ITPub博客

首页 > Linux操作系统 > Linux操作系统 > HOWTO: Use Group Policy to disable USB, CD-RO

HOWTO: Use Group Policy to disable USB, CD-RO

原创 Linux操作系统 作者:vcdone 时间:2008-03-12 12:06:28 0 删除 编辑

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

http://support.microsoft.com/kb/555324/en-us

SUMMARY Microsoft Group Policy allows the creation of customised ADM templates to apply registry settings that are not available by default. The ADM template in this article works by disabling the driver of the above devices.

SYMPTOMS By default, Group Policy does not offer a facility to easily disable drives containing removable media, such as USB ports, CD-ROM drives, Floppy Disk drives and high capacity LS-120 floppy drives. However, Group Policy can be extended to use customised settings by applying an ADM template. The ADM template in this article allows an Administrator to disable the respective drivers of these devices, ensuring that they cannot be used.

RESOLUTION Import this administrative template into Group Policy as a .adm file. See the link in the More Information section if you are unsure how to do this.   CLASS MACHINE CATEGORY !!category  CATEGORY !!categoryname   POLICY !!policynameusb    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"    EXPLAIN !!explaintextusb      PART !!labeltextusb DROPDOWNLIST REQUIRED          VALUENAME "Start"        ITEMLIST         NAME !!Disabled VALUE NUMERIC 3 DEFAULT         NAME !!Enabled VALUE NUMERIC 4        END ITEMLIST      END PART    END POLICY   POLICY !!policynamecd    KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"    EXPLAIN !!explaintextcd      PART !!labeltextcd DROPDOWNLIST REQUIRED          VALUENAME "Start"        ITEMLIST         NAME !!Disabled VALUE NUMERIC 1 DEFAULT         NAME !!Enabled VALUE NUMERIC 4        END ITEMLIST      END PART    END POLICY   POLICY !!policynameflpy    KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"    EXPLAIN !!explaintextflpy      PART !!labeltextflpy DROPDOWNLIST REQUIRED          VALUENAME "Start"        ITEMLIST         NAME !!Disabled VALUE NUMERIC 3 DEFAULT         NAME !!Enabled VALUE NUMERIC 4        END ITEMLIST      END PART    END POLICY   POLICY !!policynamels120    KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"    EXPLAIN !!explaintextls120      PART !!labeltextls120 DROPDOWNLIST REQUIRED          VALUENAME "Start"        ITEMLIST         NAME !!Disabled VALUE NUMERIC 3 DEFAULT         NAME !!Enabled VALUE NUMERIC 4        END ITEMLIST      END PART    END POLICY  END CATEGORY END CATEGORY   [strings] category="Custom Policy Settings" categoryname="Restrict Drives" policynameusb="Disable USB" policynamecd="Disable CD-ROM" policynameflpy="Disable Floppy" policynamels120="Disable High Capacity Floppy" explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver" explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver" explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver" explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver" labeltextusb="Disable USB Ports" labeltextcd="Disable CD-ROM Drive" labeltextflpy="Disable Floppy Drive" labeltextls120="Disable High Capacity Floppy Drive" Enabled="Enabled" Disabled="Disabled"

 

MORE INFORMATION For more information about applying Administrative Template files, including instructions on how to use the above template, download the Microsoft White Paper 'Using Administrative Template Files with Registry-Based Group Policy' from here.   http://www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en   This template is considered a preference rather than a true policy and will tattoo the registry of client computers with its settings. If this template is moved out of scope of the Group Policy which applies it, the registry changes it makes will remain. If you wish to reverse the settings made by this template, simply reverse the options to re-enable the drivers.   Preference settings are hidden by default in the Group Policy template editor. When applying this template, follow these instructions to change the view settings that allow preferences to be viewed.   http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/e50f1e64-d7e5-4b6d-87ff-adb3cf874365.mspx

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/15453509/viewspace-485774/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论

注册时间:2008-08-25

  • 博文量
    397
  • 访问量
    171249