Introduction
I was recently asked a question about my entry on this post (https://community.spiceworks.com/topic/430901-usb-lockdown-thoughts-ideas?page=1) regarding the method I use to lock down USB storage while still allowing devices, such as smartphones and tablets, to charge on the USB ports.
Steps (4 total)
Open Active Directory Users and Computers and create two appropriately named security groups.
It might be useful to locate these groups in a dedicated container for GPO linking purposes. However, we will be using item-level targeting, so this is not a mandatory requirement.
Open Group Policy Editor and create your GPOs.
Name them appropriately, such as USB_LOCK and USB_OPEN.
You can use either user-based or computer-based settings for this to work, and there are advantages and disadvantages to each.
Edit each of the policies and navigate to item-level targeting. Assign each respective policy to the corresponding security group (for example, the USB_LOCK group is selected in the USB_LOCK GPO).
Add the following registry key to each of the policies as appropriate.
USB_LOCK:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
USB_OPEN:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
You will need to either wait for GPUpdate to run in your environment, or force it to run before the settings take effect.
To remove a user's (or PC's) access to USB storage devices, place the user (or computer) object into the LOCK security group you created in step 1.
To allow access, place the user object into the OPEN group.
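To confirm the result on a workstation after GPUpdate has run, the script below reads the USBSTOR Start value and compares it with the logged-on user's membership of the two groups. It is an added example, not part of the original guide; it assumes user-based targeting and that the security groups are named USB_LOCK and USB_OPEN, and the function names are hypothetical.

```powershell
# Added example: compare the effective USBSTOR setting with the USB_LOCK /
# USB_OPEN membership of the logged-on user.
# Assumptions: user-based item-level targeting; groups named USB_LOCK and USB_OPEN.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorState {
    # Start = 4 disables the USB storage driver; Start = 3 lets it load on demand.
    $item = Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    switch ([int]$item.Start) {
        4       { 'Locked' }
        3       { 'Open' }
        default { "Unexpected($($item.Start))" }
    }
}

function Get-UsbGroupMembership {
    # Group names from the current logon token, with the DOMAIN\ prefix removed.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1] }
        catch { }   # SIDs that cannot be resolved are skipped
    }
    $names | Where-Object { $_ -in 'USB_LOCK', 'USB_OPEN' }
}

function Test-UsbStorPolicy {
    $state  = Get-UsbStorState
    $groups = @(Get-UsbGroupMembership)
    # A user in both groups receives both registry items, so flag it as a conflict.
    if ($groups.Count -gt 1) { $expected = 'Conflict' }
    elseif ($groups -contains 'USB_LOCK') { $expected = 'Locked' }
    elseif ($groups -contains 'USB_OPEN') { $expected = 'Open' }
    else { $expected = 'Unmanaged' }
    # Conflict and Unmanaged never match a state, so they always show Compliant = False.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = $env:USERNAME
        Groups    = $groups -join ','
        Expected  = $expected
        Actual    = $state
        Compliant = ($expected -eq $state)
    }
}

Test-UsbStorPolicy
```

Group changes only appear in the logon token after the user signs in again, so run the check in a fresh session.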
Conclusion
The above guide provides a simple and zero cost solution to regain control of storage device access in almost all circumstances in a BYOD world.