|I'm doubtful you can do that through AD considering they're a physical device on the local computer controlled through the computer's BIOS. |
I suspect you'd have to go physically unplug all USB ports on all clients. This is what we used to do with floppy drives and CD-ROM's back in the day.
I could be wrong and if I am, hopefully someone else will chime in and tell you how to do it. If you haven't already searched "disable USB in a security policy in AD" (or something like that) on Microsoft's site and google, you should. I'm sure if there is a way, you'd be able to find a link to it.
It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.