How to disable USB in Windows 2003 Domain Controller Group Policy
1. Disable the USB registry directly.
Go
HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/usbstor
There is a key value named start on the right.
Double-click it and change the value to 4 USB to disable it.
You only need to change 4 to 3 for the next recovery.
Ii. Copy the content in the lower slash to a text document and save it. ADM file, then open the ou group policy you want to restrict, expand "user configuration, manage template", right-click the management template, add/delete template, import the saved ADM file! Now all users under this ou cannot use USB storage devices! (Third-party software gfi languard portable storage control. V2.0 can also be used in the domain environment ).
//////////////////////////////////////// //////////////
Class user
CATEGORY !! Admdesc
Policy !! Mmc_devicemanagerx
Keyname "software/policies/Microsoft/MMC/{90087284-d6d6-11d0-8353-00a0c90640bf }"
# If version> = 4
Supported !! Supported_win2k
# Endif
Explain !! Mmc_restrict_explain
Valuename "restrict_run"
Valueon numeric 0
Valueoff numeric 1
End Policy
Policy !! Mmc_devicemanager
Keyname "software/policies/Microsoft/MMC/{74246bfc-4c96-11d0-abef-0020af6b0b7a }"
# If version> = 4
Supported !! Supported_win2k
# Endif
Explain !! Devmgr_restrict_explain
Valuename "restrict_run"
Valueon numeric 0
Valueoff numeric 1
End Policy
End category
Class Machine
CATEGORY !! Admdesc
Policy !! Usb_uhcd_params
Keyname "system/CurrentControlSet/services/uhcd"
Explain !! Startuptype_help
Part !! Startuptype numeric required
Valuename "start"
Min 3 max 4 default 3
End Part
End Policy
Policy !! Usb_uhci_params
Keyname "system/CurrentControlSet/services/usbuhci"
Explain !! Startuptype_help
Part !! Startuptype numeric required
Valuename "start"
Min 3 max 4 default 3
End Part
End Policy
Policy !! Usb_ehci_params
Keyname "system/CurrentControlSet/services/usbehci"
Explain !! Startuptype_help
Part !! Startuptype numeric required
Valuename "start"
Min 3 max 4 default 3
End Part
End Policy
Policy !! Usb_hub
Keyname "system/CurrentControlSet/services/usbhub"
Explain !! Startuptype_help
Part !! Startuptype numeric required
Valuename "start"
Min 3 max 4 default 3
End Part
End Policy
Policy !! Cd_rom
Keyname "system/CurrentControlSet/services/CDROM"
Explain !! Startuptype_help
Part !! Startuptype numeric required
Valuename "start"
Min 3 max 4 default 3
End Part
End Policy
Policy !! Floppy_disk
Keyname "system/CurrentControlSet/services/flpydisk"
Explain !! Startuptype_help
Part !! Startuptype numeric required
Valuename "start"
Min 3 max 4 default 3
End Part
End Policy
End category
[Strings]
Admdesc = "custom policy"
Mmc_devicemanagerx = "Device Manager extension"
Mmc_devicemanager = "Device Manager"
Supported_win2k = "at least Microsoft Windows 2000"
Mmc_restrict_explain = "Disable -- disable the Device Manager extension; Enable -- enable the Device Manager extension"
Devmgr_restrict_explain = "Disable -- disable the Device Manager; Enable -- enable the Device Manager"
Usb_uhcd_params = "USB universal master controller drive"
Startuptype_help = "Startup type, 3-manual, 4-Disabled"
Startuptype = "Startup Type"
Usb_ehci_params = "Microsoft USB 2.0 enhanced host controller miniport driver"
Usb_uhci_params = "Microsoft USB universal host controller miniport driver"
Usb_hub = "Microsoft USB standard hub driver"
Cd_rom = "Optical Drive"
Floppy_disk = "soft drive"
//////////////////////////////////////// //////////////////
3. Another method is to import a registry file to each sub-machine when the sub-machine starts up. The file content is:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/usbstor]
"Start" = DWORD: 00000004
Add the following information to ou's computer configuration-Windows Settings-Security Settings-registry:
HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/usbstor
In the permission settings of this registry key, delete all users! Only domain/administrator users are left!
4. Disable and manage USB interfaces in Windows XP
1. No USB device is installed on the computer
In this case, you can set user control for the usbstor. PNF and usbstor. INF files under % SystemRoot % INF.
Limits.
Step 1: Right-click the two files and select "Properties> Security> advanced". On the "Permissions" Page, cancel the tasks that can be inherited from the parent
Permission items that use sub-objects, including those explicitly defined here.
Step 2: On the "Security" Page, select the user or user group to be blocked, select the "deny" check box in "full control", and then
Click OK ".
By assigning permissions, you can specify which users can use USB devices, which users cannot use USB devices, and
"General methods for Windows NT and above" have the same flexibility. Therefore, we recommend that you use this method to restrict the installation of USB devices.
2. a USB device is installed on the computer.
In this case, you can modify the registry. The method is to modify the Registry
The "start" value in hkey_local_machinesystemcurrentcontrolsetservicesusbstor is changed to hexadecimal
The value is "4 ".
After this method is modified, the USB storage device cannot run when you connect it to your computer.
V. general methods for Windows NT and above
Run registry editor, find the hkey_local_machinesystemcontrolset002servicesusbstor key, and cancel
All control of system. To assign control permissions, you only need to set control permissions for the corresponding users.
TIPS: to set the control permission for the registration table in Windows, you must use the regedt32.exe Registry Editor.