Most Administrators know that you can use a GPO to disable the ability to use USB storage devices on Windows computers. So you look up the instructions and implement the policy, but how do you know if it’s working?
I’m sure you made a test OU while you were working out the best option for your situation, but if you are disabling access for security reasons you’ll need a report. There are a few ways that you could go about getting the data. I like PowerShell. The code below will search your domain computers for USB storage. You should be aware that savvy users can use online tools to fool detection. As always, use at your own risk.
# Author: kevin-trent@hotmail.com; https://techbloggingfool.com
# Get-UsbStorage.ps1
# Uses WMI to retrieve actively attached USB storage devices from all domain workstations.
# Run from a Domain Controller or a domain-member computer with the RSAT tools installed.
# Requires WinRM be enabled on workstations. See https://docs.microsoft.com/en-us/windows/win32/winrm/portal
Import-Module ActiveDirectory
Function USBDisks {
    # Enabled computer accounts whose operating system is not a server edition
    $Computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties DNSHostName |
        Select-Object -ExpandProperty DNSHostName
    Foreach ($Computer in $Computers) {
        # Get-CimInstance queries WMI over WinRM (WS-Man); DriveType 2 = removable disk
        Get-CimInstance -ClassName Win32_Volume -ComputerName $Computer |
            Where-Object { ($_.DriveType -eq 2) -and ($null -ne $_.Capacity) } |
            Select-Object @{n="Computer";e={$Computer}},
                @{n="Drive Letter";e={$_.Caption}},
                @{n="Label";e={$_.Label}},
                @{n="Capacity(GB)";e={"{0:N2}" -f ($_.Capacity/1GB)}},
                @{n="FreeSpace(GB)";e={"{0:N2}" -f ($_.FreeSpace/1GB)}},
                @{n="Pagefile Detected";e={$_.PagefilePresent}}
    }
}
# Sort by computer name and write the report to the current user's Documents folder
$report = USBDisks | Sort-Object Computer
$report | Export-Csv "$env:USERPROFILE\Documents\USBDisks.csv" -NoTypeInformation
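The report above only lists volumes that are mounted at the moment of the scan, so a workstation with no row may be clean, offline, or never have received the policy. The following added example (not part of the original script) records a status for every workstation instead. It assumes the GPO in use is "All Removable Storage classes: Deny all access", which sets the `Deny_All` registry value; the status names and the output file name are made up for illustration.

```powershell
# Added example, not the author's code.
# Assumption: the GPO is "All Removable Storage classes: Deny all access",
# which writes Deny_All = 1 under the policy key below. Adjust for another policy.
Import-Module ActiveDirectory

# Runs on each workstation: read the policy value and count mounted removable volumes
$PolicyCheck = {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $value = (Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    # DriveType 2 = removable disk, the same filter the report script uses
    $mounted = @(Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveType -eq 2 -and $null -ne $_.Capacity })
    [pscustomobject]@{ DenyAll = $value; MountedUsbVolumes = $mounted.Count }
}

$Computers = Get-ADComputer -Filter 'OperatingSystem -notlike "*server*" -and Enabled -eq "true"' -Properties DNSHostName |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($Computer in $Computers) {
    try {
        $r = Invoke-Command -ComputerName $Computer -ScriptBlock $PolicyCheck -ErrorAction Stop
        if ($r.DenyAll -ne 1) {
            $status = 'PolicyMissing'              # GPO value absent or not set to 1
        } elseif ($r.MountedUsbVolumes -gt 0) {
            $status = 'PolicySetButVolumeMounted'  # flag for manual review
        } else {
            $status = 'Compliant'
        }
        [pscustomobject]@{
            Computer          = $Computer
            Status            = $status
            DenyAll           = $r.DenyAll
            MountedUsbVolumes = $r.MountedUsbVolumes
        }
    }
    catch {
        # Offline or WinRM not reachable: record it so the gap is visible in the report
        [pscustomobject]@{
            Computer = $Computer; Status = 'Unreachable'; DenyAll = $null; MountedUsbVolumes = $null
        }
    }
}

$results | Sort-Object Status, Computer |
    Export-Csv "$env:USERPROFILE\Documents\UsbPolicyCoverage.csv" -NoTypeInformation
```

Rows marked `Unreachable` were not checked at all, so rerun the script against them before treating the report as complete.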