The ad domain controller prohibits USB devices through Group Policy

Question: How do I disable a USB port device in a domain environment?

The first: In the traditional way, disable USB in the BIOS.

The second type:

Microsoft Technical Support Answer: According to your needs, Windows recognized USB device mainly through two files, one is USBSTOR.PNF, the other is Usbstor.inf, when the computer first use USB device before disabling these two files can reach our goal.
1. Open Active Directory Users and Computers;
2, select the OU that need to disable the USB device, and click the right mouse button to Group Policy;
3. Create a GPO for USB and click Edit to open the Group Policy Editor;
4. Enter the Group Policy Editor and expand Computer Configuration, Windows settings, security settings, and file system.
5, right click "Add Files", pop "Add Files and Folders", enter "%systemroot%\inf\usbstor.inf" in the "Folder" field, OK; You see articles from Active Directory SEO/http/ Gnaw0725.blog.51cto.com/156601/d-1
6, in "Database Security settings", delete all users, and add "Everyone", remove the default Allow "Read and execute", "List Folder Contents", "read", add deny "Full Control";
7, the "Add Objects" window, the default current settings, to re-edit security permissions, you can click on "Edit Security Settings" to re-set, confirm, exit settings;
8, in addition, repeat 5, 6, 7 steps, to "%systemroot%\inf\usbstor." PNF "to set up;
9. Close the Group Policy Editor;
10, use "Gpupdate/force", forcibly refresh the policy.

The above method can only be used for computers that have not been using USB to take effect, if some computers in the enterprise have used a USB flash drive and other devices, it will also need to modify the registry to achieve the purpose. Registry key values that need to be modified are located at:
Hkey_local_machine\system\currentcontrolset\services\usbstor
Under Windows 2000, the key value is Hkey_local_machine\system\currentcontrolset\services\usbhub,
Open the registry location above, we can see the key value of start, we need to modify the key value to 4, by default 3 (3 means manual, 2 is automatic, 4 means deactivate), to use Group Policy to deploy, you need to use a script to run it.

In addition, the following Microsoft documentation provides information about:
823732: How to disable the USB storage device
Http://support.microsoft.com/kb/823732/zh-cn

Zhao (Ken Zhao) Microsoft Global Technical Support Center

The ad domain controller prohibits USB devices through Group Policy