+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
How do you do....it? Thread, Disable USB Pen Drives for Exam Accounts in Technical; Anyone know how to do this? I found something on MS which had a .adm file, but that doesn't seem ...
  1. #1
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,456
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75

    Disable USB Pen Drives for Exam Accounts

    Anyone know how to do this? I found something on MS which had a .adm file, but that doesn't seem to do anything (or doesn't like being filtered to only apply to specific user groups); some other sites talk about changing permissions on usbstor.sys and usbstor.inf, but I don't see how to do that via GPO (also I think that blocks USB keyboards and mice too, which is no good).

  2. #2


    Join Date
    Feb 2007
    Location
    51.405546, -0.510212
    Posts
    8,113
    Thank Post
    203
    Thanked 2,385 Times in 1,765 Posts
    Rep Power
    703
    Quote Originally Posted by enjay View Post
    doesn't like being filtered to only apply to specific user groups
    The ADM disables the USBSTOR service, so it would be a per-machine setting.

  3. #3

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,390
    Thank Post
    797
    Thanked 1,587 Times in 1,390 Posts
    Blog Entries
    10
    Rep Power
    427
    You could make a logon script to stop the USBSTOR service and then a log off one to start it again.

  4. #4


    Join Date
    Feb 2007
    Location
    51.405546, -0.510212
    Posts
    8,113
    Thank Post
    203
    Thanked 2,385 Times in 1,765 Posts
    Rep Power
    703
    Also worth mentioning...

    If you disable the ability of the usbstor.sys driver to run on the computer, you will in fact block the computer's means of discovering the flash drive and loading the appropriate driver. This does not disable USB devices that aren't for storage.

    Note that this will only prevent usage of newly plugged-in USB Removable Drives or flash drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example, two identical flash drives made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. (Source)

  5. #5

    Join Date
    Dec 2007
    Posts
    847
    Thank Post
    86
    Thanked 160 Times in 135 Posts
    Rep Power
    47
    An alternative method would be to use USBDLM combined with an appropriate usbdlm.ini configuration (e.g. no USB Drive Letters) that can be copied across (via script or GPP for example) during logon so this can be user based.

    You may also have to stop/restart the usbdlm service..not got notes to hand but check out the following:

    USBDLM Main Website
    USB Drive Letter Manager - USBDLM

    USBDLM Configuration Options
    USB Drive Letter Manager - USBDLM
    USBDLM Help

  6. #6
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,456
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    So, no simple way of doing this then? Back in CC3 land, I just prevented access to drive letters D-H on the usertype, 10 seconds, job done - anyone know what this actually did, and how I can replicate it on a vanilla network?

  7. #7

    Join Date
    Mar 2007
    Posts
    1,669
    Thank Post
    72
    Thanked 249 Times in 199 Posts
    Rep Power
    64
    use usbdlm to assign the drive letter, then use group policy to hide the drive.

  8. #8
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,456
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    Quote Originally Posted by strawberry View Post
    use group policy to hide the drive.
    That's the bit I'm unclear on - how do you do that?

  9. #9


    Join Date
    Feb 2007
    Location
    51.405546, -0.510212
    Posts
    8,113
    Thank Post
    203
    Thanked 2,385 Times in 1,765 Posts
    Rep Power
    703
    HideCalc is one way to do it. It even lets you create ADMX/ADM files.


  10. 3 Thanks to Arthur:

    enjay (8th March 2012), FN-GM (8th March 2012), strawberry (8th March 2012)

  11. #10
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,456
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    Quote Originally Posted by Arthur View Post
    HideCalc is one way to do it. It even lets you create ADMX/ADM files.
    Awesome, thank you so much. That does exactly what I was after (funny name, though!)

  12. #11

    Join Date
    Mar 2007
    Posts
    1,669
    Thank Post
    72
    Thanked 249 Times in 199 Posts
    Rep Power
    64
    Quote Originally Posted by enjay View Post
    That's the bit I'm unclear on - how do you do that?
    Ta Da! Using Group Policy Objects to hide specified drives

  13. #12
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,456
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    Thanks Strawberry, I'd missed that. One question though - it can be used to "Restrict A, B, C and D drives", so what happens if someone plugs in two pen drives - wouldn't the second be E: and therefore accessible?

  14. #13

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,656
    Thank Post
    324
    Thanked 506 Times in 474 Posts
    Rep Power
    177
    Quote Originally Posted by enjay View Post
    Thanks Strawberry, I'd missed that. One question though - it can be used to "Restrict A, B, C and D drives", so what happens if someone plugs in two pen drives - wouldn't the second be E: and therefore accessible?
    You can edit the file to add more rules, just means not using the default settings I think.

    Steve

  15. #14

    Join Date
    Mar 2007
    Posts
    1,669
    Thank Post
    72
    Thanked 249 Times in 199 Posts
    Rep Power
    64
    You can select the first 3 extra drives that will be assigned to usb, for instaance k,l and m. You then use GP to block those drives.

  16. #15
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,456
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    Quote Originally Posted by Steve21 View Post
    You can edit the file to add more rules, just means not using the default settings I think.
    Yes, it uses numeric values to represent each combination of drive letters, but doesn't suggest how to calculate those values; I think it is actually doing the same thing as HideCalc (linked above) but not in quite such a friendly way.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 2
    Last Post: 10th December 2007, 07:12 PM
  2. USB Pen Drive shuts down laptop
    By Mr_M_Cox in forum Windows
    Replies: 9
    Last Post: 7th November 2007, 04:30 PM
  3. USB Ports asking for Admin Account
    By Psymon in forum Windows
    Replies: 16
    Last Post: 14th October 2007, 10:49 PM
  4. USB Pen Drive Hell
    By Gatt in forum Windows Vista
    Replies: 10
    Last Post: 8th February 2007, 09:05 PM
  5. Responsible use of USB pen drives?
    By DRogers in forum School ICT Policies
    Replies: 0
    Last Post: 15th February 2006, 09:07 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •