My IT boys have been looking for a way to do this for a while. I don't think it is currently possible in a Windows world though I believe a future add-on is coming to deal with that.
I know you can do it at a machine level by changing the default hardware profile.
As for using GPO it is possible with 2003 enterprise server, pain in the bottom to find though.
You can perform this with a GPO and it would NOT disable all other USB devices. By setting the permissions on each local PC to three files:
Set DENY Permissions for Domain Users to:
%SYSTEMROOT%\INF\USBSTOR.INF
%SYSTEMROOT%\INF\USBSTOR.PNF
%SYSTEMROOT%\SYSTEM32\DRIVERS\USBSTOR.SYS
This will have to be added to the Security templates in the Machine part of the GPO.
By denying permissions to these files, the user will not be able to run the USB Mass Storage Driver. This will affect ANY storage device connected by USB.
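The file permissions described in the answer above can be checked or applied per machine with a short script. This is an added example, not code from the thread; the `-Identity` default (the current domain's Domain Users group) and the `-Apply` switch are assumptions made for illustration.

```powershell
# Added example, not from the thread. Audits (default) or applies (-Apply) a
# Deny entry on the three USB mass-storage driver files listed in the post.
param(
    [string]$Identity = "$env:USERDOMAIN\Domain Users",  # assumption: group to deny
    [switch]$Apply                                       # hypothetical switch: change ACLs
)

$files = @(
    "$env:SystemRoot\INF\USBSTOR.INF",
    "$env:SystemRoot\INF\USBSTOR.PNF",
    "$env:SystemRoot\SYSTEM32\DRIVERS\USBSTOR.SYS"
)

$results = foreach ($path in $files) {
    # A file that is not present cannot carry the ACL; report it instead of failing.
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Path = $path; Status = 'Missing' }
        continue
    }
    try {
        $acl = Get-Acl -LiteralPath $path
        # Look for an existing Deny entry for the chosen group.
        $hasDeny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $Identity
        }
        if ($hasDeny) {
            $status = 'DenyPresent'
        } elseif ($Apply) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, 'FullControl', 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $path -AclObject $acl
            $status = 'DenyAdded'
        } else {
            $status = 'DenyMissing'
        }
    } catch {
        # Typically insufficient rights to read or change the ACL.
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Path = $path; Status = $status }
}
$results | Format-Table -AutoSize
```

Run it from an elevated prompt. A Deny entry takes precedence over Allow entries, so administrators who are also members of the denied group are blocked as well.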
On my small network clients I use a program called ScriptLogic. It's basically a graphical GPO editor, but it's very easy to use and lets you set lots of things that you wouldn't even have thought to set through GPO, including not allowing USB drives.
Added complication: just spoke with them and I see why they haven't implemented anything yet. Disabling all USB ports would be disastrous since many devices use them: mice, cameras, printers, keyboards. Apparently they are testing a solution that is device-aware. If I find out what that is I'll let you know.
ScriptLogic is device aware. The amount of stuff you can configure with a few mouse clicks is pretty neat, and for small offices the overhead that it cuts in administration time is definitely worth the price.