Using Group Policy Objects to Disable USB and CD-ROM Drives

Mar 16th, 2009

This came up in one of the Usenet forums, so I decided to find a solution and post it on my blog. Credit goes to the original KB555324 article by MVP Simon Geary. By default, Windows Server 2003 group policies do not include an option that lets administrators disable the USB and CD drives for users in their domain. To accomplish this, a custom .adm template that adjusts registry settings has to be created. Here are the steps. This is a revised version of http://support.microsoft.com/kb/555324; I limited myself to just CD and USB drives. This post is provided AS IS. If you decide to use it, apply it in a test environment first and read more about Using Administrative Template Files with Registry-Based Group Policy.

I - Copy the file below and save it on your desktop as drive_enforce.adm
; drive_enforce.adm - sets the start type of the Cdrom and USBSTOR driver services.
; The registry value that controls a driver's start type is "Start":
;   1 = system start (Cdrom default), 3 = manual start (USBSTOR default), 4 = disabled.
; Use plain ASCII double quotes only; typographic quotes break the template.
CLASS MACHINE
CATEGORY !!driveenforce
 CATEGORY !!cdromset
  POLICY !!enforcecdrom
   KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
   EXPLAIN !!cdromexplainreason
     PART !!labeltextcd DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 1 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
 CATEGORY !!usbset
  POLICY !!enforceusb
   KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
   EXPLAIN !!usbexplainreason
     PART !!labeltextusb DROPDOWNLIST REQUIRED
       VALUENAME "Start"
       ITEMLIST
        NAME !!Disabled VALUE NUMERIC 3 DEFAULT
        NAME !!Enabled VALUE NUMERIC 4
       END ITEMLIST
     END PART
   END POLICY
 END CATEGORY
END CATEGORY

[strings]
driveenforce="Media Drive Settings"
cdromset="CDRom Settings"
usbset="USB Settings"
enforcecdrom="Disable CD-ROM"
enforceusb="Disable USB"
cdromexplainreason="Disables the CD-ROM drive.\n\nSelect 'Prevent' to disable the CD-ROM drive or 'Allow' to leave it enabled."
usbexplainreason="Disables the USB flash drive.\n\nSelect 'Prevent' to disable the USB flash drive or 'Allow' to leave it enabled."
labeltextcd="cdrom.sys driver status"
labeltextusb="usbstor.sys driver status"
Enabled="Prevent"
Disabled="Allow"

 

II - Copy or move the .adm file into your %windir%\inf folder (c:\windows\inf)

III - Open the GPMC and select the container and policy where you want this applied. In my case, I selected the standard users OU and chose Edit to open the Group Policy Editor.


IV - Right-click on the Administrative Settings on either the Computer or User configurations and select import new templates, add new, browse to your %windir%\inf folder, select the drive_enforce.adm file, and then close.


 

Browse Administrative tools to see the new custom settings:

USB Settings


CDROM Settings
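
A pre-import check for the template above, as an added example that is not part of the original post or of KB555324: it flags typographic quotes picked up when the text is copied from a web page, block keywords with no matching END line, and !!references with no [strings] entry. The function name lint_adm and the sample template are constructed for illustration, and string names are compared exactly as written.

```python
BLOCKS = ("CATEGORY", "POLICY", "PART", "ITEMLIST")

def lint_adm(text):
    """Return sorted (line_no, message) findings for a legacy .adm template."""
    findings, stack, refs, defined, in_strings = [], [], [], set(), False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or ADM comment
            continue
        if "\u201c" in line or "\u201d" in line:      # curly quotes from a web copy
            findings.append((no, "typographic quote, use plain ASCII quotes"))
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:                              # name="value" definitions
            defined.add(line.partition("=")[0].strip())
        else:
            refs += [(no, w[2:]) for w in line.split() if w.startswith("!!")]
            words = line.upper().split()
            if words[0] in BLOCKS:
                stack.append((no, words[0]))
            elif len(words) > 1 and words[0] == "END" and words[1] in BLOCKS:
                if words[1] not in [kind for _, kind in stack]:
                    findings.append((no, f"END {words[1]} has no opener"))
                    continue
                while (top := stack.pop())[1] != words[1]:   # blocks left open inside
                    findings.append((top[0], f"{top[1]} is never closed"))
    findings += [(opened, f"{kind} is never closed") for opened, kind in stack]
    findings += [(no, f"!!{r} has no [strings] entry") for no, r in refs if r not in defined]
    return sorted(findings)

# Constructed sample: curly quotes on KEYNAME, no END PART, one undefined string.
SAMPLE = r"""CLASS MACHINE
CATEGORY !!usbset
  POLICY !!enforceusb
   KEYNAME “SYSTEM\CurrentControlSet\Services\USBSTOR”
   EXPLAIN !!usbexplainreason
     PART !!labeltextusb DROPDOWNLIST REQUIRED
       VALUENAME "Start"
   END POLICY
END CATEGORY
[strings]
usbset="USB Settings"
enforceusb="Disable USB"
labeltextusb="usbstor.sys driver status"
"""

if __name__ == "__main__":
    for no, msg in lint_adm(SAMPLE):
        print(f"line {no}: {msg}")
```

Pass it the contents of drive_enforce.adm before copying the file to %windir%\inf; an empty list means none of the three problems was found.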


 

Related links: http://support.microsoft.com/kb/555324
Using Administrative Template Files with Registry-Based Group Policy

  1. Gabe
    Mar 25th, 2009 at 20:02

    Wow! Awesome… I know just where to put this to use.

    Thank you. 🙂