enable and disable usb access group policy

  • Question

  • through powershell how to enable and disable usb access group policy

    Support@Mytechnet.me

    Saturday, December 15, 2012 8:09 AM

Answers

  • Using PowerShell you can do it as below
    http://stackoverflow.com/questions/12812078/disable-enable-usb-drivers-without-reboot-with-c-c-powershell-in-windows-7

    In a Windows Server 2008 domain, there is a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage devices easier.

    1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
        User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

    It specifies read and write permissions on all kinds of removable storage devices.

    2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

    With device installation restrictions, the installation of removable storage devices will be totally under control.

    More detailed information:

    Managing Hardware Restrictions via Group Policy

    http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx

    But the minimum client requirement is Windows Vista/Win7. So this is no good for my Windows XP machines.

    If you have Win2003 and WinXP clients, for easy manageability of the USB group policy: create a Computer OU, in the same OU create two sub-OUs (EnableUSB and DisableUSB OU), and apply the USB disable GPO ADM template to the DisableUSB OU and the USB enabled policy ADM template to the EnableUSB OU.

    Computer OU
    --USBEnable...Apply usb enabled policy(template)
    --USBDisable...Apply usb disable policy(template)

    Refer to the link below for the ADM template.

    You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB, else the disable policy will not work. Also set allow permission on the usbstor.inf and usbstor.PNF files and attach the GPO to the USBDisable and USBEnable GPO accordingly.

    Computer Configuration\Windows setting\security settings\File system Add
    %SystemRoot%\inf\usbstor.inf
    %SystemRoot%\inf\usbstor.PNF
    Set deny permission for administrator, authenticated user, everyone, SYSTEM, users.

    Similarly set allow permission for administrator, authenticated user, everyone, SYSTEM, users.

    Reference link: http://www.petri.co.il/disable_usb_disks_with_gpo.htm

    Once done you can move the computer to the USBEnable or USBDisable OU. If there is a requirement to enable or disable the computer's USB, you can move the required computer object to the appropriate OU to receive the appropriate policy. However, for the setting to take effect you need to reboot the computer.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Technicalsupp Saturday, December 15, 2012 8:59 AM
    Saturday, December 15, 2012 8:26 AM
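
A way to verify the file-permission step of the answer above on a client after the GPO has applied. This is an added example, not part of the original post; the function name `Get-UsbStorFileDeny` is hypothetical, and it only reads the ACLs of the two files the answer names.

```powershell
# Added example, not from the thread. Reports the deny ACEs on the two driver
# files the answer names, on the computer where it runs.
function Get-UsbStorFileDeny {
    [CmdletBinding()]
    param(
        [string[]]$Path = @(
            (Join-Path $env:SystemRoot 'inf\usbstor.inf'),
            (Join-Path $env:SystemRoot 'inf\usbstor.PNF')
        )
    )
    $systemSid = 'S-1-5-18'   # well-known SID of the local SYSTEM account
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ File = $file; Present = $false; DenyFor = @(); SystemDenied = $false }
            continue
        }
        # Ask for SIDs rather than names so the check does not depend on the OS language.
        $rules = (Get-Acl -LiteralPath $file).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        $deny = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
        $names = foreach ($rule in $deny) {
            try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $rule.IdentityReference.Value }   # unresolvable SID: report it raw
        }
        [pscustomobject]@{
            File         = $file
            Present      = $true
            DenyFor      = @($names)
            # The answer lists SYSTEM among the principals that must be denied.
            SystemDenied = [bool]($deny | Where-Object { $_.IdentityReference.Value -eq $systemSid })
        }
    }
}

Get-UsbStorFileDeny | Format-Table -AutoSize
```

On a computer in the USBDisable OU both rows should show `SystemDenied` as True; on one in the USBEnable OU the `DenyFor` column should be empty.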

All replies

  • Thanks;

    I have made two, one for usb enable and the other to disable; however, how can I move a computer account via powershell script?


    Support@Mytechnet.me


    Saturday, December 15, 2012 9:01 AM
  • The Easy Way to Use PowerShell to Move Computer Accounts
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/01/the-easy-way-to-use-powershell-to-move-computer-accounts.aspx

    Move computer account to a different OU using powershell
    http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/636f4f5b-0fdf-4492-994c-2932a13b9fee/


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, December 15, 2012 9:06 AM
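
The move between the two OUs discussed in this thread, as an added example that is not part of any post above. It assumes the ActiveDirectory module (RSAT) is available; the function name `Set-UsbPolicyOU`, the `example.com` domain and the OU distinguished names are placeholders to replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Moves computer accounts between the
# USBEnable and USBDisable OUs so they pick up the matching GPO.
function Set-UsbPolicyOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Disable')]
        [string]$State
    )
    begin {
        # Assumed OU layout under a placeholder domain.
        $ouByState = @{
            Enable  = 'OU=USBEnable,OU=Computer,DC=example,DC=com'
            Disable = 'OU=USBDisable,OU=Computer,DC=example,DC=com'
        }
        $target = $ouByState[$State]
    }
    process {
        foreach ($name in $ComputerName) {
            try {
                $computer = Get-ADComputer -Identity $name -ErrorAction Stop
            } catch {
                Write-Warning "Computer '$name' not found: $($_.Exception.Message)"
                continue
            }
            # Parent container = DN with the leading "CN=<name>," component removed.
            $currentOU = $computer.DistinguishedName -replace '^CN=(?:\\.|[^,\\])+,', ''
            if ($currentOU -eq $target) {
                Write-Verbose "$name is already in $target"
                continue
            }
            if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Move to $target")) {
                Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target -ErrorAction Stop
                # The policy only takes effect after a reboot, as the answer notes.
                [pscustomobject]@{ Computer = $name; From = $currentOU; To = $target; RebootNeeded = $true }
            }
        }
    }
}

# Dry run first; drop -WhatIf to perform the move. 'PC-0042' is a constructed name.
# Set-UsbPolicyOU -ComputerName 'PC-0042' -State Disable -WhatIf
```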