Active Directory: How to Block USB Devices (dsforum2wiki)
If you want to prevent users from using USB devices, you can follow the steps in either of these articles:
1. Manually modify the registry key which is described in the KB article at http://support.microsoft.com/kb/823732
If the client computers run Windows 2000, you have to use this option. This article has a script for this: http://badzmanaois.blogspot.com/2008/09/disable-usb-storage-using-vbs-script_07.html
2. Using Group Policy as described in the KB article at http://support.microsoft.com/kb/555324
The procedures in KB article 555324 will not disable the USB ports for mouse or keyboard unless you select that option. You have the option to disable USB devices such as removable storage, CD ROM drives, floppy drives, or disable all USB ports.
Here is another article that covers how to configure this by using a GPO: http://www.petri.co.il/disable_usb_disks_with_gpo.htm
New Policies in Windows Vista and Windows Server 2008
In Windows Server 2008, there is a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage devices easier. To use these policies, the client computers must run Windows Vista or later. The following policies specify read and write permission on all kinds of removable storage devices:
1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
2. User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
The following policy controls the installation of removable storage device:
- Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions
More detailed information: Managing Hardware Restrictions via Group Policy at http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx
References
This article was derived from the DS Forum post at http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3255d483-1be6-41a2-b6e3-33317e7c4d13
Other Languages
This article is also available in the following languages: