How to disable USB using a group policy in the domain controller

How to disable USB in Windows 2003 Domain Controller Group Policy
1. Disable the USB registry directly.

Go

HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/usbstor

There is a key value named start on the right.

Double-click it and change the value to 4 USB to disable it.

You only need to change 4 to 3 for the next recovery.

Ii. Copy the content in the lower slash to a text document and save it. ADM file, then open the ou group policy you want to restrict, expand "user configuration, manage template", right-click the management template, add/delete template, import the saved ADM file! Now all users under this ou cannot use USB storage devices! (Third-party software gfi languard portable storage control. V2.0 can also be used in the domain environment ).

//////////////////////////////////////// //////////////

Class user

CATEGORY !! Admdesc

Policy !! Mmc_devicemanagerx

Keyname "software/policies/Microsoft/MMC/{90087284-d6d6-11d0-8353-00a0c90640bf }"

# If version> = 4

Supported !! Supported_win2k

# Endif

Explain !! Mmc_restrict_explain

Valuename "restrict_run"

Valueon numeric 0

Valueoff numeric 1

End Policy

Policy !! Mmc_devicemanager

Keyname "software/policies/Microsoft/MMC/{74246bfc-4c96-11d0-abef-0020af6b0b7a }"

# If version> = 4

Supported !! Supported_win2k

# Endif

Explain !! Devmgr_restrict_explain

Valuename "restrict_run"

Valueon numeric 0

Valueoff numeric 1

End Policy

End category

Class Machine

CATEGORY !! Admdesc

Policy !! Usb_uhcd_params

Keyname "system/CurrentControlSet/services/uhcd"

Explain !! Startuptype_help

Part !! Startuptype numeric required

Valuename "start"

Min 3 max 4 default 3

End Part

End Policy

Policy !! Usb_uhci_params

Keyname "system/CurrentControlSet/services/usbuhci"

Explain !! Startuptype_help

Part !! Startuptype numeric required

Valuename "start"

Min 3 max 4 default 3

End Part

End Policy

Policy !! Usb_ehci_params

Keyname "system/CurrentControlSet/services/usbehci"

Explain !! Startuptype_help

Part !! Startuptype numeric required

Valuename "start"

Min 3 max 4 default 3

End Part

End Policy

Policy !! Usb_hub

Keyname "system/CurrentControlSet/services/usbhub"

Explain !! Startuptype_help

Part !! Startuptype numeric required

Valuename "start"

Min 3 max 4 default 3

End Part

End Policy

Policy !! Cd_rom

Keyname "system/CurrentControlSet/services/CDROM"

Explain !! Startuptype_help

Part !! Startuptype numeric required

Valuename "start"

Min 3 max 4 default 3

End Part

End Policy

Policy !! Floppy_disk

Keyname "system/CurrentControlSet/services/flpydisk"

Explain !! Startuptype_help

Part !! Startuptype numeric required

Valuename "start"

Min 3 max 4 default 3

End Part

End Policy

End category

[Strings]

Admdesc = "custom policy"

Mmc_devicemanagerx = "Device Manager extension"

Mmc_devicemanager = "Device Manager"

Supported_win2k = "at least Microsoft Windows 2000"

Mmc_restrict_explain = "Disable -- disable the Device Manager extension; Enable -- enable the Device Manager extension"

Devmgr_restrict_explain = "Disable -- disable the Device Manager; Enable -- enable the Device Manager"

Usb_uhcd_params = "USB universal master controller drive"

Startuptype_help = "Startup type, 3-manual, 4-Disabled"

Startuptype = "Startup Type"

Usb_ehci_params = "Microsoft USB 2.0 enhanced host controller miniport driver"

Usb_uhci_params = "Microsoft USB universal host controller miniport driver"

Usb_hub = "Microsoft USB standard hub driver"

Cd_rom = "Optical Drive"

Floppy_disk = "soft drive"

//////////////////////////////////////// //////////////////

3. Another method is to import a registry file to each sub-machine when the sub-machine starts up. The file content is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/usbstor]

"Start" = DWORD: 00000004

Add the following information to ou's computer configuration-Windows Settings-Security Settings-registry:

HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/usbstor

In the permission settings of this registry key, delete all users! Only domain/administrator users are left!

4. Disable and manage USB interfaces in Windows XP

1. No USB device is installed on the computer

In this case, you can set user control for the usbstor. PNF and usbstor. INF files under % SystemRoot % INF.

Limits.

Step 1: Right-click the two files and select "Properties> Security> advanced". On the "Permissions" Page, cancel the tasks that can be inherited from the parent

Permission items that use sub-objects, including those explicitly defined here.

Step 2: On the "Security" Page, select the user or user group to be blocked, select the "deny" check box in "full control", and then

Click OK ".

By assigning permissions, you can specify which users can use USB devices, which users cannot use USB devices, and

"General methods for Windows NT and above" have the same flexibility. Therefore, we recommend that you use this method to restrict the installation of USB devices.

2. a USB device is installed on the computer.

In this case, you can modify the registry. The method is to modify the Registry

The "start" value in hkey_local_machinesystemcurrentcontrolsetservicesusbstor is changed to hexadecimal

The value is "4 ".

After this method is modified, the USB storage device cannot run when you connect it to your computer.

V. general methods for Windows NT and above

Run registry editor, find the hkey_local_machinesystemcontrolset002servicesusbstor key, and cancel

All control of system. To assign control permissions, you only need to set control permissions for the corresponding users.

TIPS: to set the control permission for the registration table in Windows, you must use the regedt32.exe Registry Editor.