Disable USB for some local users
Solution 1
When you do this, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
- In the details pane, double-click Start.
- In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
- Exit Registry Editor.
If you want to enable it again, just change this value to 3.
Microsoft have a tool that you can download here to fix this.
Solution 2
Start gpedit.msc and make a new GPO. Set the filters so the admin user doesn't execute this GP. Configure the read/write/execute access items under: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
Edit: OK, I just reread the question: no local policies. It's the best way to do it, though.
Solution 3
If a USB storage device is not already installed on the computer
If a USB storage device is not already installed on the computer, assign the user or the group and the local SYSTEM account Deny permissions to the following files:
- %SystemRoot%\Inf\Usbstor.pnf
- %SystemRoot%\Inf\Usbstor.inf
When you do this, users cannot install a USB storage device on the computer.
To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:
- Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
- Right-click the Usbstor.pnf file, and then click Properties.
- Click the Security tab.
- In the Group or user names list, add the user or group that you want to set Deny permissions for.
- In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
  Note: Also add the System account to the Deny list.
- In the Group or user names list, select the SYSTEM account.
- In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
- Right-click the Usbstor.inf file, and then click Properties.
- Click the Security tab.
- In the Group or user names list, add the user or group that you want to set Deny permissions for.
- In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
- In the Group or user names list, select the SYSTEM account.
- In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
For further info: https://support.microsoft.com/kb/823732
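A read-only check of the settings described in Solution 1 and Solution 3, as an added example that is not part of the original answers or of the Microsoft article. The function names are made up for illustration; the script changes nothing and only reports the UsbStor Start value and any Deny entries on the two driver files.

```powershell
# Added example (not from the original answers). Function names are hypothetical.

function Get-UsbStorStartValue {
    # Solution 1: Start = 4 disables USB storage, Start = 3 enables it again.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $prop = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.Start
}

function Get-UsbStorDenyEntries {
    # Solution 3: list the Deny entries on Usbstor.pnf and Usbstor.inf.
    foreach ($name in 'Usbstor.pnf', 'Usbstor.inf') {
        $file = Join-Path $env:SystemRoot "Inf\$name"
        if (-not (Test-Path -Path $file)) {
            [pscustomobject]@{ File = $file; Identity = $null; Rights = 'file not found' }
            continue
        }
        $deny = @((Get-Acl -Path $file).Access |
                  Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -eq 0) {
            [pscustomobject]@{ File = $file; Identity = $null; Rights = 'no Deny entries' }
        }
        else {
            foreach ($ace in $deny) {
                [pscustomobject]@{
                    File     = $file
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

$start = Get-UsbStorStartValue
if ($null -eq $start) {
    'UsbStor Start value: not present'
}
elseif ($start -eq 4) {
    'UsbStor Start value: 4 (USB storage disabled, as set in Solution 1)'
}
elseif ($start -eq 3) {
    'UsbStor Start value: 3 (USB storage enabled)'
}
else {
    "UsbStor Start value: $start (neither of the two values used in Solution 1)"
}

Get-UsbStorDenyEntries | Format-Table -AutoSize
```

For Solution 3 to be in place as described, each file should show a Full Control Deny entry for the restricted user or group and one for SYSTEM.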
magol
I'm working with an old data collection system from around 1980 in Swedish nuclear power plants. I develop most applications around these computers. Most are applications that convey information from and to other systems, but also tools of various kinds.
Updated on September 18, 2022
Comments
-
magol over 1 year
Our customer wants that systems we deliver must fulfill these requirements:
- Only the admin user is able to access USB flash drives.
- All other local users must not be able to access USB flash drives at all.
Ideally, they want us not to edit local policies. But if it is required, it is OK to use. The computer is not connected to any domain controller.
I wonder if it is possible to meet these requirements?
-
MSalters over 10 years
So no USB mouse, no USB keyboard? That's going to be tricky nowadays.
-
magol over 10 years
Haha, you're right. It was a bit too harsh demands. It is of course USB flash drive I mean. Thank you for pointing out my mistake.
-
magol over 10 years
Thank you very much. But this does not solve my problem. This means that NO users can use USB, and what I want is to just limit it to a few accounts.
-
MSalters over 10 years
Well, they can't have any global policies (no DC) and systemwide settings aren't acceptable either (Admin must have access), so there's not really much room left for an "ideally, they want..."
-
magol over 10 years
Thank you very much for your answer. If editing local policies is necessary, it is OK to edit them. But as MSalters said, we cannot use GPO as we don't have any DC available. :-(
-
Jannis Alexakis over 10 years
How about MLGPOs?