Disable only USB storage while leaving other USB devices usable (1)

  
Group Policy can let a system use its USB ports while blocking flash drives.

I am the system administrator of my organization and manage about 50 computers. Because there are many computers and not enough staff, for ease of management the floppy and CD-ROM drives were removed from every computer, the cables to the front USB ports were unplugged, and the USB ports were disabled in the BIOS with a password set, so the USB ports could not be used. This kept staff from using flash drives to some extent, but with the USB ports disabled, USB mice, printers and similar devices could not be used either. Recently some departments asked to use laser printers and handwriting tablets. For the laser printers I barely managed to find a COM port to connect them to, but the tablets can only use USB. I want to allow USB devices (printers, tablets) without allowing USB storage. What should I do?

I. The commonly used methods are not feasible

I first tried the following two methods that many people use, and concluded that neither is feasible.

1. Use USB control software. I downloaded several USB control programs, such as myusbonly and USB control master, but the results in testing were not satisfactory. Myusbonly's control is good, but it has one drawback: when a flash drive is inserted, its drive letter appears and only disappears after a delay of a few seconds. If someone copies a file or plugs in an infected flash drive during those few seconds, the consequences can be severe.

2. Hide disk partitions. If I could hide and block access to disk partitions, I would get the effect I want. The organization uses domain management. Clients log in to the domain with low privileges, and most operations are restricted. Each client hard disk has 3 partitions. Access to drives C and D is forbidden, and only drive E can be used freely by the operator.
In addition, there is a network drive, P, that stores the shared files everyone needs to access. However, none of the seven drive-hiding options in Group Policy meets my requirement of allowing access only to drives E and P (Figure 1).

II. Modify the Group Policy file to hide drives

I happened to find the Microsoft page "Use Group Policy Object to hide the specified drive" (page link: http://support.microsoft.com/kb/231289/zh-cn). The article describes modifying the Group Policy file to hide disk partitions and block access to them, so I followed it right away. The method is as follows.

1. Determine the relationship between numbers and drive letters. I need to hide and disable every disk partition other than E and P. According to the article, a drive that should be hidden gets the value 1 and a drive that is not hidden gets the value 0, so the correspondence between the numbers and the drive letters is as follows:

Next, convert the binary string 11111111110111111111101111 to a decimal number. This can be done with the calculator that comes with Windows. The converted decimal number is 67076079.
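The conversion in step 1 can be checked and reversed in a few lines. This is an added example, not code from the original article; the function names are illustrative, and it assumes the bit layout the binary string above implies (rightmost bit = A, leftmost bit = Z). It generalizes the E and P case to any set of visible drives and builds the line added to system.adm; the display text in the second line is constructed.

```python
import string

LETTERS = string.ascii_uppercase  # bit 0 = A, bit 1 = B, ... bit 25 = Z

def drive_mask(visible):
    """Value that hides every drive letter except those in `visible`."""
    keep = {d.upper() for d in visible}
    bad = keep - set(LETTERS)
    if bad:
        raise ValueError(f"not drive letters: {sorted(bad)}")
    return sum(1 << i for i, d in enumerate(LETTERS) if d not in keep)

def hidden_drives(mask):
    """Decode a value back into the letters it hides (audit an existing entry)."""
    if not 0 <= mask < 1 << len(LETTERS):
        raise ValueError("mask must fit in 26 bits")
    return "".join(d for i, d in enumerate(LETTERS) if mask >> i & 1)

def mask_bits(mask):
    """26-digit binary form, Z on the left and A on the right."""
    return format(mask, "026b")

def adm_lines(visible):
    """Build the ITEMLIST line and the matching strings-section line."""
    mask = drive_mask(visible)
    name = hidden_drives(mask) + "Only"
    shown = ", ".join(sorted({d.upper() for d in visible}))
    item = f"NAME !!{name} VALUE NUMERIC {mask}"
    # The quoted display text below is constructed for this example.
    label = f'{name}="Hide all drives except {shown}"'
    return item, label

if __name__ == "__main__":
    value = drive_mask("EP")
    print(mask_bits(value), value)
    print("hidden:", hidden_drives(value))
    for line in adm_lines("EP"):
        print(line)
```

Decoding a value with `hidden_drives` before deploying it catches a mistyped digit, which would otherwise silently hide or expose the wrong letters. These settings restrict what Explorer shows and opens; they are not file-system permissions.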


2. Modify the system.adm file. Search drive C of the domain controller for system.adm. Several copies turn up in different folders, all with the same size and modification date. Copy any one of them and open it with Notepad. Look for "NoDrives" and "NoViewOnDrive", and add the line "NAME !!ABCDFGHIJKLMNOQRSTUVWXYZOnly VALUE NUMERIC 67076079" to the ITEMLIST section, as shown in Figure 2. Then find "Strings" and add the line ABCDFGHIJKLMNOQRSTUVWXYZOnly="Drives other than E and P", as shown in Figure 3. After making the changes, save the file and overwrite the original.

3. Edit the domain users' Group Policy. Restart the domain controller, open Group Policy from "Active Directory Users and Computers", and edit the domain users' Group Policy. Under "User Configuration" → "Administrative Templates" → "Windows Explorer", the settings "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer" now offer the new "except E, P drives" option, as shown in Figure 4.

After selecting this option and confirming, I picked a client, enabled its USB ports, logged in to the domain and inserted a flash drive. The flash drive icon appeared in the system tray in the lower right corner, but the drive letter was not shown in My Computer, and typing the drive letter into the address bar produced a message that access is not allowed. USB mice and other devices were not affected. USB storage was successfully disabled without affecting the use of other USB devices.

Finally, for safety reasons, I disabled AutoPlay in Group Policy.
