That makes a couple of Policies appear under Administrative Templates and System called USB Services (or at least it would if I hadn't made a typo above, so USB Storage Services).
It sets two registry values (Start) which determine whether a USB device will start up. Once the policy is applied it will simply stop the USB Devices loading on the Computers you apply the Policy to.
The Fully Managed thing is in the descriptions, but if you set the Policies to Enabled (to disable the device) it won't set back unless you reverse the Policy.
Disable the USB ports
This is a registry mod and vbscript that will do the following:
- Disable the USB ports on a computer
- Modifies the registry key from a hexadecimal value of 3 (enabled) to 4 (default)
- Can be used to manage a network environment by calling it from an existing login script or by adding it to the User Configuration section in a Group Policy (AD environment or local group policy)
- If you use the file in a group policy, make sure you use assign it from the "Computer" section, not the "User" section. This will prevent any problems from occurring if the user is not a local admin
Here is the reg file that you will need to use to disable MS Balloon Notifications (the batch file will be posted shortly)
- Can be used to manage a network environment by calling it from an existing login script or by adding it to the User Configuration section in a Group Policy (AD environment or local group policy)
- If you use the file in a login script, the user logging in has to be in the local administrators group. If the user isn't in that group or doesn't have admin rights, the script won't run.
- If you use the file in a group policy, make sure you use assign it from the "Computer" section, not the "User" section. This will prevent any problems from occurring if the user is not a local admin
Microsoft Balloon Notification Scripts
Basic Login Script
Scripts and Registry Files
502-710-1764
www.GeekMadeEasy.com
This is a basic login script which will do the following (meant to be used in a Windows Active Directory environment but can be easily modified to use in a Windows non-AD environment as well)
- Verify that the OS is a Windows version
- Verify that the OS is Windows XP
- Delete existing drive mappings
- Map the M drive to the server and shared folder which has the ifmember.exe (Get it here if you don't have it already)
- Map the N drive to the name of a shared folder based on whether the user is apart of the department listed
- Copy a shortcut to the user's desktop if the user doesn't already have the desktop listed
- Delete a shortcut from the user's desktop if the shortcut is on the user's desktop and copies a new shortcut to the desktop
- Map the S drive to a shared folder on the server that has the same name as the user's username
- Map T drive to a shared folder if the user is in the group listed
- Script exits
The script requires you to modify some of the entries in the script to work in your environment (remove the <<>> and then enter in the proper info)
For <<server.name>>, enter in the name of the server that you want the script to access or the server that has the folder you want the drive letter to map to
For <<shared.folder>>, enter in the name of the shared folder. The folder has to be shared out!
For <<domain name>>, enter in the name of your domain or workgroup.
For <<group.name>>, enter in the name of the group the user should be a member of.
When using ifmember: the ifmember.exe should be in a shared folder that the users can access. To test this, put the .exe file in a network share and from a user's workstation, browse to the network share. If you get errors, the login script won't work!
MS Fix-it file
If you will be using this in an Active Directory environment, do the following:
- Copy this into a file named USB.ADM (ignoring the Start and End lines).
- In order to see the Policy once you've loaded it you must select Administrative Templates, then View and Filtering and remove the Tick from:
>>Only show policy settings that can be fully managed-----------------------------------------------Start-----------------------------------------------
CLASS MACHINE
CATEGORY "System"
CATEGORY "USB Services"
POLICY "Disable Access to USB Storage Devices"
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
#if version >= 4
SUPPORTED !!SUPPORTED_Windows2000
#endif
#if version >= 3
EXPLAIN !!USBStorageCfg_Help
#endif
VALUENAME "Start"
VALUEOFF NUMERIC 3
VALUEON NUMERIC 4
END POLICY
POLICY "Disable Access to USB Hub Services"
KEYNAME "SYSTEM\CurrentControlSet\Services\USBHUB"
#if version >= 4
SUPPORTED !!SUPPORTED_Windows2000
#endif
#if version >= 3
EXPLAIN !!USBHUBCFG_Help
#endif
VALUENAME "Start"
VALUEOFF NUMERIC 3
VALUEON NUMERIC 4
END POLICY
END CATEGORY
END CATEGORY
[Strings]
SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"
USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."
USBHUBCFG_Help="Setting this policy to Enabled stops USB HUB Devices from loading.\n\nPlease note that this is not fully managed. Example: If this policy set to Not Configured the registry value will not return to its original state."
-----------------------------------------------End-----------------------------------------------
From Microsoft's site, fix-it 50061
