usbblocking in desktop laptop


Upload: sakthivel25

Post on 31-Aug-2014


Page 1: usbblocking in desktop laptop

Download the USB_removable_drives_ADM file (2kb)

After downloading the .ADM file, read Adding New Administrative Templates to a GPO.

You might also be interested in reading Disable Writing to USB Disks with GPO.

Note: In order to successfully view and configure the new .ADM file settings you will need to change the default filtering view for the GPO Editor (or GPedit.msc). Unless you change these settings, the right pane will appear empty, even though it has the settings in it.

Follow these steps:

1. In GPEdit.msc (or any other GPO Editor window you're using) click on View > Filtering.

2. Click to un-select the "Only show policy settings that can be fully managed" check-box. Click OK.

3. Now you will be able to see the new settings in the right pane.

4. You can now configure any of the above settings.


An additional step that needs to be performed before the above tip will work has to do with modifying the file access permissions for 2 files. You need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files.

You can do so by right clicking these files > Properties, then going to the Security tab. There you need to remove the line for the SYSTEM account.


Note: Under some circumstances, the SYSTEM account should have write access to these files during Service Pack installation. For example, when the SP is installed via GPO or SMS, the installation runs under the SYSTEM account.

The Service Pack needs to replace the files with a new version, and without proper write access to the files the installation will fail. Therefore, before each SP deployment we need to allow access to the SYSTEM account for these files.

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in a GPO, please follow the next steps:

1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.

Note: GPMC is not a built-in part of Windows 2000/XP/2003, and needs to be separately installed. You can download GPMC from the following link (Download GPMC), yet remember it can only be used effectively on Windows Server 2003-based Active Directory.

If you do not have GPMC or cannot install it then you'll need to edit the GPO via the regular means, i.e. from Active Directory Users and Computers management tool (dsa.msc).

2. Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.

3. Expand either the Computer settings or Users settings sections of the GPO. Go to the appropriate Administrative Templates section and right-click it. Select Add/Remove Templates.


4. In the Add/Remove Templates window click Add.


5. Browse to the location of the required .ADM file and click Open.

6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.

Now re-open the Administrative Templates section and browse to the new settings location.

Disabling GPO settings filtering

Many custom Administrative Templates require you to turn off the filter that shows only policy settings that can be fully managed in the GPO editor. To do so follow the next steps:

1. After completing the above procedure, browse to the newly added Administrative Template section.

Note that the section is indeed listed; however, the right pane is empty.

2. Right-click an empty spot in the right pane and select View > Filtering.

3. In the Filtering window click to un-mark the "Only show policy settings that can be fully managed" option. Then click OK.

4. Notice how the available options are now displayed in the right pane.

You can now configure these options as you please.

However, if the .ADM files were added, for example, when sitting on DC1, how do you make sure they are also replicated to DC2, DC3 and so on?

Please let me know if I can solve this any other way or if I'm doing something wrong.

Creating a GPO in Windows 2003 to block USB drives in Windows XP computers

This GPO is going to block the usage of USB removable disks, while allowing mice and keyboards to work.

Creating and enabling the .ADM file

1. Copy the script written under these instructions, paste it into Notepad and save it in .ADM format.
2. Log into RADDC02 and go to Start>>Administrative Tools>>Group Policy Management.
3. On the left pane select Computer Configuration>>Administrative Templates. Right-click Administrative Templates and select Add/Remove Templates.
4. Click Add, go to the folder where you saved the .ADM file and add it to Add/Remove Templates.
5. In GPEdit.msc (or any other GPO Editor window you're using) click on View > Filtering.
6. Click to un-select the "Only show policy settings that can be fully managed" check-box. Click OK.
7. Click on Computer Configuration>>Administrative Templates>>Custom Policy Settings>>Restrict Drives>>Disable USB Removable Drivers.
8. Select Enabled; from the drop-down menu for the usbstor.sys driver status, select Stopped.

Creating a new registry entry in the local computer through GPO

1. Go to Computer Configuration>>Windows Settings>>Registry. Right-click, select Add Key, select MACHINE>>SYSTEM>>CurrentControlSet>>Services>>USBSTOR>>Security, then click OK.
2. Under Object Name, double-click Machine\SYSTEM\CurrentControlSet\Services\USBSTOR\Security and click Edit Security.
3. Click on the desired Group or User names, select them and Deny permissions for the users. Note: Alternatively, you could just add the name of the user or group you want to prevent from using USB storage devices.
4. Click Yes to the security warning.

Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and that we are applying the permission directly to a file, so we don't need to worry about inheritance from this object.

Modifying USBSTOR files

1. Go to Computer Configuration>>Administrative Templates>>File System. Right-click, select Add File and go to the following paths: "C:\Windows\Inf\Usbstor.pnf" and "C:\Windows\Inf\Usbstor.inf". Double-click both of the folders and follow the instructions.
2. Click on the desired Group or User names, select them and Deny permissions for the users. Note: Alternatively, you could just add the name of the user or group you want to prevent from using USB storage devices.
3. Click Yes to the security warning.

Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and that we are applying the permission directly to a file, so we don't need to worry about inheritance from this object.

4. Go to Run and type cmd. In the cmd window type "gpupdate /force". This will push the GPO out to the computers right away instead of waiting for 90 minutes, which is the default interval at which the GPO checks for updates.

http://support.microsoft.com/kb/823732
http://www.grouppolicy.biz/2010/02/how-to-use-group-policy-to-disable-usb-drives-on-windows-xp

    ; Each policy writes the "Start" value of one driver service key.
    ; Choosing "Enabled" writes 4, which disables the driver; choosing
    ; "Disabled" writes the other value listed for that driver.
    CLASS MACHINE
    CATEGORY !!category
      CATEGORY !!categoryname
        POLICY !!policynameusb
          KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
          EXPLAIN !!explaintextusb
          PART !!labeltextusb DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 3 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
        POLICY !!policynamecd
          KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
          EXPLAIN !!explaintextcd
          PART !!labeltextcd DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 1 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
        POLICY !!policynameflpy
          KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
          EXPLAIN !!explaintextflpy
          PART !!labeltextflpy DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 3 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
        POLICY !!policynamels120
          KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
          EXPLAIN !!explaintextls120
          PART !!labeltextls120 DROPDOWNLIST REQUIRED
            VALUENAME "Start"
            ITEMLIST
              NAME !!Disabled VALUE NUMERIC 3 DEFAULT
              NAME !!Enabled VALUE NUMERIC 4
            END ITEMLIST
          END PART
        END POLICY
      END CATEGORY
    END CATEGORY

    [strings]
    category="Custom Policy Settings"
    categoryname="Restrict Drives"
    policynameusb="Disable USB"
    policynamecd="Disable CD-ROM"
    policynameflpy="Disable Floppy"
    policynamels120="Disable High Capacity Floppy"
    explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
    explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
    explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
    explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
    labeltextusb="Disable USB Ports"
    labeltextcd="Disable CD-ROM Drive"
    labeltextflpy="Disable Floppy Drive"
    labeltextls120="Disable High Capacity Floppy Drive"
    Enabled="Enabled"
    Disabled="Disabled"
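One way to verify the result on a workstation once the GPO has applied, covering both the USBSTOR "Start" value written by the ADM policy and the SYSTEM permissions on the Usbstor files described earlier. This is an added example, not part of the original document; the function name Test-UsbStorageBlock is hypothetical, and it assumes PowerShell is available on the machine being checked.

```powershell
# Added example (not from the original page): report where an endpoint deviates
# from the state this procedure is meant to enforce. Test-UsbStorageBlock is a
# hypothetical name; the registry key and file names are the ones the page uses.
function Test-UsbStorageBlock {
    param(
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR',
        [string[]]$DriverFiles = @("$env:SystemRoot\Inf\Usbstor.inf",
                                   "$env:SystemRoot\Inf\Usbstor.pnf")
    )
    $systemSid = 'S-1-5-18'   # well-known SID of the local SYSTEM account
    $findings  = @()

    # The ADM policy writes the "Start" value: 4 = driver disabled, 3 = loads on demand.
    $svc = Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "USBSTOR service key or Start value not found"
    } elseif ($svc.Start -ne 4) {
        $findings += "USBSTOR Start is $($svc.Start), expected 4 (disabled)"
    }

    # The page removes SYSTEM's access to these files; any Allow entry that is
    # still present for SYSTEM (explicit or inherited) is reported.
    foreach ($file in $DriverFiles) {
        if (-not (Test-Path -Path $file)) {
            $findings += "$file not found"
            continue
        }
        $acl   = Get-Acl -Path $file
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $systemSid -and
                $rule.AccessControlType -eq 'Allow') {
                $findings += "$file still grants SYSTEM: $($rule.FileSystemRights)"
            }
        }
    }
    return $findings
}

# Run from an elevated prompt after "gpupdate /force"; no output means no deviation.
Test-UsbStorageBlock
```

A SYSTEM finding is expected while access has been restored for a Service Pack deployment, as noted above, and should clear once the permissions are removed again.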
