Hello,
I am trying to implement a GPO that will prevent users from plugging USB flash drives into designated workstations. I have looked at a majority of the other popular articles to no avail.
I have created a test environment. I have created an OU that has blocked inheritance. Inside that OU there is a folder labeled Computer and one labeled User. I created a new user account and dropped it into the User folder, and I migrated a test machine into the Computer folder. I then linked both the Computer and User folders to the test GPO and enabled it.
The GPO itself has everything configured under Computer Configuration > Windows Settings > Security Settings > File System to deny full access to usbstor.inf and usbstor.PNF for the SYSTEM and COMPUTER NAME\USER accounts. As far as I can tell this works fine...
The real problem is with the registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start. The GPO is set under User Configuration > Preferences > Windows Settings > Registry with the following entry:
Action: Replace
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR
Value name: Start
Value type: REG_DWORD
Value data: 4
Base: Hexadecimal
When I log into the test PC with the test user account, I can go into the registry and see that the value is still set to 3!
I have tried to change the Action from Replace to Update. I have also tried to implement the .adm file listed here: Support page for "HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers".
This did not work either.
I am able to manually change the value to 4, and then it properly disables the ability to use a flash drive.
It seems to be an issue with permissions or something. Any ideas?
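For anyone troubleshooting the same setup, here is an added audit script (not from the original post or from Microsoft) that reports what the GPO described above actually left on the test PC: the USBSTOR Start value, the concrete ControlSet that CurrentControlSet resolves to, and the Deny entries on usbstor.inf / usbstor.PNF. The function name Get-UsbStorPolicyState and the Start-type table are my own; the registry and INF paths are the ones from the question.

```powershell
# Added example: audit the USBSTOR driver state and INF ACLs that the GPO
# in the question is meant to set. Run in an elevated PowerShell on the test PC.
function Get-UsbStorPolicyState {
    [CmdletBinding()]
    param()

    # Service start types: 3 = Manual (driver loads when a mass-storage device
    # is plugged in), 4 = Disabled (the state the GPO is trying to enforce).
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # CurrentControlSet is an alias; HKLM\SYSTEM\Select\Current holds the
    # number of the real ControlSet00N key, so report both for comparison.
    $current  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current
    $realKey  = 'HKLM:\SYSTEM\ControlSet{0:D3}\Services\USBSTOR' -f $current
    $aliasKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start    = (Get-ItemProperty -Path $aliasKey -Name Start).Start

    # File System policy from the question: collect the Deny ACEs on the
    # driver INF files so you can see which identities are actually blocked.
    $infFiles = @("$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.PNF")
    $denies = foreach ($f in $infFiles) {
        if (Test-Path -LiteralPath $f) {
            (Get-Acl -LiteralPath $f).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object {
                    '{0}: {1} denied {2}' -f (Split-Path $f -Leaf), $_.IdentityReference, $_.FileSystemRights
                }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ResolvedKey    = $realKey
        Start          = $start
        StartMeaning   = $startNames[[int]$start]
        UsbStorBlocked = ($start -eq 4)
        InfDenyEntries = $denies
    }
}

Get-UsbStorPolicyState | Format-List
```

Run it after `gpupdate /force` and a fresh logon with the test user; if `gpresult /r` lists the GPO as applied but Start is still 3, the problem is the preference item failing to write the value rather than the GPO not reaching the machine.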