Group Policy.. Block USB

  • Question

  • Hi,

    I don't know if this is the right place to write to you; if it's not, then please guide me.

    Anyway, I want to block USB mass storage devices (pen drives) for all users. Can I block it for all users from Group Policy, and in future, if someone asks me to enable it, will the change happen for a group or for a single user?

    Or can I block it manually on all computers?

    I am trying to block it, but after restarting a PC, when I plug in another one it becomes enabled again...

    Regards,

    Sami

    Monday, August 6, 2007 1:18 PM

All replies

  • You have 2 options:

    1. Manually modify the registry key which is described in the following KB article:

    http://support.microsoft.com/kb/823732

    2. Using Group Policy as described in the following KB article:

    http://support.microsoft.com/kb/555324

    You can use security filtering in the GPO to apply the policy to a certain group of computers.
    Monday, August 6, 2007 1:30 PM
  • Hi guys!

    I appreciate your help and quick response. I can now successfully block USB on a single workstation. Now, if I want to implement a policy on my 2003 domain controller for all users, what do I do then: the same procedure, or are there any changes?

    Thanks in advance again.

    Regards,

    Sami.

     

    Saturday, August 11, 2007 6:47 AM
  • You can implement the setting using a GPO as mentioned in the second link provided in my earlier post. You need to make sure that the GPO is linked to the OU where the workstation's computer account is placed.

    Saturday, August 11, 2007 3:39 PM
  • Dear Sir,

    Good day.

    Thanks, and I appreciate your quick response and help. I added the .adm file as mentioned in your 2nd link and disabled USB, then ran the command gpupdate /force, and restarted my server too. But when I plug in a USB stick the first time for the members in the OU, it's not showing successfully block, but at the same time when I unplug my USB stick on the member's workstation and plug in another USB stick, it starts working... headache.

    I need a solution, please.

    Thanks in advance.

    Regards,

    Sami

    Sunday, August 12, 2007 8:48 AM
  • Try to run rsop.msc to verify whether the policy has been successfully applied. If not, you might want to verify that the GPO is linked to the computer account's OU and that no security/WMI filtering on the GPO filters out the computer account.

    Sunday, August 12, 2007 10:25 AM
  • Hi Dear,

    Appreciated again. I ran the command rsop.msc, but when it opens there is a red cross on Computer Configuration.

    Only 2 days are left to implement this policy and I don't know what to do with it. You are the only one who is answering my questions; I really appreciate it, and thanks for your support.

    Can you please tell me where I am making mistakes, and what to do right now about it?

    Regards,

    Sami

    Sunday, August 12, 2007 12:34 PM
  • The cross means the policy didn't apply successfully.

    It's very difficult to figure out what is causing the problem with the limited information that we have.

    You might want to refer to the following Microsoft KB article for steps to troubleshoot this issue:

    http://support.microsoft.com/kb/250842/en-us

    Monday, August 13, 2007 2:18 PM
  • Dear All,

    Can you help me with how to block applications from run/setup and change/remove in "Control Panel" using GPO?

    Thank you in advance.

    Saturday, October 6, 2007 1:44 AM
  • Dear,

    Go to Start > Run and type gpedit.msc

    After the new window appears you can define your policies. For further info check this link out:

    http://support.microsoft.com/kb/325351/en-us

    At least you'll get an idea of how to implement policies.

    Regards,

    Sami

    Saturday, October 6, 2007 7:56 AM
  • Check whether the antivirus on each desktop is asking the user whether to add this change to the registry or not.

    I really hate the antivirus thing sometimes. It's a big bug in some antivirus systems. When you make changes via GPO, and the GPO is about to get applied on client machines, the antivirus pops up and nicely asks if you want to enable it, and of course no user will say yes. He/she wants to connect their Nokia handsets, iPods and pen drives.

    Make sure you have edited the ready-made adm template for USB blocking. You can do one thing. I hope you have already installed gpmc.msc. Move the policy to the top and enforce it. Depending on network traffic, changes replicate to client machines.

    Check "event viewer" on your domain to see if it's throwing any GPO-related errors. Do a manual replication from all DCs.

    Some genius users try to edit the registry. I have disabled registry access now.

    Wednesday, October 31, 2007 6:02 AM
  •  

    http://support.microsoft.com/kb/555324

     

    I tried the contents of this URL by copying them into an .adm file and uploading it to the GPO. It uploaded successfully, but in the Group Policy editor's admin templates it shows only up to \adm template\custom policy setting\restrict drives.

    It goes only up to this, showing nothing else. Please guide me on how to solve the issue.

    Thursday, November 29, 2007 11:12 AM
  • Take a look at "Redmond Roundup: Automating the Desktop" article http://redmondmag.com/features/article.asp?editorialsid=2370.
    As I understood the winner of this test was desktop authority by scriptlogic.
    It seems like this solution has powerful usb security features for blocking unauthorized usb storage access.
    Thursday, December 6, 2007 3:10 PM
  • This option will block all USB devices (mouse, keyboard, etc.), not just pen drives. Isn't it?

    Thursday, January 17, 2008 8:31 PM
  • No.

    Only USB storage devices,

    as you are blocking USBSTOR.

    HTH,

    Tarek

    _____________________________

    Tarek Majdalani
    Computer Engineer, CIW, MCSA: Security 2000/2003, TS: Windows Vista
    MVP -- ISA Firewalls
    Website : http://www.elmajdal.net/ISAServer

     

    Friday, January 18, 2008 7:18 PM
  • Hi Sami

    Have a look at the link below; it should help you achieve this.

    Thanks

    Junaid

    http://www.petri.co.il/disable_usb_disks_with_gpo.htm

    Friday, January 25, 2008 10:02 AM
  • Hi,

    Thanks for your posts. Yes, I agree with acchong and the methods should work.

    Just for your information, there is a new policy for this purpose in Windows Server 2008. In a Windows Server 2008 domain, there is a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage devices easier.

    1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

        User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

    It specifies read and write permission on all kinds of removable storage devices.

    2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

    With device installation restrictions, the installation of removable storage devices will be totally under control.

    More detailed information:

    Managing Hardware Restrictions via Group Policy

    http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx

    Thanks.

    Miles Li

    Microsoft Online Community Support

    Friday, February 1, 2008 1:31 AM
  • That's super cool!!

    >> Removable Storage Access

    This means external DVDs, USBs, Firewalls, PDAs, mobiles?

    _____________________________

    Tarek Majdalani
    Computer Engineer, CIW, MCSA: Security 2000/2003, TS: Windows Vista
    MVP -- ISA Firewalls
    Website : http://www.elmajdal.net/Win2k8

    Friday, February 1, 2008 8:02 AM
  • I did create a small, tiny tool with AutoIt for this.
    :)
    Sunday, June 8, 2008 6:44 PM
  • I am having trouble with the same policy. It shows the policy as being enabled in the RSoP and I can see the registry values changing on the client computer, but it still allows the driver to load for the USB drive.

    Brian Jack
    Friday, October 10, 2008 3:56 PM
  • acchong said:

    You have 2 options:

    1. Manually modify the registry key which is described in the following KB article:

    http://support.microsoft.com/kb/823732

    2. Using Group Policy as described in the following KB article:

    http://support.microsoft.com/kb/555324

    You can use security filtering in the GPO to apply the policy to a certain group of computers.

    I do have another curious question, sir.
    If we implement option #2 by importing that .adm template, will USB mice/keyboards still be available, with only USB storage drives disabled?
    Thanks!
    Tuesday, November 4, 2008 3:54 PM
  • option 2 (http://support.microsoft.com/kb/555324) will not disable the usb ports unless selected, it gives you the option to disable usb devices such as removable storage, cd roms, floppy and even all the usb ports.
    Tuesday, November 4, 2008 4:29 PM
  • Yes since the policy is only restricting the USBSTOR and the other storage services (like CDROM and floppy disks). This adm file should work for Windows XP and above (a more robust and scalable, though a bit tougher to implement, blocking through device ID and device setup blocking is available for Vista/Server 2008); however, if you are going to implement this for Windows 2000, you have to go with option 1. Here's a script I've created to tackle this issue (using SubinACL and reg.exe):

    http://badzmanaois.blogspot.com/2008/09/disable-usb-storage-using-vbs-script_07.html

    Regards,

    Salvador Manaois III
    MCSE MCSA CEH MCITP | Enterprise/Server Admin
    Bytes & Badz : http://badzmanaois.blogspot.com
    Tuesday, November 4, 2008 4:34 PM
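
Added example, not part of any post in this thread and not the script linked above: a read-only PowerShell audit of the USBSTOR service key that the registry method discussed here relies on. It reports the driver's `Start` value and lists accounts outside an assumed trusted set that can still change it; the function name, the trusted-account list and the PowerShell 3.0+ requirement are assumptions of this example.

```powershell
# Added example: audit the USBSTOR driver state on the local machine (PowerShell 3.0+).
# Service start types: 4 = disabled, 3 = demand start (driver loads when a device is plugged in).
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Assumption: accounts expected to hold write access. Names are localized; adjust as needed.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Get-UsbStorAudit {
    param([string]$Path = $UsbStorKey)

    # The key can be missing if the storage driver has never been installed.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Start = $null
                                  State = 'KeyMissing'; UntrustedWriters = @() }
    }

    $start = (Get-ItemProperty -Path $Path -Name Start -ErrorAction Stop).Start
    $state = switch ($start) {
        4       { 'Disabled' }
        3       { 'Enabled' }
        default { "Unexpected ($start)" }
    }

    # Anyone who can set values here can flip Start back to 3, so list them.
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue
    $writers = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $writeMask) -ne 0) -and
        ($TrustedWriters -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Start = $start
                       State = $state; UntrustedWriters = @($writers) }
}

Get-UsbStorAudit | Format-List
```

Running it again after plugging in a second USB stick shows whether `Start` is still 4, which is the symptom several posters in this thread were chasing.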
  • Alexxxxxx said:

    option 2 (http://support.microsoft.com/kb/555324) will not disable the usb ports unless selected, it gives you the option to disable usb devices such as removable storage, cd roms, floppy and even all the usb ports.



    So... what if I need to open the authority for a USB mouse, whichever USB port it is going to be plugged into, but disable all other USB drives?
    Will this template work that way? I don't think so...
    Tuesday, November 4, 2008 4:34 PM
  • Just for your information, there is a new policy for this purpose in Windows Server 2008. In a Windows Server 2008 domain, there is a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage devices easier.

    1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

        User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

    It specifies read and write permission on all kinds of removable storage devices.

    2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

    With device installation restrictions, the installation of removable storage devices will be totally under control.

    Miles Li

    Microsoft Online Community Support

    Hello

    So, as long as you have Windows Server 2008, you can use those policies to affect client machines that are running Windows XP?

    Wednesday, July 21, 2010 3:40 AM
  • Hello

     

    So, as long as you have Windows Server 2008, you can use those policies to affect client machines that are running Windows XP ?

    Never mind, I checked and all those policies have this in the Description:

    Requirements:

    At least Windows Vista.

     

    So this is no good for my Windows XP machines.

    Wednesday, July 21, 2010 11:44 PM
  • Hi,

    I have used this thread to create a new topic on the TechNet Wiki, How to block USB devices (DSForum2Wiki) at http://social.technet.microsoft.com/wiki/contents/articles/how-to-block-usb-devices-dsforum2wiki.aspx.

    The Wiki is a great place to roll up answers for the community to improve an article (versus threads).  Take a look and share your feedback.

    Justin Hall, MSFT

    Monday, November 1, 2010 9:04 PM
  • Hi!  thanks for your answer, but i have a doubt about its functioning...

     

    Does it affect the active directory policies? and all computers and user in it....?

     

    Thanks for your help...

     

     

    Cesar Villa

    Tuesday, February 1, 2011 4:27 PM
  • I used to use a GPO, but the problem with this approach is that some people you want to be able to use their USB drives can't. So we found some software called usb drive guard: you just install the client and it manages it by the serial number that's unique to the drive. You approve the ones that are allowed, and if a drive is not on that list then it won't work. We have nearly 900 PCs and people take their drives from department to department, and it's been working great. We buy thumb drives with encryption too, just in case they lose them.
    Saturday, May 7, 2011 8:48 PM
  • Hi This is Atul Palambe

     

     

    for usb block through gpedit in server 2008 visit below link: working..


    atul
    Tuesday, January 10, 2012 12:10 PM
  • I have an issue as mentioned below.

    OS: Windows 2008 R2 with Domain Controller / Terminal Server on the same server

    I want to disable USB pen drives.

    When I try to disable pen drives via GPO, it gets disabled for all users including admins.

    I want to disable it for a few users and allow it for admins.

    Friday, December 21, 2012 8:17 AM