How to Prevent Users from Connecting to a USB Storage Device by Group Policy


بسم الله الرحمن الرحيم

To prevent users from connecting to USB storage devices by group policy

 If a USB storage device is already installed on the computer:

  1.  Click Start –  All programs  – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects
  3. Expand Computer ConfigurationPreferencesWindows Settings.
  4. Right click RegistryNewRegistry Item.
  5. General Tab.
  • Action : Update
  • Hive : HKEY_LOCAL_MACHINE
  • Key path : SYSTEM\CurrentControlSet\Services\UsbStor
  • Value name : Start
  • Value type : REG_DWORD
  • Value data : 00000004

Notes: You can apply this method on User Configration too.

If a USB storage device is not already installed on the computer:

  1. Click Start –  All programs  – Administrative Tools – Group Policy Managment.
  2. Create or Edit Group Policy Objects
  3. Expand Computer ConfigurationPolice Windows Settings – Security Settings .
  4. Right click File SystemAdd file or folder.
  5. Browse to this file
  • %SystemRoot%\Inf\Usbstor.pnf
  • assign the user or the group and the local SYSTEM account Deny permissions.

6. Browse to this file too.

  • %SystemRoot%\Inf\Usbstor.inf
  • assign the user or the group and the local SYSTEM account Deny permissions.

     

Advertisements

About Mohamed Abd Elhamid

Microsoft System Administrator

Posted on September 10, 2011, in Group Policy, HOW TO ? and tagged , , , . Bookmark the permalink. 13 Comments.

  1. Essalamo Alaykum Akhi,
    Baraka allaho feekom.
    Akhok Essadek Amine
    This is my Website: http://algnet.net
    my blog website: http://blog.algnet.net

  2. Walykoum Alsalam Akhi
    Thanks for your comment

  3. what if i need to give some computers to access usb …how should i get this done……thanks for post..

    • Hi Thanks for comment
      1- if i need to give some computers to access usb Temporary time
      you can access the computer local and change •Value data : 00000004 to •Value data : 00000003 to open it manual and if you want close it again by return •Value data : 00000004 or leave it the policy will apply again after 90-120 Min

      2- if i need to give some computers to access usb Always put these computers in OU and don’t apply or don’t link this GPO ( sepreate computer in another OU)

  4. Good post. I certainly appreciate this site. Continue the good work!

  5. very useful information , thanks alot and contiue good work

  6. I tried your method… but i did not work out…. I installed GPP for xp already…. and also on my Xp sp3 it is not working

  7. Hello Mohamed. I have an issue where I cannot access any removable media. I always get “Location not available. E:\ is not accessible. Access is denied”.

    My computer has Windows 7 Enterprise Edition with service pack 1.

    Couldn’t check the %SystemRoot%\Inf\Usbstor.pnf because my gpedit.msc does not show Policies -> Windows Settings.

    Is there an email I can contact you on to show you screenshots of my computer?

    Thanks in advance for your help.

  8. Sir ,

    i am system admin in a small company having 30 systems. i am using windows server 2012 , client systems are using windows 7 i faced a problem now. my management said block USB ports to some particular users .

    i created a OU added those users to that OU . i appled GPO to that OU

    1) user configuration > Administrative templates > system > removal storage access > removal disk deny read access > enabled

    2) user configuration > Administrative templates >start menu & task bar > disable games icon in start menu > enabled

    gpupdate /force

    turn off all client machines & turned on

    only one system had applied all GPO policy remaining all applied only 2) GPO (games icon)

    on that machine which applied all GPO’s . if we open any user in OU all GPOs applied.

    but at thier own computers USB blocking is not applied

    what is the reason..?

    Please help me sir

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: