Hello from Istanbul/Turkey,

In a Windows 2000 or 2003 Active Directory and Windows XP workstation
environment, you can enable or disable the whole USB interface or just
USB storage devices using Group Policy. Just follow these steps:

1. Create a custom adm file, you can name it usb.adm with the
following content:

; Beginning of the file
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS MACHINE ;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CATEGORY !!USB
POLICY !!REstrictUSB
KEYNAME "System\CurrentControlSet\Services\usbuhci"
PART !!RestrictionValue NUMERIC
VALUENAME Start
END PART
END POLICY
POLICY !!REstrictUSBStorage
KEYNAME "System\CurrentControlSet\Services\USBSTOR"
PART !!RestrictionValueStorage NUMERIC
VALUENAME Start
END PART
END POLICY

END CATEGORY

#endif

[strings]

USB="Restrict USB Access"
RestrictUSB="USB Interface Restriction"
RestrictionValue="Enter 4 to restrict USB interface, 3 to enable"
RestrictUSBStorage="USB Storage Restriction"
RestrictionValueStorage="Enter 4 to restrict USB storage, 3 to enable"

; End of the file

2. Put this file in C:\Windows\Inf in one of your Domain Controllers
(DC).
3. On this DC, run AD Users and Computers, select the Organizational
Unit (OU) you want to enable or disable USB. Open Group Policy (GP)
for this OU.
4. Select Administrative Templates under Computer Configuration. Right
click and select Add/Remove Templates, click add and select usb.adm
and click open, then close Add Remove Templates window.
5. Now you can see the "Restrict USB Access" category under Administrative
Templates. To see its contents, you should click Administrative
Templates and on the View menu click Filtering. Clear the "Only show policy
settings that can be fully managed" option. Click OK.
6. Click Restrict USB Access. There are two policies here, USB
Interface Restriction (UIR) and USB Storage Restriction (USR).
7. If you want to fully enable USB, enable both of the policies
and enter the value of 3. If you want to enable the USB interface but
disable USB storage, enter 3 for UIR, 4 for USR. If you want to
disable USB entirely, enter 4 for both values.

PS: Because this registry setting is considered a preference, even
if you remove the policy, the setting remains there. So you should
enable this setting in all your organizational units.

I've tried this in Windows 2003 and Windows XP environments and saw that it
works. I didn't try it in Windows 2000, but I guess it works there too. I
hope this helps you too.

Re: HOWTO: Enable/Disable USB interface and/or USB storage devices using Group Policy in Windows XP by wintech_c

wintech_c
Wed Dec 08 11:45:01 CST 2004

Hey,

First of all, I would like to thank you for sharing this code. However,
after following your instructions and adding it to Administrative Templates, I
received an error message that said: "The following error occurred in
c:\winodws\system32\GroupPolicy\Adm\usb.adm on line 25: Error 63 An
unmatched interpreter directive was found. Found: #endif The file can
not be loaded."
Any idea what could have caused this issue?
Thank you for your time reviewing it.
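
Added example (not part of either post above): a small Python lint that checks an ADM template for the condition named in the error message, a #endif with no opening #if, and for !!name references that have no [strings] entry. The function name lint_adm and the sample text are constructed for illustration; treating every line that starts with "#if" as a block opener and comparing string names case-insensitively are assumptions.

```python
import re

# Constructed sample: a shortened copy of the usb.adm posted above,
# including its "#endif" line.
SAMPLE_ADM = r'''CLASS MACHINE
CATEGORY !!USB
POLICY !!REstrictUSBStorage
KEYNAME "System\CurrentControlSet\Services\USBSTOR"
PART !!RestrictionValueStorage NUMERIC
VALUENAME Start
END PART
END POLICY
END CATEGORY
#endif
[strings]
USB="Restrict USB Access"
RestrictUSBStorage="USB Storage Restriction"
RestrictionValueStorage="Enter 4 to restrict USB storage, 3 to enable"
'''

def lint_adm(text):
    """Return sorted (line_number, message) findings for an ADM template."""
    findings, open_ifs, refs, defined = [], [], [], set()
    in_strings = False
    for n, raw in enumerate(text.splitlines(), 1):
        if in_strings:
            # Inside [strings]: collect the names that have a definition.
            entry = raw.strip()
            if entry and not entry.startswith(";") and "=" in entry:
                defined.add(entry.split("=", 1)[0].strip().lower())
            continue
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment here
        low = line.lower()
        if low == "[strings]":
            in_strings = True
        elif low.startswith("#endif"):
            if open_ifs:
                open_ifs.pop()
            else:
                findings.append((n, "#endif without a matching #if"))
        elif low.startswith("#if"):  # assumed to cover #if/#ifdef/#ifndef
            open_ifs.append(n)
        else:
            refs += [(n, name) for name in re.findall(r"!!(\w+)", line)]
    findings += [(n, "#if without a matching #endif") for n in open_ifs]
    findings += [(n, "no [strings] entry for !!" + name)
                 for n, name in refs if name.lower() not in defined]
    return sorted(findings)
```

Pass the template's text to lint_adm() before loading the file through Add/Remove Templates; an empty list means the checks found nothing.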