Disable USB via GPO

Question
Dear Sir/madam,
According to these web sites, http://support.microsoft.com/kb/555324/en-us and http://windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html, I created a policy called "Disable USB" for my company. Under its security filtering section, I added Domain Computers as the scope, so that none of the PCs in the domain can access USB.
Now I want some PCs to be able to access USB and some not; would you tell me clearly how?
My server is running Windows Server 2003 R2 with SP2, and the clients are running Windows XP Pro SP3.
Thank you very much.
Best Regards,
Mike
April 30, 2010, 07:23 AM
Answer
Dear Customer,
I understand your issue to be: You would like to know how to disable the USB Storage device via group policy. I therefore would like to provide the following information for your reference:
There is no GPO to disable USB storage devices directly. However, you can try the following workarounds:
Scenario 1: A USB Storage Device Is Not Already Installed on the Clients.
===================
If a USB storage device is not already installed on the clients, we can configure the group policy to deny access to the following files:
- %SystemRoot%\Inf\Usbstor.pnf
- %SystemRoot%\Inf\Usbstor.inf
Then, when a USB storage device is connected to the computer, the required driver files will be inaccessible and, as a result, the USB storage device cannot be used.
To configure permissions to the Usbstor.pnf and Usbstor.inf files via Group Policy, please follow these steps:
- Open the appropriate Group Policy on the domain controller.
- Browse to:
Computer Configuration\Windows Settings\Security Settings\File System
- Right click "File System" and choose "Add file".
- Input "%SystemRoot%\Inf\Usbstor.inf" (without the quotation marks).
- Then a new window appears. Add the users group or user accounts into the Security list, and select the check box for "Full Control" on the "Deny" column. (Therefore, the related users group will be unable to access this file.)
- Click OK twice to accept the default setting on the wizard.
- Use the same steps to add "%SystemRoot%\Inf\Usbstor.pnf" and ensure Everyone will be unable to access this file.
- Close the Group Policy window and restart the Windows 2000/XP client to apply this setting.
- After rebooting, please ensure that the user cannot open the "%SystemRoot%\Inf\Usbstor.inf" file. If an "Access Is Denied" error appears, it indicates that the group policy has been applied successfully. Please connect a new USB storage device (that has never been connected to this computer before) to this client and check how it works.
Scenario 2: A USB Storage Device Is Already Installed on the Clients.
===================
If a USB storage device is already installed on the computer, we need to disable the "USB Mass Storage Driver" service. To do so, we can set the "Start" value in the following registry key to 4:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
We can also use Group Policy to simplify the operation:
- Create a text file named USBSTOR.adm with the following content:
CLASS MACHINE
CATEGORY !!USBSTOR_Start
POLICY !!SET_USBSTOR_START
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!USBSTOR_START_HELP
PART !!DISABLE NUMERIC REQUIRED
VALUENAME "START"
MIN 3 MAX 4 DEFAULT 4
END PART
END POLICY
END CATEGORY
[Strings]
DISABLE="USBSTOR Start Value"
USBSTOR_Start="USB Mass Storage"
SET_USBSTOR_START="Disable USB Mass Storage Devices"
USBSTOR_START_HELP="Setting this value to 4 will disable USB Mass Storage Devices. Setting it to 3 will enable them."
- Open the appropriate Group Policy object on the DC.
- Under Computer Configuration, right-click on Administrative Templates. Select Add/Remove templates and click Add.
- Double-click on the USBSTOR.adm file and click Close.
- On the View menu, uncheck "Show Policies Only".
(Note: If the DC is Windows Server 2003, please use these steps: Select the Administrative Templates folder. Right-click on it and select View->Filtering. Uncheck the "Only show policy settings that can be fully managed" check box and click OK.)
- Expand "Administrative Templates" and select "USB Mass Storage".
- Double-click "Disable USB Mass Storage Devices".
- Click "Enabled". The "Start Value" should default to 4. Click OK.
- Close the GPO.
Please connect a USB storage device (one that has been connected to this computer before) and check how it works now.
For more information, please refer to the following document:
How to disable the use of USB storage devices
http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
I hope this helps. If you have any questions or concerns, please do not hesitate to let me know. I am happy to be of further assistance. Thank you for your time and cooperation!
Tom Zhang
Tom Zhang – MSFT
May 3, 2010, 07:34 AM, Moderator
- Proposed as answer by Ken Lin, MSMVP for .NET (2003-2017), rMVP, May 5, 2010, 07:07 AM
- Unproposed as answer by Fan Yuen, May 10, 2010, 08:02 AM
- Marked as answer by Fan Yuen, May 10, 2010, 08:02 AM
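A way to check on a client which of the two controls described in the answer actually took effect (useful once the GPO is scoped to only some computers), as an added PowerShell example that is not part of the original thread. The function name Get-UsbStorPolicyState and the DeniedIdentity parameter are my own; the registry key and the Usbstor.inf/Usbstor.pnf paths are the ones the answer names.

```powershell
# Added example, not from the original thread: audit a client for the
# USB-storage controls described in the answer (Scenario 1 file Deny ACEs,
# Scenario 2 UsbStor Start = 4). Run locally with rights to read HKLM and %SystemRoot%\Inf.
function Get-UsbStorPolicyState {
    param(
        # Identity the Scenario 1 GPO is expected to deny (assumption: "Everyone", as in the answer).
        [string]$DeniedIdentity = 'Everyone'
    )
    $result = [ordered]@{}

    # Scenario 2: the answer sets Start = 4 under this key to disable the driver.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    $result.UsbStorStart   = $start
    $result.DriverDisabled = ($start -eq 4)

    # Scenario 1: the answer adds a Deny / Full Control ACE on both driver files.
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($name in 'Usbstor.inf', 'Usbstor.pnf') {
        $path   = Join-Path $env:SystemRoot "Inf\$name"
        $denied = $false
        if (Test-Path $path) {
            $acl    = Get-Acl -Path $path
            $denied = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -like "*$DeniedIdentity" -and
                (($_.FileSystemRights -band $fullControl) -eq $fullControl)
            })
        }
        $result["DenyAceOn_$name"] = $denied
    }

    # Either control on its own is enough to block new USB storage devices.
    $result.UsbStorageBlocked = $result.DriverDisabled -or
        ($result['DenyAceOn_Usbstor.inf'] -and $result['DenyAceOn_Usbstor.pnf'])

    [pscustomobject]$result
}

# Show the state of this client; compare against the intended GPO scope.
Get-UsbStorPolicyState | Format-List
```

A computer that should be exempt but still reports UsbStorageBlocked = True usually means a lingering Start = 4 value, which the GPO does not revert when it stops applying.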