The document provides instructions for adding a .ADM file to Group Policy Objects (GPOs) to disable USB removable drives on Windows computers. It describes downloading the .ADM file, adding it to a GPO, and configuring the policy settings to stop the usbstor.sys driver and deny permissions to the USBSTOR service. The steps also include modifying the security permissions of the USBSTOR files and running gpupdate to push the GPO changes to computers.
1. Download the USB_removable_drives_ADM file (2kb)
After downloading the .ADM file, read Adding New Administrative Templates to a GPO.
You might also be interested in reading Disable Writing to USB Disks with GPO.
Note: In order to successfully view and configure the new .ADM file settings you will need to change the default filtering view for the GPO Editor (or GPedit.msc). Unless you change these settings, the right pane will appear empty, even though it has the settings in it.
Follow these steps:
1. In GPEdit.msc (or any other GPO Editor window you're using) click on View > Filtering.
2. Click to un-select the "Only show policy settings that can be fully managed" check-box. Click Ok.
3. Now you will be able to see the new settings in the right pane.
4. An additional step that needs to be performed before the above tip will work is modifying the file access permissions for two files: you need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files. You can do so by right-clicking these files > Properties, then going to the Security tab. There you need to remove the line for the SYSTEM account.
5. Note: Under some circumstances SYSTEM needs write access to these files during Service Pack installation. For example, when the SP is installed via GPO or SMS, the installation runs under the SYSTEM account. The Service Pack needs to replace the files with a new version, and without proper write access to the files the installation will fail. Therefore, before each SP deployment you need to grant the SYSTEM account access to these files again.
Adding .ADM files to the Administrative Templates in a GPO
In order to add additional .ADM files to the existing Administrative Templates section in a GPO, follow the next steps:
1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.
Note: GPMC is not a built-in part of Windows 2000/XP/2003, and needs to be separately installed. You can download GPMC from the following link (Download GPMC), yet remember it can only be used effectively on Windows Server 2003-based Active Directory.
If you do not have GPMC or cannot install it then you'll need to edit the GPO via the regular means, i.e. from the Active Directory Users and Computers management tool (dsa.msc).
2. Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.
3. Expand either the Computer settings or Users settings section of the GPO. Go to the appropriate Administrative Templates section and right-click it. Select Add/Remove Templates.
4. In the Add/Remove Templates window click Add.
5. Browse to the location of the required .ADM file and click Open.
6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.
Now re-open the Administrative Templates section and browse to the new settings location.
Disabling GPO settings filtering
Many custom Administrative Templates require you to remove the requirement to show only policy settings that can be fully managed in the GPO editor. To do so follow the next steps:
1. After completing the above procedure, browse to the newly added Administrative Template section. Note that the section is indeed listed; however, the right pane is empty.
2. Right-click an empty spot in the right pane and select View > Filtering.
3. In the Filtering window click to un-mark the "Only show policy settings
that can be fully managed" option. Then click Ok.
4. Notice how the available options are now displayed in the right pane.
You can now configure these options as you please.
However, if the .ADM files were added, for example, when sitting on DC1,
how do you make sure they are also replicated to DC2, DC3 and so on?
Please let me know if I can solve this any other way or if I'm doing something wrong.
Creating a GPO in Windows 2003 to block USB drives in Windows XP computer
This GPO is going to block the usage of USB removable disks, while allowing mouse and keyboards to work.
Creating and enabling .ADM file
Copy and paste the script listed under the instructions into Notepad and save it with the .ADM extension.
Log into RADDC02 and go to Start>>Administrative Tools>>Group Policy Management.
In the left pane select Computer Configuration>>Administrative Templates. Right-click Administrative Templates and select Add/Remove Templates.
Click on Add, go to the folder where you saved the .ADM file and add it in the Add/Remove Templates window.
In GPEdit.msc (or any other GPO Editor window you're using) click on View > Filtering.
Click to un-select the "Only show policy settings that can be fully managed" check-box. Click Ok.
Click on Computer Configuration>>Administrative templates>>Custom Policy Settings>>Restrict Drives>>Disable USB Removable Drivers.
Select Enabled from the drop-down menu; for the usbstor.sys driver status select Stopped.
Creating a new registry entry in the local computer through GPO
Go to Computer Configuration>>Windows Settings>>Registry. Right-click, select Add Key, select MACHINE>>SYSTEM>>CurrentControlSet>>Services>>USBSTOR>>Security, then click OK.
Under Object Name double-click MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Security and click on Edit Security.
Click on the desired Group or User names, select them and set Deny permissions for users. Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.
Click YES to the security warning. Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and since we are applying the permission directly to a file we don't need to worry about inheritance from this object.
Modifying USBSTOR files
Go to Computer Configuration>>Administrative Templates>>File System. Right-click, select Add File and go to the following paths: "C:\Windows\Inf\Usbstor.pnf" and "C:\Windows\Inf\Usbstor.inf". Double-click both entries and follow the instructions.
Click on the desired Group or User names, select them and set Deny permissions for users. Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.
Click YES to the security warning. Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and since we are applying the permission directly to a file we don't need to worry about inheritance from this object.
Go to Run and type cmd; in the cmd window type "gpupdate /force". This will push the GPO out to the computers right away instead of waiting for 90 minutes, which is when the GPO checks for updates by default.
http://support.microsoft.com/kb/823732
http://www.grouppolicy.biz/2010/02/how-to-use-group-policy-to-disable-usb-drives-on-windows-xp
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
; Each policy below writes the Start value of one driver service.
; Start 4 = disabled; the DEFAULT item restores the service's normal start type.
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
; cdrom.sys normally starts at system start (1), not on demand (3).
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
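As an added example (not part of the original page or the .ADM author's material), this PowerShell audit reads back what the steps above are supposed to produce on a client: the Start values of the four driver services the .ADM controls, whether each driver is currently loaded, and the ACLs on the two usbstor files that the tutorials restrict. It assumes Windows PowerShell 3 or later (for Get-CimInstance) and local administrator rights.

```powershell
# Audit the registry values and file ACLs written by the USB lockdown GPO.
# Assumptions: run elevated on the client after gpupdate; PowerShell 3+.

# Meaning of the Start value each policy in the .ADM writes.
$StartMeaning = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual (demand start)'; 4 = 'Disabled' }

# The four driver services covered by the .ADM; "Enabled" in the policy sets Start = 4.
$Drivers = 'USBSTOR', 'Cdrom', 'Flpydisk', 'Sfloppy'

function Get-DriverStartState {
    foreach ($name in $Drivers) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $drv   = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Driver  = $name
            Start   = $start
            Meaning = if ($null -eq $start) { 'key missing' } else { $StartMeaning[[int]$start] }
            Loaded  = if ($drv) { $drv.State } else { 'not installed' }
            Locked  = ($start -eq 4)   # True only when the policy really disabled the driver
        }
    }
}

# The two files the tutorials restrict (SYSTEM access removed, or Deny added for users).
function Get-UsbstorFileAcl {
    foreach ($file in "$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf") {
        if (-not (Test-Path $file)) { continue }
        $acl = Get-Acl -Path $file
        $systemAllow = $acl.Access | Where-Object {
            $_.IdentityReference -like '*SYSTEM' -and $_.AccessControlType -eq 'Allow' }
        $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited }
        [pscustomobject]@{
            File         = $file
            SystemAllow  = [bool]$systemAllow      # True means step 4 (remove SYSTEM) was not applied
            ExplicitDeny = ($denies | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}

Get-DriverStartState | Format-Table -AutoSize
Get-UsbstorFileAcl   | Format-Table -AutoSize
# A driver you enabled the policy for that still shows Locked = False after
# "gpupdate /force" means the GPO did not apply (filtering view, link, or
# replication); confirm which GPOs were applied with "gpresult /r".
```

Remember that a disabled driver only takes effect for devices plugged in afterwards; a USB disk that was already mounted stays usable until it is removed, so the Loaded column is worth checking alongside Start.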