I need to block USB view and execute for users and allow for administrators, Windows 7 and 2008 R2 domain

I need to set up a GPO to block access to and execution from USB drives on Windows 7 workstations for users, but allow access and execution for administrators on the same workstations.

The domain is set up with Windows 7 64-bit workstations and my domain controller is Windows Server 2008 R2. Can this be done by domain GPO only, or is a registry setting required? I prefer using domain GPO.
Asked by Conrad_Bel
Skyler Kincaid (Network/Systems Engineer) commented:
These are the two policies that you would be using:

Computer Configuration | Administrative Templates | System | Removable Storage Access

and

Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restriction

but as you can see they are both Computer Configurations, so you won't be able to allow access for Administrators because it applies at the computer level.
piattnd commented:
Here's a link that describes somewhat of what you're talking about.  What you're talking about doing is not something that's out of the box from Microsoft GPO.

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Control-USB-Devices-Group-Policy.html

The first couple of sections are specifically on preventing driver installation, which would completely prevent use of the USB device (does not meet your needs).

The last portion covers controlling devices that are already installed, but again, only talks about restricting their use.

If you want further control, you probably need to look at third party software solutions.

Device wall is a paid version of what you're looking for:
http://www.smasystems.com/products/devicewall.htm

Because you're wanting to allow the installation, but control the use, I think you'll find free solutions may not be very reliable or easy to implement.
Conrad_Bel (Author) commented:
Thanks for the input so far.  However, what about the GPO that falls under:

User Config\Policies\admin template\system\removable storage?

Could I use this setting to apply to and restrict only my user OU and not my admin OU? Is this GPO not useful?


piattnd commented:
If it's under user configuration, that means you can apply it to user objects and thus block your users, but not your administrators.

Check the settings available in there.  If they will achieve the end goal, then they should work just fine.  Don't be afraid to try it and test!  :)  Just assign it to a test OU and nowhere else.  Make sure you have a user account in that test OU so the policy applies.

Use GPRESULT /r to make sure the policy is actually applying once you login and test it (particularly if it doesn't work).
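The client-side check piattnd describes (log in as the test user, run GPRESULT, confirm the behaviour) can be scripted. The following is an added example and not code from the thread: run it on the Windows 7 workstation as the test user after logging in. It assumes the user-side Removable Storage Access policy was applied for the "Removable Disks" class, whose documented policy GUID is {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (check it against RemovableStorage.admx in your environment), and uses WMI drive type 2 to find removable drives.

```powershell
# Added example (not from the original thread). Run as the TEST USER on the Windows 7 workstation.
# 1. lists the GPOs that applied to this user session (same data as gpresult /r, user scope only)
# 2. checks that the user-config Removable Storage values actually landed under HKCU\Software\Policies
# 3. probes every removable drive for read and write access and reports the result.

# Assumption: documented policy GUID for the "Removable Disks" class; verify against RemovableStorage.admx.
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$policyKey = "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$removableDisks"

# 1. Which GPOs applied to the user? Look for the GPO name under "Applied Group Policy Objects".
gpresult /r /scope:user

# 2. User Configuration registry policies are written under HKCU\Software\Policies; if the key is
#    missing, the GPO did not apply to this user (wrong OU, security filtering, or no refresh yet).
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object Deny_Read, Deny_Write, Deny_Execute
} else {
    Write-Warning "No Removable Disks policy values under HKCU - the policy did not apply to this user."
}

# 3. DriveType=2 is "Removable Disk" in Win32_LogicalDisk. Try to list the root, then create a file.
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    try {
        Get-ChildItem -Path $root -ErrorAction Stop | Out-Null
        "$root read: allowed"
    } catch {
        "$root read: denied ($($_.Exception.Message))"
    }
    $probe = Join-Path -Path $root -ChildPath 'gpo-write-probe.txt'
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        "$root write: allowed"
    } catch {
        "$root write: denied ($($_.Exception.Message))"
    }
}
```

Run the same script once more as an admin account from the other OU: the HKCU key should be absent and both probes should report "allowed". If the key exists but access is still allowed, the user has not logged off and on since the GPO was linked; user-side Removable Storage settings take effect at the next logon.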
Skyler Kincaid (Network/Systems Engineer) commented:
Yes you can use that.

1. You can create the policy with the settings you want
2. Go to the delegation tab and make sure that you add the Domain Administrators group and make sure to deny the policy from being applied to them.

You will probably want to use the Deny read for all Removable Storage because those settings don't have anything specifically for USB devices, but beware, that might also block CDs and DVDs.
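The procedure in the two answers above (create a User Configuration GPO with the Removable Storage settings, scope it so administrators are excluded, link it only to the users' OU) can be done from the 2008 R2 domain controller with the GroupPolicy PowerShell module that ships with GPMC. The following is an added example, not code from the thread. It targets only the "Removable Disks" class rather than "All Removable Storage classes", so CDs and DVDs keep working, and it excludes administrators by security filtering on a group plus OU placement instead of Deny ACEs. The GPO name, OU distinguished name and the group USB-Restricted-Users are placeholders; the class GUID is the documented one for Removable Disks and should be checked against RemovableStorage.admx.

```powershell
# Added example (not from the original thread). Run on the Windows Server 2008 R2 DC
# in an elevated PowerShell session with GPMC installed (Import-Module GroupPolicy).
Import-Module GroupPolicy

# --- Placeholders: replace with your own names --------------------------------------------
$gpoName   = 'Users - Deny Removable Disks'
$usersOu   = 'OU=Users,OU=Corp,DC=example,DC=local'   # OU holding the restricted users only
$targetGrp = 'USB-Restricted-Users'                    # domain group containing those users

# Documented policy GUID for the "Removable Disks" class (USB sticks, USB hard drives).
# Assumption: verify against RemovableStorage.admx. CD/DVD ({53f56308-...}) is deliberately untouched.
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# 1. Create the GPO.
$gpo = New-GPO -Name $gpoName -Comment 'Deny read/write/execute on removable disks for standard users'

# 2. HKCU keys are written into User Configuration. That is what allows per-user (OU/group)
#    targeting; the equivalent HKLM keys would be Computer Configuration and hit admins too.
$key = "HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$removableDisks"
foreach ($valueName in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName -Type DWord -Value 1 | Out-Null
}

# 3. Security filtering without Deny ACEs: Authenticated Users keeps Read only (the computer
#    account must still be able to read the GPO during processing); Apply goes to the target group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $targetGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link only to the users' OU. Admin accounts living in another OU never process it.
New-GPLink -Name $gpoName -Target $usersOu -LinkEnabled Yes | Out-Null

# 5. Review what was written before anyone logs on.
Get-GPRegistryValue -Name $gpoName -Key $key
Get-GPPermission -Name $gpoName -All |
    Select-Object @{Name = 'Trustee'; Expression = { $_.Trustee.Name }}, Permission
```

Two caveats worth knowing before rolling this out. First, the "Removable Disks" class only covers devices that show up as disks; phones and cameras that enumerate as Windows Portable Devices have their own WPD class GUIDs in the same policy set and are not affected by this GPO. Second, keeping Read for Authenticated Users matters: if it is stripped entirely, the workstation's computer account cannot read the user-side GPO and the policy silently fails to apply.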
Conrad_Bel (Author) commented:
Thanks guys.  Will test and let you know how it goes.
Conrad_Bel (Author) commented:
Should I remove all the groups from the delegation (Creator Owner, System, Authenticated Users, etc.) and just add Domain Admins (deny full control) and Domain Users (apply full control)? What are your thoughts?
Conrad_Bel (Author) commented:
Ok, so I made the GPO, but when I change any of the delegations (i.e. changed Domain Admins to Full Control with Deny Apply Group Policy) I get an error:

specified directory service attribute or value does not exist.

Then when I refresh, the GPO I created disappears.
piattnd commented:
Leave the delegations as is.  You don't want to set any deny statements here.  Apply it to a test OU with a user in it and test with that user.  Once you confirm the desired behavior, have someone that isn't in that OU login and test (perhaps yourself or another admin).

The settings you're changing impact not only who can change the GPO but also who it applies to.  I never ever place a deny statement here.  I always leave things to allow (should be default) and apply it only to the OUs in which I want it to apply.
Conrad_Bel (Author) commented:
Too late :) I already set Domain Admins to Allow Full Control, Deny Apply Group Policy. Same for Enterprise Admins. I created a test OU, added a test user security group, added a test user to the security group (not really sure that was needed), and for the test user security group applied Allow Read, Allow Apply Group Policy.

I then did gpupdate /force and restarted the workstation.
I then logged in with the test user and plugged in a USB. The workstation sees the USB but can't access it (permission denied).
I logged in with an admin account and I can see and access read/write to my USB.

So so far so good.
piattnd commented:
Cool.  I'm sure the deny won't give you any trouble, I just use deny extremely sparingly.
Conrad_Bel (Author) commented:
Cool, thanks for all your help.  Appreciated the quick responses and follow up.
piattnd commented:
No problem.  Let us know how all the testing goes and if you need anything else.
Conrad_Bel (Author) commented:
Found my own solution.