSTOR before connecting USB storage devices.

In Active Directory Users and Computers, open an existing GPO or create a new one and open it. Use the security settings of that GPO to specify which computers it affects. 

In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File System and create a new entry (right-click File System and select Add File). Specify the location of USBSTOR.INF (usually SystemRoot%\Inf\USBSTOR.INF

Change the security settings of the new entry. The security settings that you specify here will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This process is not additive, which means that the previous security settings of USBSTOR.INF will be overwritten by the ones given in the GPO. It is therefore recommended to grant full control to SYSTEM and local administrators. But unlike in the default security settings of USBSTOR.INF, you should not grant any priviledges to Everybody. You do not need to explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read access to a certain group. Members of this group will be able to use USB storage. 

Repeat the above two steps for USBSTOR.PNF


Back in the GPO, right-click Administrative Templates under Computer Configuration and select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM. Close the dialog. 

You should now have an additional entry called Services and Drivers in Administrative Templates. Click on it. If it is empty, select View from the menu and uncheck Show Policies Only. Click back on Services and Drivers in Administrative Templates. It should now show the USB Storage policy. Double click it, select Enabled and pick Disabled from the Startup Type drop down. Again, the policy must be enabled wheras Startup Type must be Disabled. 

Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure no USB strorage device is connected to that computer. Log on with administrative privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It should be 4. It is also ok if the UsbStor key doesn't exist at all. 

On the same workstation, log off and back on as a user that should not have access to USB storage. Connect a USB memory stick or a similar device. Nothing should happen. Remove the memory stick. 

Log on as a user that should have access to USB storage and execute net start usbstor in a command shell or at Start – Run before connecting the memory stick. The memory stick should initialized and mapped to a drive letter. If USBSTOR fails to start, it's probably because this is the first time a memory stick is plugged into the workstation in which case USBSTOR is not yet installed. Nevertheless, the memory stick should be initialized and mapped correctly but you need to reboot in order to reapply the administrative template such that USBSTOR is disabled again. Alternatively, you can disable it manually by downloading and double clicking USBSTOR.REG as well as executing net stop usbstor

Instruct the users with access to USB storage that they need to execute net start usbstor before they can connect a USB storage device. 




Tuesday, August 22, 2006, 6:09:39 PM, you wrote:


sorry about that, I misstyped, it's NUMERIC.  I've tried running gpupdate /force and it didn't work.  I was just wondering if there was naything obviously wrong in my ADM that would keep the value from being presented properly.  I'll just keep at it. 

On 8/22/06, jpsalemi@xxxxxxxxxxxxxxxxxxx <jpsalemi@xxxxxxxxxxxxxxxxxxx > wrote:

Gary, you're not using NUMERICAL are you?  The policy says NUMERIC ?

It should be NUMERIC

It wouldn't apply during a policy refresh, but a reboot, policy change, or

a gpupdate /force it should.  You can try "always run registry policy

settings too" although that can cause some performance issues upon policy 


The idea being if someone has admin rights, and deletes the key, it won't

automagically come back.


             "Gray Troutman"

             < jgraytroutman@gm

             ail.com>                                                   To

             Sent by:                  gptalk@xxxxxxxxxxxxx 

             gptalk-bounce@fre                                          cc



                                       [gptalk] Re: ADM problem

             08/22/2006 10:51


             Please respond to



So if I have



Having it enabled should have put 1 into the value, but it didn't, and the

key didn't exist before the GPO was created.

But, more importantly, what you're telling me is that if I switch the

policy between enabled and disabled, it's not going to update the key to

the appropriate value?  If that's the case, I might as well just write a 

script that imports the appropriate registry value during logon.

On 8/22/06, Delaney, Doug <doug.delaney@xxxxxxx> wrote:

  If the value does not exist (previously) it should work.  This is 

  considered a "user preference" and a GPO will only apply it once.  It

  will not be "managed".

  Doug Delaney

  GM Desktop Engineering

  Global Client Engineering GM

  1075 W. Entrance Dr., MS 2B, Cube 2130 

  Auburn Hills, MI 48326

  Lab: 248-365-9187

  Tel: 248-754-7917

  Pg: 248-870-0306 pager

  Mail: Doug.Delaney@xxxxxxx

  Note: The information in this email is intended solely for the addressee. 

  Access to this email by anyone else is unauthorized. If you are not the

  intended recipient, any disclosure, copying, distribution or any action

  taken or omitted to be taken in reliance on it is prohibited. 

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:

        gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gray Troutman 

        Sent: Tuesday, August 22, 2006 11:18 AM

        To: gptalk@xxxxxxxxxxxxx

        Subject: [gptalk] Re: ADM problem

  The thing is that if I create the key/dword and put in the value 1 in 

  manually, it works fine, write access to USB devices is disallowed.  If I

  use the ADM, though, it creates the key and dword, but doesn't put the

  correct value in, it stays 0.

  On 8/22/06, Tim Bolton < jsclmedave@xxxxxxxxx> wrote:

   We tried this numerous times, but certain USB sticks were still able

   to load and were accessible.

   hopefully Darren has the magic bullet for this.  I have heard of shops 

   actually putting epoxy in the ports...

   We use a product that took care of this.  If you want info on it

   please email me direct.

   I am very curious to see if there is a workable solution in GP... 


   On 8/22/06, Gray Troutman < jgraytroutman@xxxxxxxxx> wrote:

   > Hey folks,

   > I've implemented a few custom ADMs without any difficulty.  I have 


   > however, that doesn't seem to want to work properly.  It's one I found


   > over at thelazyadmin.com .  The ADM is supposed to disable write

   access to 

   > USB devices.  When I manually create the key and dword, everything


   > fine, but when I try to implement it through a GPO, it creates the key


   > dword, but doesn't place the appropriate value (1) into the registry. 


   > are the contents of the ADM:



   > CATEGORY "Removeable Storage Write Access"

   >  POLICY "USB Write Access"

   >   KEYNAME

   > "SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"

   >    VALUENAME "WriteProtect"






   > As an additional note, I'll mention that this is the only machine


   > policy I'm trying to enforce within this GPO, everything else is on

   the user

   > side.  I had thought that maybe I had instituted a policy that was 


   > the key from being generated, but everything show up except for the

   > appropriate value.


   > Thanks in advance,

   > Gray



   Genius may have its limitations, but stupidity is not thus 

   handicapped. - Elbert Hubbard


   You can unsubscribe from gptalk by sending email to

   gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR 

   by logging into the freelists.org Web interface. Archives for the list

   are available at http://www.freelists.org/archives/gptalk/ 



You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at http://www.freelists.org/archives/gptalk/


*********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at http://www.freelists.org/archives/gptalk/ ************************

Other related posts: