Enabling Locked Down Removable Storage for certain users

Good Afternoon,

I have got a client who has locked down their machines to stop users from accessing\copying files to removable storage devices such as CD/DVD-Rs, USB sticks and floppy drives; basically they have gone the whole way and locked down everything. The good news is this works and now no one is able to access any removable storage; unfortunately there is a group of users who require access to save, move and copy documents to and from removable storage.

They have disabled the Removable drives via GPO using the following article:


They have created two GPOs, one for Disabling the Removable Storage and one for Enabling Removable Storage. I have ensured that the GPO for Enabling Removable Storage is applied to the machine after the one to Disable the storage.

Each GPO is set to only apply to a certain group either "Disable Removable Storage" which most users are a member of or "Enable Removable Storage" which only has the privileged users.

I have double-checked the Enable Removable Devices GPO to ensure that the services have been started for each of the devices that should be accessed.

On each machine the Removable Storage Driver is stopped in services and I can't start it as I keep getting a "Code 5 unable to start this service because you do not have permissions" error.

If I run a gpresult on each machine I can see the user has had the Enable Removable Storage Policy applied. But they can't access anything.

Users are not members of any special groups on the workstation just "users"

Can someone please help me with this?

Many thanks in advance

Stan Ferguson-Smith

Without seeing the full RSoP it would be hard to determine, since other GPO settings could be preventing this. Most probably it is because the user account logged in does not have permission on the service. You can add this permission to your overwriting GPO as well.

gwyddon (Author) commented:
I will get a RSoP from one of the machines and get it uploaded ASAP for you.
Well, you actually should create 2 separate user groups. You can keep everyone that needs access disabled as regular users, but then create another group (e.g. Storage Users), and increase their privileges to allow them access to start services and anything else they need.
Go back to usbstor.sys/usbstor.inf, and make sure that the System, and their User group has permissions to read/execute the files (c:\windows\system32\drivers\etc and c:\windows\inf respectively...).
I mean no sarcasm in this, but have you rebooted the machine? Even though the GPO may have applied, since it is a Computer policy, the policy cannot necessarily finish unless the machine is rebooted.
gwyddon (Author) commented:
@johnb6767: I have just made the change to Group Policy now and will be forcing that through in the next 15 min or so. I will let you know what happens.

@jillmjones: This issue has been happening for a month or so, so most of the machines have been rebooted several times now, including the PDC.
gwyddon (Author) commented:
I ended up going to site to sort this yesterday; it was indeed another GPO that was kicking in higher up the tree that had no values configured.
Glad you found the answer.
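
The checks suggested in this thread (driver service state, permissions on the usbstor files, and a full RSoP showing every GPO that applied), gathered into one script as an added example; it is not part of any poster's reply. It assumes the lock-down uses the common USBSTOR approach, and the registry key, the driver file locations and the report path are assumptions to adjust for the site.

```powershell
# Added diagnostic sketch; run from an elevated PowerShell prompt on an affected workstation.
# Assumption: the lock-down disables the USBSTOR driver and/or restricts the ACLs on
# usbstor.sys and usbstor.inf. Adjust the paths if the site's GPO works differently.

$report = "$env:TEMP\rsop-$env:COMPUTERNAME.html"   # hypothetical output location

# 1. USB mass-storage driver start type: 3 = load on demand, 4 = disabled.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
if ($null -eq $start) { "USBSTOR Start value: key or value not found" }
else                  { "USBSTOR Start value: $start" }

# 2. ACLs on the driver files. An explicit Deny entry for any group the user is in
#    takes precedence over Allow entries, regardless of GPO processing order.
$files = "$env:SystemRoot\System32\drivers\usbstor.sys",
         "$env:SystemRoot\inf\usbstor.inf"
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "$f : not found"; continue }
    "ACL for $f"
    (Get-Acl -LiteralPath $f).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# 3. Full Resultant Set of Policy as HTML: lists every GPO that applied, including
#    ones linked higher up the OU tree, and which GPO won each setting.
gpresult /h $report /f
"RSoP report written to $report"

# 4. Quick console view of the computer-scope GPOs that were applied or filtered out.
gpresult /r /scope computer
```

The computer-scope sections of `gpresult` require elevation; without it only the user-scope results are returned.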