Disable USB for some local users

Solution 1

When you do this, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.

3. Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

4. In the details pane, double-click Start.

5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.

6. Exit Registry Editor.

If you want to enable again just change this value to 3.

Microsoft have a tool that you can download here to fix this.

Source

Solution 2

Start gpedit.msc and make a new GPO. Set the filters so the admin user doesn´t execute this GP. Configure the read/write/execute items access under: Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.

Edit: ok, i just reread the question : no local policies. It´s the best way to do it, though.

Solution 3

If a USB storage device is not already installed on the computer

If a USB storage device is not already installed on the computer, assign the user or the group and the local SYSTEM account Deny permissions to the following files:

%SystemRoot%\Inf\Usbstor.pnf %SystemRoot%\Inf\Usbstor.inf

When you do this, users cannot install a USB storage device on the computer.

To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.

Right-click the Usbstor.pnf file, and then click Properties.

Click the Security tab.

In the Group or user names list, add the user or group that you want to set Deny permissions for.

In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.

Note Also add the System account to the Deny list.

In the Group or user names list, select the SYSTEM account.

In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

Right-click the Usbstor.inf file, and then click Properties.

Click the Security tab.

In the Group or user names list, add the user or group that you want to set Deny permissions for.

In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.

In the Group or user names list, select the SYSTEM account.

In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

For further info: https://support.microsoft.com/kb/823732

Related videos on Youtube

02 : 58

How to Enable or Disable USB Ports In Windows 10/8/7 [Tutorial]

MDTechVideos

143

03 : 17

How to Disable USB Devices Using Group Policy

MSFT WebCast

66

03 : 06

Disable USB for some local users (3 Solutions!!)

Roel Van de Paar

11

03 : 55

How to block USB port in windows 10 using group policy

Multi Care Technical

7

04 : 38

How to Disable USB External Storage Devices on Client Computers From the Domain Server 2019

DO IT / mostafa ahmed

1

Author by

magol

I'm working with a old data collection system from around 1980 in Swedish nuclear power plants. I develop most applications around these computers. Most are applications that convey information from and to other systems, but also tools of various kinds.

Updated on September 18, 2022