USB Devices

[Wayne Blosat]

We have Windows XP Prof computers with no floopy and no cd rom in them. We
would like to prevent them from pluging in and installing any USB device
such as a memory stick.

We currently use the Group Policies to prohibit them from accessing the
desktop and other things. We tested plugging in a Memory Stick in the usb
port and the new hardware was found and installed. This is not a good thing
for us. Is there a place in the Group Policy that would prohibit them from
installing any new USB devices.

Thanks.

 

[Doug Knox MS-MVP]

Yes, you can use the Group Policy under User Configuration, Administrative Templates, Windows Components, Windows Explorer, Prevent access to drives from My Computer. However, the choices offered are limited.

To enforce this manually, and restrict all but specific drives, the required value is stored in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The value is: NoViewOnDrive

This a REG_DWORD type value. The number entered here is computed using binary math.

A = 1
B = 2
C = 4
D = 8
E = 16

and so on. Add up the numbers that correspond to the drive letters, you wish to prevent access to. The maximum decimal value is

Copy and paste the following into a Notepad file and save it with a REG extension. This sample prevents the user from accessing all drives but A, B, C and D. Add a line to your logon script that uses the command:

REGEDIT /S yourfile.reg

to import the REG file into the user's registry at logon.

------------ Copy below this line -------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewOnDrive"=dword:3fffff0

---------- Copy above this line, including the blank line ---------------------------

 

[Wayne Blosat]

Thanks. The second solution works better.

Wayne


Yes, you can use the Group Policy under User Configuration, Administrative
Templates, Windows Components, Windows Explorer, Prevent access to drives
from My Computer. However, the choices offered are limited.

To enforce this manually, and restrict all but specific drives, the required
value is stored in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The value is: NoViewOnDrive

This a REG_DWORD type value. The number entered here is computed using
binary math.

A = 1
B = 2
C = 4
D = 8
E = 16

and so on. Add up the numbers that correspond to the drive letters, you wish
to prevent access to. The maximum decimal value is

Copy and paste the following into a Notepad file and save it with a REG
extension. This sample prevents the user from accessing all drives but A,
B, C and D. Add a line to your logon script that uses the command:

REGEDIT /S yourfile.reg

to import the REG file into the user's registry at logon.

------------ Copy below this line -------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewOnDrive"=dword:3fffff0

---------- Copy above this line, including the blank
line ---------------------------

 

[Doug Knox MS-MVP]

You're welcome. Too bad its such a pain to implement manually.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

Thanks. The second solution works better.

Wayne


Yes, you can use the Group Policy under User Configuration, Administrative
Templates, Windows Components, Windows Explorer, Prevent access to drives
from My Computer. However, the choices offered are limited.

To enforce this manually, and restrict all but specific drives, the required
value is stored in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The value is: NoViewOnDrive

This a REG_DWORD type value. The number entered here is computed using
binary math.

A = 1
B = 2
C = 4
D = 8
E = 16

and so on. Add up the numbers that correspond to the drive letters, you wish
to prevent access to. The maximum decimal value is

Copy and paste the following into a Notepad file and save it with a REG
extension. This sample prevents the user from accessing all drives but A,
B, C and D. Add a line to your logon script that uses the command:

REGEDIT /S yourfile.reg

to import the REG file into the user's registry at logon.

------------ Copy below this line -------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewOnDrive"=dword:3fffff0

---------- Copy above this line, including the blank
line ---------------------------

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

We have Windows XP Prof computers with no floopy and no cd rom in them.
We
would like to prevent them from pluging in and installing any USB device
such as a memory stick.

We currently use the Group Policies to prohibit them from accessing the
desktop and other things. We tested plugging in a Memory Stick in the usb
port and the new hardware was found and installed. This is not a good
thing
for us. Is there a place in the Group Policy that would prohibit them from
installing any new USB devices.

Thanks.