USB mass storage, COM and LPT ports disabled for non-admins

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi all, my first post here...

I have a machine running Windows XP SP2; Administrators have no problems
using it. But non-admin users (incl. Power Users) get all COM ports (incl.
Bluetooth virtual ports), the LPT port and USB mass storage support disabled
at logon.
This is my personal laptop and I don't use any third party security
software. No viruses or malware (that I know of!). _I'm pretty sure this is
some trouble I inflicted on myself long ago, but just don't remember how to
undo it. Especially USB storage is needed for non-admin users.

I tried forcing the "Start" parameter for the USBSTOR driver to 4 (was 3 for
non admins). No dice. Uninstalled and let Windows reinstall the USB
mass.stor. drivers, no dice. Same behaviour as before.

Any help is much appreciated :)

Cheers!
/Oshadi
 
Hi CiPh3rT3kSt,

No, no ADM files. When I noticed this problem, I created an adm file for
disabling/enabling the USBSTOR driver (instructions from the net) and Enabled
the driver. But... no dice.
 
What were the steps you took during this procedure?
I would suggest first creating the .adm file and importing it into the group
policy that you are going to use. (I'm assuming you have already done this.)
Then in that same policy restrict access to the %SystemRoot%\Inf\Usbstor.pnf
and the %SystemRoot%\Inf\Usbstor.inf files. I am going to give you a
couple of links that you should look over and use as reference to completing
this task. Please feel free to post any other questions you may have; I check
back frequently.

Files to restrict access to:
http://support.microsoft.com/?kbid=823732

..ADM File:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555324&sd=rss&spid=3198


Thanks & Good Luck!

-- CiPh3rT3kSt
MCSE: Security 2003, CCNA, Security+
 
It certainly took a while but I found it!

This is a hp laptop with a TPM chip and some OEM tools from hp and Infineon
for management. The "HP ProtectTools Security Manager" has a section called
"Device Access Manager". In there, there is the "Simple Configuration"
option. From there you can disable USB devices for non-admins.

Apparently this isn't compatible with the popular group policy method of
doing things.

Case closed at long last.
 
Back
Top