Enabling/disabling USB devices on Windows for certain users with Active Directory

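For information disclosure reasons, I have been asked to block access to USB devices on Windows machines.

While this can be done through Active Directory, the problem is that the solution should allow us to enable access for certain users for a limited authorization period.

How can Active Directory do this (if it is possible)?

If not, which software can I use to do it?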

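What you are talking about are settings that apply to computers, not users. If you don't mind applying it to computers, you can create a security group and put the computers that should not be "restricted" into it. Modify the permissions on the Group Policy Object where you apply these restrictions to include a "Deny Apply Group Policy" for the computer group you created, and the settings will no longer apply to those computers. You can move computers in and out of the group as needed, but I'm fairly sure you'll be stuck restarting the computers for the change between restricted and unrestricted to take effect.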
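One way to handle the "limited authorization period" from the question on top of the exemption group described in the answer above, as an added example that is not code from the thread. It assumes the forest has the Privileged Access Management optional feature enabled (temporal group membership, available from the Windows Server 2016 forest functional level); the group name `USB-Restriction-Exempt` and the computer name `WS-0042` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: time-boxed exemption from the USB-restriction GPO.
# Assumptions (not from the thread): the group and computer names below,
# and that the Privileged Access Management optional feature is enabled.

function Grant-UsbExemption {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $ComputerName,

        # Hypothetical group that carries "Deny Apply Group Policy" on the GPO.
        [string] $ExemptGroup = 'USB-Restriction-Exempt',

        # Cap the window so an exemption cannot quietly become permanent.
        [ValidateRange(1, 72)]
        [int] $Hours = 8
    )

    # Temporal membership is rejected unless the PAM feature is enabled.
    $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $pam -or $pam.EnabledScopes.Count -eq 0) {
        throw 'Privileged Access Management Feature is not enabled in this forest.'
    }

    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    $ttl      = New-TimeSpan -Hours $Hours

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName,
                                "Add to $ExemptGroup for $Hours hour(s)")) {
        # AD removes the membership by itself when the TTL runs out.
        Add-ADGroupMember -Identity $ExemptGroup -Members $computer -MemberTimeToLive $ttl
    }

    # Return the member entry with its remaining TTL, e.g. "<TTL=28800>,CN=...".
    (Get-ADGroup -Identity $ExemptGroup -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like "*$($computer.DistinguishedName)" }
}

# Hypothetical computer name; add -WhatIf to preview without changing AD.
Grant-UsbExemption -ComputerName 'WS-0042' -Hours 8
```

The restart requirement mentioned in the answer above still applies in both directions: the computer picks up the membership change, and its expiry, only when it next evaluates its group membership.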

From what I hear, epoxy is a very popular solution to this problem.

How to prevent users from using USB drives in violation of security

Physical port locks for Ethernet, USB, phone, etc.?

Actually, GP looks like the best answer:

http://windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html

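I set up an ADM at my last company and applied the GP to certain groups. Enable mass storage and disable mass storage. If the group changes, they need to reboot. It's a registry change that basically disables the USB mass storage driver.

Here is the ADM I used. Grabbed it from Google a few years ago.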

```
CLASS MACHINE
CATEGORY !!category
  CATEGORY !!categoryname

    POLICY !!policynameusb
      KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
      EXPLAIN !!explaintextusb
      PART !!labeltextusb DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamecd
      KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
      EXPLAIN !!explaintextcd
      PART !!labeltextcd DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 1 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynameflpy
      KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
      EXPLAIN !!explaintextflpy
      PART !!labeltextflpy DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

    POLICY !!policynamels120
      KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
      EXPLAIN !!explaintextls120
      PART !!labeltextls120 DROPDOWNLIST REQUIRED
        VALUENAME "Start"
        ITEMLIST
          NAME !!Disabled VALUE NUMERIC 3 DEFAULT
          NAME !!Enabled VALUE NUMERIC 4
        END ITEMLIST
      END PART
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB Removable Drives"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the USB Removable Drives capability by disabling the usbstor.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the usbstore.sys driver status in the drop-down list. \n\nNote that this will only prevent usage of newly plugged-in USB Removable Drives or Flash Drives, devices that were plugged-in while this option was not configured will continue to function normally. Also, devices that use the same device or hardware ID (for example - 2 identical Flash Disks made by the same manufacturer) will still function if one of them was plugged-in prior to the configuration of this setting. In order to successfully block them you will need to make sure no USB Removable Drive is plugged-in while you set this option. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the usbstore.sys driver status in the drop-down list."
explaintextcd="Disables the CD-ROM Drive by disabling the cdrom.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the cdrom.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the cdrom.sys driver status in the drop-down list."
explaintextflpy="Disables the Floppy Drive by disabling the flpydisk.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the flpydisk.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the flpydisk.sys driver status in the drop-down list."
explaintextls120="Disables the High Capacity Floppy Drive by disabling the sfloppy.sys driver. \n\nSelect the ENABLED radiobox, then select STOPPED for the sfloppy.sys driver status in the drop-down list. \n\nIn order to re-enable the usage of USB Removable Drives select STARTED for the sfloppy.sys driver status in the drop-down list."
labeltextusb="usbstore.sys driver status"
labeltextcd="cdrom.sys driver status"
labeltextflpy="flpydisk.sys driver status"
labeltextls120="sfloppy.sys driver status"
Enabled="Stopped"
Disabled="Started"
```

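If USB mass storage devices were disabled using gpedit in Windows 7

  1. Reset the gpedit configuration: set "All Removable Storage classes: Deny all access" to Not Configured
  2. Then gpupdate
  3. Driver installation
    Device Manager -> Update Driver -> Browse: c -> windows -> inf -> usbsstore.disabled (rename usbstore.disabled to usbstore.inf, then select usbstore.inf) -> Next, Finish
  4. Restart the machine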