Shulou(Shulou.com)06/01 Report--

This article mainly shows you "how to use group policy to prohibit USB in domain controllers". The content is simple and clear. I hope it can help you solve your doubts. Let me lead you to study and learn this article "how to use group policy to prohibit USB in domain controllers".

The method for Windows 2003 domain controllers to prohibit USB with group policy is as follows:

One: direct method, disable the registry method of usb

Navigate to

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/USBSTOR

There is a key called start on the right.

Double-click him to change the value to 4 usb and it is disabled.

The next time you want to recover, just change 4 to 3.

Second: indirect method

Copy the contents of the lower slash to a text document, save it as an .ADM file, then open the group policy of the OU you want to restrict, expand "user configuration, manage templates", right-click manage templates, add / remove templates, and then import the ADM file you just saved! Now all users under this OU will not be able to use USB storage devices! (third-party software GFI LANGuard Portable Storage Control.v2.0 can also be used in domain environments).

/ / /

CLASS USER CATEGORY! ADMDesc POLICY!! MMC_DeviceManagerX KEYNAME "Software/Policies/Microsoft/MMC/ {90087284-d6d6-11d0-8353-00a0c90640bf}" # if version > = 4 SUPPORTED!! SUPPORTED_Win2k # endif EXPLAIN!! MMC_Restrict_Explain valueNAME "Restrict_Run" valueON NUMERIC 0 valueOFF NUMERIC 1 END POLICY POLICY!! MMC_DeviceManager KEYNAME "Software/Policies/Microsoft/MMC/ {74246bfc-4c96-11d0-abef-0020af6b0b7a}" # if version > = 4 SUPPORTED! SUPPORTED_Win2k # endif EXPLAIN!! DEVMGR_Restrict_Explain valueNAME "Restrict_Run" valueON NUMERIC 0 valueOFF NUMERIC 1 END POLICY End CATEGORY CLASS MACHINE CATEGORY!! ADMDesc POLICY!! USB_UHCD_PARAMS KEYNAME "SYSTEM/CurrentControlSet/Services/uhcd" EXPLAIN!! STARTUPTYPE_HELP PART!! STARTUPTYPE NUMERIC REQUIRED valueNAME "START" MIN 3 MAX 4 DEFAULT 3 END PART END POLICY POLICY!! USB_UHCI_PARAMS KEYNAME "SYSTEM/CurrentControlSet/ Services/usbuhci "EXPLAIN!! STARTUPTYPE_HELP PART!! STARTUPTYPE NUMERIC REQUIRED valueNAME" START "MIN 3 MAX 4 DEFAULT 3 END PART END POLICY POLICY!! USB_EHCI_PARAMS KEYNAME" SYSTEM/CurrentControlSet/Services/usbehci "EXPLAIN!! STARTUPTYPE_HELP PART!! STARTUPTYPE NUMERIC REQUIRED valueNAME" START "MIN 3 MAX 4 DEFAULT 3 END PART END POLICY POLICY!! USB_HUB KEYNAME" SYSTEM/CurrentControlSet/Services/usbhub "EXPLAIN!! STARTUPTYPE_HELP PART ! STARTUPTYPE NUMERIC REQUIRED valueNAME "START" MIN 3 MAX 4 DEFAULT 3 END PART END POLICY POLICY!! CD_ROM KEYNAME "SYSTEM/CurrentControlSet/Services/cdrom" EXPLAIN!! STARTUPTYPE_HELP PART!! STARTUPTYPE NUMERIC REQUIRED valueNAME "START" MIN 3 MAX 4 DEFAULT 3 END PART END POLICY POLICY!! Floppy_Disk KEYNAME "SYSTEM/CurrentControlSet/Services/flpydisk" EXPLAIN!! STARTUPTYPE_HELP PART! STARTUPTYPE NUMERIC REQUIRED valueNAME "START" MIN 3 MAX 4 DEFAULT 3 END PART END POLICY End CATEGORY [strings] ADMDesc= "Custom Policy" MMC_DeviceManagerX= "device Manager extension" MMC_DeviceManager= "device Manager" SUPPORTED_Win2k= "at least use Microsoft Windows 2000" MMC_Restrict_Explain= "Disable-disable device Manager extension Enable-enable the device Manager extension "DEVMGR_Restrict_Explain=" Disable-disable device Manager Enable-enable device manager "USB_UHCD_PARAMS=" USB generic master controller drive "STARTUPTYPE_HELP=" boot type, 3-manual, 4-disable "STARTUPTYPE=" boot type "USB_EHCI_PARAMS=" Microsoft USB 2.0 Enhanced Host Controller Miniport Driver "USB_UHCI_PARAMS=" Microsoft USB Universal Host Controller Miniport Driver "USB_HUB=" Microsoft USB Standard Hub Driver "CD_ROM=" CD-ROM "Floppy_Disk=" floppy drive

/ / /

Three: another way is to import a registry file when each machine is powered on

The contents of the file are:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/USBSTOR] "start" = dword:00000004

Then add an entry to the OU computer configuration-windows Settings-Security Settings-Registry:

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/USBSTOR

In the permission settings for the registry key, delete all users! Only domain/administrator users!

Disable and manage the USB interface in WindowsXP

1. The computer does not have a USB device installed

In this case, we can set the control of its users by setting the Usbstor.pnf and Usbstor.inf files under% SystemRoot%Inf.

Limit.

* * step: right-click the two files, select "Properties → Security → Advanced", and cancel the "inherit from the parent item that can be used" on the permissions page.

Use the permission items for child objects, including those explicitly defined here "check box.

Step 2: on the Security page, select the user or user group you want to block, select the deny check box in full Control, and then

Click OK.

By assigning permissions, you can specify which users can use USB devices and which users cannot use USB devices, and the following

The "general method for systems above Windows NT" has the same flexibility, so it is recommended to restrict users from installing USB devices.

two。 The computer has installed a USB device

This can be achieved by modifying the registry. The method is to modify the registry

The "Start" value under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUSBSTOR is changed to hexadecimal

The number "4".

After this method is modified, when the user connects the USB storage device to the computer, the device will not run.

5. General methods for systems above Windows NT

Run Registry Editor, locate the HKEY_LOCAL_ MACHINESYSTEMControlSet002ServicesUSBSTOR key, and cancel

All control of System. If you want to assign control, you only need to set control permissions on the appropriate user.

Tip: to set registry control permissions in Windows 2000, you need to use the Regedt32.exe Registry Editor.

The above is all the contents of the article "how to use Group Policy to disable USB in Domain controllers". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.