Disabling USB Flash Drives with GPO is not working. Server 2003 domain and XP workstations.

Hello,

I am trying to implement a GPO that will disable users from being able to plug in USB flash drives into designated workstations. I have looked at a majority of the other popular articles to no avail.

I have created a test environment. I have created an OU that has blocked inheritance. Inside that OU there is a folder labeled Computer and one labeled User. I created a new user account and dropped it into the User folder and I migrated a test machine into the Computer folder. I then linked both the Computer and User to the test GPO and enabled it.

The GPO itself has everything configured under Computer Configuration > Windows Settings > Security Settings > File System to deny full access to usbstor.inf and usbstor.PNF for the SYSTEM and COMPUTER NAME\USER accounts. As far as I can tell this works fine...

The real problem is with the registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start. The GPO is set under User Configuration > Preferences > Windows Settings > Registry with the following entry:

Action: Replace

Hive: HKEY_LOCAL_MACHINE

Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR

Value name: Start

Value type: REG_DWORD

Value data: 4

Base: Hexadecimal

When I log into the test PC with the test user account I can go into the registry and see that the value is still set for 3!

I have tried to change the Action: Replace to Action: Update. I have also tried to implement the .adm file listed here: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

This did not work either.

I am able to manually change the value to a 4 and then it properly disables the ability to use a flash drive.

It seems to be an issue with permissions or something. Any ideas?

July 11th, 2013 9:47pm

Hi,

Please try running a Group Policy Results report on the computer that is having issues using GPMC...

Post the result to here.

Thanks.

Regards.

July 12th, 2013 10:48pm

Hello

In order to restrict access to USB flash drives for Windows XP clients, you not only have to apply the appropriate group policy but also have to modify the permissions of two system files which are related to accessing USB flash drives. They are usbstor.sys and usbstor.inf.

For more information check the link below:

Regards.

 

July 13th, 2013 1:34am
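
A read-only check of the settings discussed in this thread (the USBSTOR `Start` value and the deny entries on usbstor.inf and usbstor.PNF), to run on the workstation after a policy refresh. This is an added example, not code from any poster in the thread; it assumes PowerShell 2.0 or later is installed on the workstation and that the driver files sit under `%SystemRoot%\inf`.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$serviceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$infDir      = Join-Path $env:SystemRoot 'inf'          # assumed default location
$driverFiles = 'usbstor.inf', 'usbstor.PNF' | ForEach-Object { Join-Path $infDir $_ }

# Standard meanings of a service/driver Start value
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UsbStorStart {
    # Returns the DWORD as an int, or $null when the key or value is absent
    $item = Get-ItemProperty -Path $serviceKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Start
}

function Get-DenyEntries([string]$Path) {
    # Returns the explicit or inherited Deny ACEs on a file (empty if file is missing)
    if (-not (Test-Path -Path $Path)) { return @() }
    (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
}

$start = Get-UsbStorStart
if ($null -eq $start) {
    Write-Output 'USBSTOR\Start: value not found'
} else {
    Write-Output ('USBSTOR\Start = {0} ({1})' -f $start, $startNames[$start])
    if ($start -ne 4) {
        Write-Output '  -> the registry item from the GPO has not taken effect'
    }
}

foreach ($file in $driverFiles) {
    $deny = @(Get-DenyEntries $file)
    if ($deny.Count -eq 0) {
        Write-Output ('{0}: no Deny entries (or file not present)' -f $file)
    } else {
        foreach ($ace in $deny) {
            Write-Output ('{0}: Deny {1} for {2}' -f $file, $ace.FileSystemRights, $ace.IdentityReference)
        }
    }
}
```

Comparing this output with the Group Policy Results report requested above shows whether the file-permission part and the registry part of the GPO were each applied.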
