Disable USB in Domain Policy
The documents and templates can be downloaded from http://pan.baidu.com/s/1qYTcjTy
pro_usb_users.adm: this template disables the specified drive letters; it is for user policy.
pro_usb_computers.adm: this template is intended for computers. Generally, it is enough.
You can approach this from three aspects.
An adm configuration file appears to modify the local group policy; in fact, it is implemented by modifying the registry.
We keep only drives A, B, C, D and E. The other drive letters cannot be viewed or read/written.
Server: 2003
Client: XP SP3. Drive E is the optical drive and drive F is the USB flash drive.
Method 1 (not recommended)
Two registry values are required.
NoDrives: hides the drive (it is not displayed in My Computer; if NoViewOnDrive is not set, the drive can still be opened directly by its full path).
NoViewOnDrive: prevents access (in fact, the drive can still be accessed through the command line).
Each drive letter has one bit. If the bit is 0, the drive is enabled. If the bit is 1, it is not enabled.
You can lay out the bits for the drives you want to hide in Excel, copy the binary number into Calculator, and convert it to hexadecimal.
Result: 3FFFFE0
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffe0
"NoViewOnDrive"=dword:03ffffe0
In this way, the drives other than A, B, C, D and E are not displayed and cannot be read or written (but they can still be accessed from the command line).
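The Excel-and-Calculator step above can be done in code. The following is an added example, not part of the original post: it builds the 26-bit mask from the drive letters to keep, decodes a mask back into letters, and prints the value both as the hexadecimal dword a .reg file uses and as the decimal number an adm ITEMLIST entry uses. The function names and the string name passed to adm_item are assumptions made for this example.

```python
import string

LETTERS = string.ascii_uppercase  # bit 0 = A, bit 1 = B, ... bit 25 = Z

def drive_mask(restricted):
    """OR together one bit per restricted drive letter."""
    mask = 0
    for letter in restricted:
        mask |= 1 << LETTERS.index(letter.upper())  # ValueError if not A-Z
    return mask

def mask_for_allowed(allowed):
    """Restrict every drive letter that is not listed in `allowed`."""
    keep = {c.upper() for c in allowed}
    return drive_mask(c for c in LETTERS if c not in keep)

def restricted_letters(mask):
    """Decode a NoDrives/NoViewOnDrive value back into drive letters."""
    if not 0 <= mask < 1 << 26:
        raise ValueError("only the low 26 bits are drive letters")
    return "".join(c for i, c in enumerate(LETTERS) if mask >> i & 1)

def reg_lines(mask):
    """The two values as a .reg file writes them (hexadecimal dword)."""
    return [f'"{name}"=dword:{mask:08x}' for name in ("NoDrives", "NoViewOnDrive")]

def adm_item(string_name, mask):
    """The same value as an adm ITEMLIST entry (decimal)."""
    return f"NAME !!{string_name} VALUE NUMERIC {mask}"

if __name__ == "__main__":
    mask = mask_for_allowed("ABCDE")  # keep A-E, restrict F-Z
    print(hex(mask), mask, restricted_letters(mask))
    print("\n".join(reg_lines(mask)))
    print(adm_item("Exceptabcde", mask))  # string name is a placeholder
```
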
The second is to modify the usbhub (old systems) and USBSTOR (usbstor.sys) service entries.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbhub]
"Start"=dword:00000004

Official documentation: https://support.microsoft.com/zh-cn/kb/823732
Note:
When you modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and set Start to 4, the value changes back to 3 each time a new device is connected. Only after the policy is refreshed again will the USB device not be recognized the next time it is connected.
Of course, if the USB traces are cleared, for example with the USB Viewer tool, the device is recognized again.
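Because Start can fall back to 3 between policy refreshes, it is worth checking clients for drift. The following is an added example, not part of the original post: it parses the text of a .reg export and reports every value that differs from the settings used on this page. The sample export is constructed, and the function names and baseline layout are assumptions made for this example.

```python
import re

# Baseline taken from the values on this page; names are compared case-insensitively.
BASELINE = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR": {"Start": 4},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoDrives": 0x03FFFFE0, "NoViewOnDrive": 0x03FFFFE0},
}

# Constructed sample: Start has gone back to 3 and NoViewOnDrive was never set.
# A real regedit export is UTF-16, so read it with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
"Start"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffe0
'''

def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text, baseline=BASELINE):
    """List (key leaf, value name, found, expected); found is None when missing."""
    seen = parse_reg(text)
    findings = []
    for key, values in baseline.items():
        for name, want in values.items():
            got = seen.get(key.lower(), {}).get(name.lower())
            if got != want:
                findings.append((key.rsplit("\\", 1)[-1], name, got, want))
    return findings

if __name__ == "__main__":
    for leaf, name, got, want in audit(SAMPLE_EXPORT):
        print(f"{leaf}\\{name}: found {got}, expected {want}")
```
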
Now that we know which registry values are modified, we can start writing the adm file.
The template file can be downloaded from https://support.microsoft.com/en-us/kb/555324, but note that it starts with CLASS MACHINE, that is, it is a computer configuration template. For computer configuration, you need to restart the PC.
The first option disables drive letters for the user, so it is enough to log the user off. Save the adm file with UCS-2 encoding, otherwise garbled characters will appear.
The registry values above were written in hexadecimal; in the adm file they have to be converted to decimal.
On the domain controller, create a GPO user template that references this rule, and save it as xx.adm.
---------------- Copy the following ----------------------------
CLASS USER
CATEGORY !!Category
  CATEGORY !!Categoryname
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    POLICY !!PolicyNoDrives
      EXPLAIN !!Explaindrives
      PART !!Labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "NoDrives"
        ITEMLIST
          NAME !!ABOnly VALUE NUMERIC 3
          NAME !!COnly VALUE NUMERIC 4
          NAME !!DOnly VALUE NUMERIC 8
          NAME !!ABConly VALUE NUMERIC 7
          NAME !!ABCDOnly VALUE NUMERIC 15
          NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
          ; In this example, all drive letters except ABCDE are hidden.
          NAME !!Exceptabcde VALUE NUMERIC 67108832
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!PolicyNoViewOnDrives
      EXPLAIN !!NoViewOnDrive_Help
      PART !!NoDrivesDropdown DROPDOWNLIST NOSORT REQUIRED
        VALUENAME "NoViewOnDrive"
        ITEMLIST
          NAME !!ABOnly VALUE NUMERIC 3
          NAME !!COnly VALUE NUMERIC 4
          NAME !!DOnly VALUE NUMERIC 8
          NAME !!ABConly VALUE NUMERIC 7
          NAME !!ABCDOnly VALUE NUMERIC 15
          NAME !!ALLDrives VALUE NUMERIC 67108863 DEFAULT
          ; Low 26 bits on (1 bit per drive)
          ; All drive letters except ABCDE are disabled here
          NAME !!Exceptabcde VALUE NUMERIC 67108832
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY
[Strings]
ABOnly="only restrict drive A and drive B"
ABCDOnly="restrict only drive A, B, C, and D"
COnly="restrict drive C only"
DOnly="restrict drive D only"
ABConly="restrict drive A, drive B, and drive C only"
ALLDrives="restrict all drives"
Exceptabcde="restrict all drives except A, B, C, D, and E"
Category="Disable drive letter"
Categoryname="Restrict Drives"
PolicyNoDrives="hide these drive letters in my computer"
Explaindrives="select the drive letter to be disabled based on your situation"
Labeltextusb="enable drive letter"
PolicyNoViewOnDrives="preventing access to the drive from my computer"
NoViewOnDrive_Help="prevents users from using my computer to access the content of the selected drive."
NoDrivesDropdown="select one of the following combinations"
---------------- Copy the above ----------------------------
Then enable the policy and select "restrict all drives except A, B, C, D, and E", run gpupdate /force on the client, and then run rsop.msc to view the policy that was received.
Combine this policy with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor.
With Start equal to 4, this can cope with ordinary users.
--------------- Copy the following (this is a computer policy) ----
CLASS MACHINE
CATEGORY !!Category
  CATEGORY !!Categoryname
    ; Start = 4 disables the driver service; 3 (1 for Cdrom) leaves it at its normal start type
    POLICY !!Policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!Explaintextusb
      PART !!Labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!Allusb_usbhub
      KEYNAME "SYSTEM\ControlSet001\Services\usbhub"
      EXPLAIN !!Explain_USBSTOR
      PART !!Labusb_USBSTOR DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!Allusb_USBSTOR
      KEYNAME "SYSTEM\ControlSet001\Services\USBSTOR"
      EXPLAIN !!Explain_USBSTOR
      PART !!Labusb_USBSTOR DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!Policynammcm
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!Explaintextcd
      PART !!Labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!Policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!Explaintextflpy
      PART !!Labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
    POLICY !!Policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!Explaintextls120
      PART !!Labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY
[Strings]
Category="Disable_USB"
Categoryname="Restrict Drives"
Allusb_USBSTOR="disable USBSTOR"
Allusb_usbhub="disable usbhub"
Policynameusb="Disable USB"
Policynammcm="Disable CD-ROM"
Policynameflpy="Disable Floppy"
Policynamels120="Disable High Capacity Floppy"
Explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
Explain_USBSTOR="Disables usb"
Explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
Explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
Explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
Labeltextusb="Disable USB Ports"
Labusb_USBSTOR="Disable USB Ports"
Labeltextcd="Disable CD-ROM Drive"
Labeltextflpy="Disable Floppy Drive"
Labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
--------------- Copy the above ----------
You can also use a batch file to modify the registry. If you prefer to write adm files, they let you choose the values dynamically.
------------ User -------
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108832 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108832 /f
----------- Computer ---------
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
The second approach starts with the driver files and should be placed in the computer configuration.
Restrict access to the following two files in the file system:
(I leave only the "Administrators" and "SYSTEM" groups with read permission; the other groups have no read permission. Be sure to add the Everyone group, with read denied; Power Users for common Domain Users.)
%SystemRoot%\inf\usbstor.inf
%SystemRoot%\inf\usbstor.PNF
Then go to the client and check the result.
However, with this solution, if you swap a USB keyboard, mouse, or printer, this dialog also pops up. Enter the user name and password of an account with permission to read the usbstor.inf and usbstor.PNF files.
Solution 2 does not take effect on Windows 7 clients.
But the first one is effective under Windows 7.
After the computer configuration is enabled, USB is disabled on Windows 7.
--------------------------I am a split line -----------------------------
Change the environment:
Server: 2008 R2
Client: XP SP3
Then, use a computer template to disable USB on XP.
On 2008 R2, we set up a GPO for disabling the USB driver (for example).
The resultant set of policy on XP shows that it takes effect, as shown in the figure.
However, when Windows 7 is used as the client, USB is not effectively disabled.
2008 R2 adds a new policy option for removable storage, which can be used to disable USB.
In this case the policy is linked to the user OU (I linked it to the computer OU; under gpresult /v the policy is retrieved successfully).
XP can receive the domain policy but cannot apply it. Presumably the version is too old to use this function.
However, Windows 7 works well.
Therefore, it is better to write template files if you want to be compatible with both XP and Windows 7.
Select the pro_usb_computers.adm template and attach it to the computer policy. Whether the server is 2003 or 2008 R2, and whether the client is XP or Windows 7, it takes effect.