Here's the template file, ControlUSB.ADM:
CLASS MACHINE
CATEGORY !!WindowsSystemCat
  CATEGORY !!USBControlCat
    POLICY !!ConfigureUSBDeviceStatus
      KEYNAME "System\CurrentControlSet\Control\StorageDevicePolicies"
      VALUENAME "WriteProtect"
      VALUEON Numeric "1"
      VALUEOFF Numeric "0"
      #if version >= 3
      EXPLAIN !!USBUpdateCfg_Help
      #endif
    END POLICY
  END CATEGORY ;; USBControlCat
END CATEGORY ;; WindowsSystemCat
[strings]
WindowsSystemCat="System"
USBControlCat="USB Device Control"
ConfigureUSBDeviceStatus="Set ALL USB Devices on this System to Read Only"
SUPPORTED_WindowXPSP2="Windows XP SP2"
USBUpdateCfg_Help="Specifies whether this system's USB Drives are Read Only or Read Write"
To use this policy, first save it with your other templates (%systemroot%\inf). Next, open either the local or the group policy editor, import the template, and away you go.
There is one small issue here that caused me to scratch my head. When I first imported the template, I could see the node in the MMC console tree, but the policy did not appear in the results window. I scratched my head for several hours, then got some help from my Greek MCT buddy Dimitris. He pointed out that I had to change the setting in the MMC (View/Filtering, and de-select the 'Only show policy settings that can be fully managed' option).

This happens because the registry key that is used for this setting is not part of the Policy sub-key. If you apply this setting to a machine, then remove the policy, the setting will remain on your system (unless you reverse it, or take the registry key out). Once you change the view settings, the MMC tool even tells you this!
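To check what the template has left behind on a machine, and to reverse it once the policy has been removed, here is an added PowerShell example (not part of the original post). The function names are hypothetical; the key path and value name are the ones the template writes.

```powershell
# Added example: audit and optionally reverse the WriteProtect setting written by ControlUSB.ADM.
# Function names are hypothetical; key and value name come from the template.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbWriteProtectState {
    # Describe the value currently present on this machine.
    $state = [pscustomobject]@{
        KeyExists    = Test-Path -LiteralPath $KeyPath
        ValueExists  = $false
        Value        = $null
        Meaning      = 'Read/write (key or value absent)'
        # Settings under a \Policies\ sub-key are removed when the policy stops applying;
        # anything written elsewhere, like this key, stays behind until it is reversed.
        IsTruePolicy = $KeyPath -match '\\Policies\\'
    }
    if ($state.KeyExists) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $state.ValueExists = $true
            $state.Value       = $item.$ValueName
            # VALUEON is 1 (read only), VALUEOFF is 0 (read/write) in the template.
            $state.Meaning     = if ($item.$ValueName -eq 1) { 'Read only' } else { 'Read/write' }
        }
    }
    $state
}

function Clear-UsbWriteProtect {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Remove only the WriteProtect value; the key and any other values are left alone.
    $state = Get-UsbWriteProtectState
    if (-not $state.ValueExists) { return }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove leftover value')) {
        Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName
    }
}

Get-UsbWriteProtectState | Format-List
# Clear-UsbWriteProtect -WhatIf   # preview the cleanup; run elevated without -WhatIf to apply
```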