Disable USB for some local users

0

Our customer wants the systems we deliver to fulfill these requirements:

  • Only the admin user is able to access USB flash drives.
  • All other local users must not be able to access USB flash drives at all.

Ideally, they want us not to edit local policies. But if it is required, it is ok to use The computer is not connected to any domain controller.

I wonder if it is possible to meet these requirements?

magol

Posted 2014-01-15T10:35:51.173

Reputation: 200

2 So no USB mouse, no USB keyboard? That's going to be tricky nowadays. – MSalters – 2014-01-16T10:17:00.040

Haha, you're right. The demands were a bit too harsh. It is of course USB flash drives I mean. Thank you for pointing out my mistake. – magol – 2014-01-16T10:30:50.623

Answers

2

When you do this, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:

  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
  4. In the details pane, double-click Start.
  5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
  6. Exit Registry Editor.

If you want to enable it again, just change this value to 3.

Microsoft have a tool that you can download here to fix this.

Source

Butzke

Posted 2014-01-15T10:35:51.173

Reputation: 527

1 Thank you very much. But this does not solve my problem. This means that NO users can use USB, and what I want is to just limit it to a few accounts. – magol – 2014-01-16T09:42:33.610

1

If a USB storage device is not already installed on the computer

If a USB storage device is not already installed on the computer, assign the user or the group and the local SYSTEM account Deny permissions to the following files:

  • %SystemRoot%\Inf\Usbstor.pnf
  • %SystemRoot%\Inf\Usbstor.inf

When you do this, users cannot install a USB storage device on the computer.

To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

  1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
  2. Right-click the Usbstor.pnf file, and then click Properties.
  3. Click the Security tab.
  4. In the Group or user names list, add the user or group that you want to set Deny permissions for.
  5. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
     Note: Also add the System account to the Deny list.
  6. In the Group or user names list, select the SYSTEM account.
  7. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
  8. Right-click the Usbstor.inf file, and then click Properties.
  9. Click the Security tab.
  10. In the Group or user names list, add the user or group that you want to set Deny permissions for.
  11. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
  12. In the Group or user names list, select the SYSTEM account.
  13. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

For further info: https://support.microsoft.com/kb/823732

Gaurav Joseph

Posted 2014-01-15T10:35:51.173

Reputation: 1 503

Thank you very much. But this does not solve my problem. This means that NO users can use USB, and what I want is to just limit it to a few accounts. – magol – 2014-01-16T09:42:56.923
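To confirm which of the two settings from the answers above is actually in effect on a machine, a read-only PowerShell check can report the UsbStor Start value and any Deny entries on the two driver files. This is an added example, not code from the answers or from Microsoft; the function names are hypothetical.

```powershell
# Added example (not from the answers): read-only audit of the registry value
# and the file permissions described in the two answers above. Changes nothing.

function Get-UsbStorStartState {
    # Start value of the USB mass-storage driver service: 3 = load on demand, 4 = disabled.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    $meaning = switch ($start) {
        3       { 'enabled (driver loads when a device is connected)' }
        4       { 'disabled for every user, including administrators' }
        default { 'other value, not covered by the answers above' }
    }
    [pscustomobject]@{ Key = $key; Start = $start; Meaning = $meaning }
}

function Get-UsbStorInfDenyEntries {
    # Reports Deny entries on the two driver files named in the second answer.
    foreach ($name in 'Usbstor.inf', 'Usbstor.pnf') {
        $path = Join-Path $env:SystemRoot "Inf\$name"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $path; Identity = $null; Rights = $null; Note = 'file not found' }
            continue
        }
        $deny = @((Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -eq 0) {
            [pscustomobject]@{ File = $path; Identity = $null; Rights = $null; Note = 'no Deny entries' }
        }
        foreach ($ace in $deny) {
            [pscustomobject]@{
                File     = $path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Note     = 'Deny entry present'
            }
        }
    }
}

Get-UsbStorStartState | Format-List
Get-UsbStorInfDenyEntries | Format-Table -AutoSize
```

A Start value of 4 applies machine-wide, and a Deny entry for SYSTEM on the two files blocks driver installation for every account, which is why neither setting on its own separates the admin user from the other local users.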

1

Start gpedit.msc and make a new GPO. Set the filters so the admin user doesn't execute this GP. Configure the read/write/execute items access under: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.

Edit: OK, I just reread the question: no local policies. It's the best way to do it, though.

Jannis Alexakis

Posted 2014-01-15T10:35:51.173

Reputation: 241

Well, they can't have any global policies (no DC) and systemwide settings aren't acceptable either (Admin must have access), so there's not really much room left for an "ideally, they want..." – MSalters – 2014-01-16T10:20:04.410

Thank you very much for your answer. If editing local policies is necessary, it is ok to edit them. But as MSalters said, we cannot use GPO as we don't have any DC available. :-( – magol – 2014-01-16T10:35:19.360

How about MLGPOs? – Jannis Alexakis – 2014-01-16T12:30:11.363