active directory making all usb drives read-only


  • A new client has an old 2003 SBS (not r2) and a few vista and windows 7 workstations sometime this week it changed the usb settings on all computers to Read Only and they use usb drive to transfer files to outside employees

    if i change  Reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies from 1 to 0 it will be switched back shortly there after however the flash drives will work during that time

    i checked the Group Policies and do not see any changes in the last 2+ years and none that point to being the read only setting

    only thing that has changed in this network in the last 2 weeks is replacing an old xp with a new win 7
    there was also some updates done and i will review if any of them should have made the change but i do not think that is it

    what would be a way i could override the servers wanting to move everyone on the domain to read only removable storage
    ps the server usb drives will work - but no workstation
    Saturday, September 14, 2013 5:15 PM

All replies

  • If nothing has changed on the AD side, especially around Group Policies it could be something client side, eg Anti Virus. In the company I have recently been assisting we implemented Sophos to do exactly what you are suggesting.

    Incidentally the following guide details how to implement read only USB keys. you could implement this in reverse.

    Saturday, September 14, 2013 8:13 PM
  • I have seen that guide and tried it however the problem is the guide does not line up with the servers settings for GP and even if i take the changes as i think they should be it never asks me for a value of a key only the security permission (ie who can change it)

    sadly no av or of the kind change has taken place in a long time and there is 3 av at that location which over time i plan on moving to one but av it cant be as it is not same system wide

    and how can it be client side when we went from all working to all having same issue in less then 1 week system wide with the server being the only one without the issue

    Sunday, September 15, 2013 9:28 PM
  • In windows 7, use RAST, then replace the registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies ) to 0 in GPP.

    configure registry item, refer to:



    Sunday, September 22, 2013 4:26 PM