
Disable USB Storage Drive Page 1 of 2


Disable USB Storage Drive (Community)

Created by ouaziz
Published on 8/17/2009
Tags: gpo, usb, adm

Description

This script helps to disable USB storage devices entirely on all or some computers in the network.
It employs an ADM template in a Group Policy object that disables the USB storage driver
(USBSTOR). The ADM template simply sets the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start to 4 (Disabled).

But this technique has a serious drawback. It only works if the USB storage driver is already
installed. If it has not yet been installed, Windows' plug & play subsystem automatically resets
the Start value to 3 (Manual) when it installs USBSTOR after a USB storage device is plugged in
for the first time. In that case, USBSTOR remains enabled until the GPO is re-applied, usually at
the next reboot. If the storage device is plugged in during that reboot, it will still be available
because the USBSTOR driver is started before any GPOs are processed.

HOW TO:

1. In Active Directory Users and Computers, open an existing GPO or create a new one and
   open it. Use the security settings of that GPO to specify which computers it affects.
2. In that GPO, go to Computer Configuration – Windows Settings – Security Settings – File
   System and create a new entry (right-click File System and select Add File). Specify the
   location of USBSTOR.INF (usually %SystemRoot%\Inf\USBSTOR.INF).
3. Change the security settings of the new entry. The security settings that you specify here
   will be enforced on the USBSTOR.INF of every computer to which the GPO is applied. This
   process is not additive, which means that the previous security settings of USBSTOR.INF
   will be overwritten by the ones given in the GPO. It is therefore recommended to grant
   full control to SYSTEM and local administrators. But unlike in the default security settings
   of USBSTOR.INF, you should not grant any privileges to Everybody. You do not need to
   explicitly deny access – just omit an entry for Everybody. Optionally, you can grant read
   access to a certain group. Members of this group will be able to use USB storage.
4. Repeat the above two steps for USBSTOR.PNF.
5. Download USBSTOR.ADM.
6. Back in the GPO, right-click Administrative Templates under Computer Configuration and
   select Add/Remove Templates. Click Add and browse to the location of USBSTOR.ADM.
   Close the dialog.
7. You should now have an additional entry called Services and Drivers in Administrative
   Templates. Click on it. If it is empty, select View from the menu and uncheck Show
   Policies Only. Click back on Services and Drivers in Administrative Templates. It should
   now show the USB Storage policy. Double-click it, select Enabled and pick Disabled from
   the Startup Type drop-down. Again, the policy must be Enabled whereas Startup Type must
   be Disabled.
8. Close the dialog as well as the GPO and boot/reboot one of your workstations. Make sure
   no USB storage device is connected to that computer. Log on with administrative
   privileges and check the permissions of USBSTOR.INF and USBSTOR.PNF. Check the value
   of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start. It
   should be 4. It is also OK if the UsbStor key doesn't exist at all.
9. On the same workstation, log off and back on as a user that should not have access to
   USB storage. Connect a USB memory stick or a similar device. Nothing should happen.
   Remove the memory stick.
10. Log on as a user that should have access to USB storage and execute net start usbstor
    in a command shell or at Start – Run before connecting the memory stick. The memory
    stick should be initialized and mapped to a drive letter. If USBSTOR fails to start, it's
    probably because this is the first time a memory stick is plugged into the workstation, in
    which case USBSTOR is not yet installed. Nevertheless, the memory stick should be
    initialized and mapped correctly, but you need to reboot in order to reapply the
    administrative template such that USBSTOR is disabled again. Alternatively, you can
    disable it manually by downloading and double clicking USBSTOR.REG as well as executing

http://gallery.technet.microsoft.com/ScriptCenter/en-us/462d77b8-b712-4840-80e9-bc537... 7/28/2010
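
A check for step 8, as an added example that is not part of the original script page: it reads the UsbStor Start value and flags every Allow entry on USBSTOR.INF and USBSTOR.PNF that belongs to anyone other than SYSTEM, local Administrators, or the optional group from step 3. The group name CONTOSO\USB-Storage-Users is a placeholder assumption; run the script from an elevated PowerShell prompt.

```powershell
# Added example: audit one workstation against step 8 of the how-to.
param(
    # Hypothetical group that was granted read access in step 3 (placeholder name).
    [string]$AllowedGroup = 'CONTOSO\USB-Storage-Users'
)

$findings = @()

# 1. UsbStor\Start must be 4 (Disabled). A missing UsbStor key is also acceptable.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
if (Test-Path $svcKey) {
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -ne 4) {
        $findings += "UsbStor Start is '$start', expected 4 (Disabled)"
    }
}

# 2. Only these principals may hold an Allow entry on the driver files.
$expected = @(
    'S-1-5-18',      # SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)
try {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $expected += ([System.Security.Principal.NTAccount]$AllowedGroup).Translate($sidType).Value
} catch {
    Write-Verbose "Group '$AllowedGroup' could not be resolved; only SYSTEM and Administrators are expected"
}

foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
    $path = Join-Path $env:SystemRoot "Inf\$name"
    if (-not (Test-Path $path)) {
        Write-Output "$path is not present, skipped"
        continue
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -Path $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and $expected -notcontains $ace.IdentityReference.Value) {
            $findings += "$path grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)"
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'USBSTOR lockdown matches step 8 of the how-to.'
}
```
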

Script Code


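; USBSTOR.ADM: machine policy that sets the start type of the USBSTOR service
CLASS MACHINE

CATEGORY "Services und Drivers"

  POLICY "USB Storage"
    ; Key is relative to HKEY_LOCAL_MACHINE because of CLASS MACHINE
    KEYNAME "System\CurrentControlSet\Services\usbstor"
    PART "Startup type" DROPDOWNLIST
      VALUENAME "Start"
      ; Service start types; the how-to selects "Disabled" (4)
      ITEMLIST
        NAME "Boot"           VALUE NUMERIC 0
        NAME "System"         VALUE NUMERIC 1
        NAME "Auto Load"      VALUE NUMERIC 2 DEFAULT
        NAME "Load On Demand" VALUE NUMERIC 3
        NAME "Disabled"       VALUE NUMERIC 4
      END ITEMLIST
    END PART
  END POLICY

END CATEGORY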

Verified on the following platforms

Windows Server 2008 R2   No
Windows Server 2008      No
Windows Server 2003      Yes
Windows 7                No
Windows Vista            No
Windows XP               No
Windows 2000             Yes

This script is tested on these platforms by the author. It is likely to work on other platforms as well. If you try it
and find that it works on another platform, please add a note to the script discussion to let others know.
