+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
How do you do....it? Thread, Disable USB Pen Drives for Exam Accounts in Technical; Anyone know how to do this? I found something on MS which had a .adm file, but that doesn't seem ...
  1. #1
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,490
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76

    Disable USB Pen Drives for Exam Accounts

    Anyone know how to do this? I found something on MS which had a .adm file, but that doesn't seem to do anything (or doesn't like being filtered to only apply to specific user groups); some other sites talk about changing permissions on usbstor.sys and usbstor.inf, but I don't see how to do that via GPO (also I think that blocks USB keyboards and mice too, which is no good).

  2. #2


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,417
    Thank Post
    243
    Thanked 2,825 Times in 2,084 Posts
    Rep Power
    814
    Quote Originally Posted by enjay View Post
    doesn't like being filtered to only apply to specific user groups
    The ADM disables the USBSTOR service, so it would be a per-machine setting.

  3. #3

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,234
    Thank Post
    894
    Thanked 1,780 Times in 1,534 Posts
    Blog Entries
    12
    Rep Power
    462
    You could make a logon script to stop the USBSTOR service and then a log off one to start it again.

  4. #4


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,417
    Thank Post
    243
    Thanked 2,825 Times in 2,084 Posts
    Rep Power
    814
    Also worth mentioning...

    If you disable the ability of the usbstor.sys driver to run on the computer, you will in fact block the computer's means of discovering the flash drive and loading the appropriate driver. This does not disable USB devices that aren't for storage.

    Note that this will only prevent usage of newly plugged-in USB Removable Drives or flash drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example, two identical flash drives made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. (Source)

  5. #5

    Join Date
    Dec 2007
    Posts
    882
    Thank Post
    92
    Thanked 165 Times in 140 Posts
    Rep Power
    49
    An alternative method would be to use USBDLM combined with an appropriate usbdlm.ini configuration (e.g. no USB Drive Letters) that can be copied across (via script or GPP for example) during logon so this can be user based.

    You may also have to stop/restart the usbdlm service..not got notes to hand but check out the following:

    USBDLM Main Website
    USB Drive Letter Manager - USBDLM

    USBDLM Configuration Options
    USB Drive Letter Manager - USBDLM
    USBDLM Help

  6. #6
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,490
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    So, no simple way of doing this then? Back in CC3 land, I just prevented access to drive letters D-H on the usertype, 10 seconds, job done - anyone know what this actually did, and how I can replicate it on a vanilla network?

  7. #7

    Join Date
    Mar 2007
    Posts
    1,836
    Thank Post
    90
    Thanked 312 Times in 239 Posts
    Rep Power
    89
    use usbdlm to assign the drive letter, then use group policy to hide the drive.

  8. #8
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,490
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Quote Originally Posted by strawberry View Post
    use group policy to hide the drive.
    That's the bit I'm unclear on - how do you do that?

  9. #9


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,417
    Thank Post
    243
    Thanked 2,825 Times in 2,084 Posts
    Rep Power
    814
    HideCalc is one way to do it. It even lets you create ADMX/ADM files.


  10. 3 Thanks to Arthur:

    enjay (8th March 2012), FN-GM (8th March 2012), strawberry (8th March 2012)

  11. #10
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,490
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Quote Originally Posted by Arthur View Post
    HideCalc is one way to do it. It even lets you create ADMX/ADM files.
    Awesome, thank you so much. That does exactly what I was after (funny name, though!)

  12. #11

    Join Date
    Mar 2007
    Posts
    1,836
    Thank Post
    90
    Thanked 312 Times in 239 Posts
    Rep Power
    89
    Quote Originally Posted by enjay View Post
    That's the bit I'm unclear on - how do you do that?
    Ta Da! Using Group Policy Objects to hide specified drives

  13. #12
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,490
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Thanks Strawberry, I'd missed that. One question though - it can be used to "Restrict A, B, C and D drives", so what happens if someone plugs in two pen drives - wouldn't the second be E: and therefore accessible?

  14. #13

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,731
    Thank Post
    344
    Thanked 520 Times in 488 Posts
    Rep Power
    180
    Quote Originally Posted by enjay View Post
    Thanks Strawberry, I'd missed that. One question though - it can be used to "Restrict A, B, C and D drives", so what happens if someone plugs in two pen drives - wouldn't the second be E: and therefore accessible?
    You can edit the file to add more rules, just means not using the default settings I think.

    Steve

  15. #14

    Join Date
    Mar 2007
    Posts
    1,836
    Thank Post
    90
    Thanked 312 Times in 239 Posts
    Rep Power
    89
    You can select the first 3 extra drives that will be assigned to usb, for instaance k,l and m. You then use GP to block those drives.

  16. #15
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,490
    Thank Post
    282
    Thanked 196 Times in 167 Posts
    Rep Power
    76
    Quote Originally Posted by Steve21 View Post
    You can edit the file to add more rules, just means not using the default settings I think.
    Yes, it uses numeric values to represent each combination of drive letters, but doesn't suggest how to calculate those values; I think it is actually doing the same thing as HideCalc (linked above) but not in quite such a friendly way.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 2
    Last Post: 10th December 2007, 07:12 PM
  2. USB Pen Drive shuts down laptop
    By Mr_M_Cox in forum Windows
    Replies: 9
    Last Post: 7th November 2007, 04:30 PM
  3. USB Ports asking for Admin Account
    By Psymon in forum Windows
    Replies: 16
    Last Post: 14th October 2007, 10:49 PM
  4. USB Pen Drive Hell
    By Gatt in forum Windows Vista
    Replies: 10
    Last Post: 8th February 2007, 09:05 PM
  5. Responsible use of USB pen drives?
    By DRogers in forum School ICT Policies
    Replies: 0
    Last Post: 15th February 2006, 09:07 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •