1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Locking USB Storage Devices

Discussion in 'Software' started by hippy, Feb 27, 2008.

  1. hippy

    hippy Kilobyte Poster


    Ive made a GPO to lock USB storage devices for users.

    The following vbcode i insert into the login script i created already (maps network drives, home folder, printers per OU etc..)

    ---------------lock usb.vbs----------------------
    'Disable/Enable USB
    Option Explicit

    Dim CurrentUser, WshShell, strADUser, objADSysInfo, strGroup

    Set objADSysInfo = CreateObject("ADSystemInfo")

    strADUser = objADSysInfo.UserName

    Set WshShell = CreateObject("WScript.Shell")
    Set CurrentUser = GetObject("LDAP://" & strADUser)
    strGroup = LCase(Join(CurrentUser.MemberOf))

    Const User_Group = "cn=Domain Users"
    Const Admin_Group = "cn=Domain Admins"
    Const Admins = "cn=Administrators"

    If InStr(strGroup, lcase(Admin_Group)) or InStr(strGroup, lcase(Admins)) Then
    WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start", 3, "REG_DWORD"
    ElseIf InStr(strGroup, lcase(User_Group)) Then
    WshShell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start", 4, "REG_DWORD"
    End If

    Set WshShell = Nothing

    In the GPO i have inserted the security settings of:

    Computer Config:


    Each has full access for Domain Admins and IT
    Deny access to System.

    The Registry Key of:


    is set to allow users to modify it (because of the logon script)

    Now it does stop users using USB Storage devices and allows Admins/IT to use them still. The problem I have is if someone in IT or an Admin uses a USB storage device, leaves it in the machine, logs off and then a users logs on they can use that usb storage device. The registy key I change is for the Removable Storage Service, so if device is left in the service is still being used and so the service cant be stopped? Is there anyway around this? I want to take human error out of the equation.
  2. zebulebu

    zebulebu Terabyte Poster

    Niiiice script. Kudos - I've never managed to get a script to do this remotely as well as you are. In fact, I think if you are running in an environment secure enough to demand this, then you should seriously look at putting in DeviceWall or something similar. Every time I've configured this sort of restriction through GPOs I've had similar problems to what you describe and, tbh, I don't think there's an easy way round it. You can get a free utility called DeviceLock that will do what you want on a per-user basis, but I'm not sure about user error - this might be one of those things that you can't legislate for in a GPO. if you do find a workable solution, let us know - I'd love to test it on my home network as it will certainly come in useful for me in the future.
    Certifications: A few
    WIP: None - f*** 'em

Share This Page