I believe this is a problem that many administrators in enterprise management want to solve. After several days of exploration, I arrived at the following method.
There are two cases, and both must be handled at the same time.
1. If no USB device has been installed on the client yet:
In this case, the USB driver has not been loaded in Windows, so you must deny the client permission to load the driver. To do this:
Add the following two files under Security Settings > File System in the Group Policy.
%SystemRoot%\Inf\usbstor.inf
%SystemRoot%\Inf\usbstor.pnf
On these two files, set system users and domain users to deny access.
2. If a USB device has already been installed on the client:
Because the driver is already installed in Windows, the previous method does not work.
The solution is the following custom template:
; Sets the Start value of the usbstor service:
;   3 = driver loads on demand (USB storage works)
;   4 = driver disabled (USB storage blocked)
CLASS MACHINE
CATEGORY !!Category
  CATEGORY !!Categoryname
    POLICY !!Policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\usbstor"
      EXPLAIN !!Explaintextusb
      PART !!Labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[Strings]
Category="Mobile storage device policy"
Categoryname="Removable Drive"
Policynameusb="Disable USB"
Policynamecd="Disable Optical Drive"
Policynameflpy="Disable soft drive"
Policynamels120="Disable high-density soft drive"
Explaintextusb="Disables USB ports on a computer by disabling the usbstor.sys driver file"
Explaintextcd="Disables the computer's CD-ROM drive by disabling the cdrom.sys driver"
Explaintextflpy="Disables the computer's floppy drive by disabling the flpydisk.sys driver"
Explaintextls120="Disables the computer's high capacity floppy drive by disabling the sfloppy.sys driver"
Labeltextusb="Disable USB port"
Labeltextcd="Disable CD-ROM drive"
Labeltextflpy="Disable Floppy Drive"
Labeltextls120="Disable high capacity Floppy Drive"
Enabled="Activate"
Disabled="disabled"
Save the above content as a file with the .adm extension and load it as a template in the Group Policy editor. An additional policy then appears in your group policy. Note: if you do not see it, open the View menu, go to the filter settings, and clear the option that shows only policy settings that can be fully managed. You can then publish this policy.
Load this template under the computer configuration's templates, because it modifies the HKEY_LOCAL_MACHINE part of the registry.
For detailed working principles, see
http://support.microsoft.com/default.aspx?scid=kb;...
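To confirm on a client that both measures are in effect, the following read-only PowerShell audit can be run from an elevated prompt. It is an added example, not part of the original article; the function names are hypothetical, and it only reports whether any Deny entry exists on the two files, not which groups the policy was meant to cover.

```powershell
# Added example (not from the original article): read-only audit of both cases.
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$infFiles   = 'usbstor.inf', 'usbstor.pnf' |
    ForEach-Object { Join-Path $env:SystemRoot "Inf\$_" }

function Get-UsbStorStartState {
    # Case 2: the template sets Start = 4 (disabled); 3 means load on demand.
    $key = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
    if ($null -eq $key) { $state = 'driver never installed; case 1 ACLs must hold' }
    elseif ($key.Start -eq 4) { $state = 'disabled' }
    else { $state = "NOT disabled (Start = $($key.Start))" }
    [pscustomobject]@{ Item = $serviceKey; State = $state }
}

function Get-UsbStorFileDenyState {
    # Case 1: each driver setup file should carry at least one Deny entry.
    foreach ($path in $infFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            $state = 'file not present'
        } else {
            try {
                $deny = (Get-Acl -LiteralPath $path -ErrorAction Stop).Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' }
                if ($deny) {
                    $names = $deny | ForEach-Object { $_.IdentityReference.Value } |
                        Sort-Object -Unique
                    $state = 'Deny: ' + ($names -join ', ')
                } else {
                    $state = 'NO Deny entry'
                }
            } catch {
                # A Deny that covers the auditing account can also block reading the ACL.
                $state = "ACL unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Item = $path; State = $state }
    }
}

@(Get-UsbStorStartState) + @(Get-UsbStorFileDenyState) | Format-Table -AutoSize -Wrap
```

A client is only covered when the service row reads "disabled" (or the driver was never installed) and both file rows show a Deny entry, since the two measures protect different cases.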