Conrad_Bel

asked on

I Need to block USB view and execute for users and allow for administrators windows 7 and 2008 R2 Domain

I need to set up a GPO to block access and execute to USB drives on windows 7 workstations for users but allow access and execute for administrators on same workstations.  

The domain is set up with Windows 7 64-bit workstations and my domain controller is Windows Server 2008 R2.  Can this be done by domain GPO only, or is a registry setting required?  I prefer using domain GPO.
Skyler Kincaid

These are the two policies that you would be using:

Computer Configuration | Administrative Templates | System | Removable Storage Access

and

Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restriction

but as you can see they are both Computer Configurations so you won't be able to allow access for Administrators because it applies at the computer level.
piattnd

Here's a link that describes somewhat of what you're talking about.  What you're talking about doing is not something that's out of the box from Microsoft GPO.

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Control-USB-Devices-Group-Policy.html

The first couple of sections are specifically on preventing driver installation, which would completely prevent use of the USB device (does not meet your needs).

The last portion covers controlling devices that are already installed, but again, only talks about restricting their use.

If you want further control, you probably need to look at third party software solutions.

Device wall is a paid version of what you're looking for:
http://www.smasystems.com/products/devicewall.htm

Because you're wanting to allow the installation, but control the use, I think you'll find free solutions may not be very reliable or easy to implement.
ASKER CERTIFIED SOLUTION
Conrad_Bel


ASKER

Thanks guys.  Will test and let you know how it goes.
Should I remove all the groups from the delegation (Creator Owner, System, Authenticated Users etc.) and just add Domain Admins (deny full control) and Domain Users (apply full control)?  What are your thoughts?
OK, so I made the GPO, but if I change any of the delegations (i.e. changed Domain Admins to full control with deny Apply Group Policy) I get an error:

specified directory service attribute or value does not exist.

Then when I refresh, the GPO I created disappears.
Leave the delegations as is.  You don't want to set any deny statements here.  Apply it to a test OU with a user in it and test with that user.  Once you confirm the desired behavior, have someone that isn't in that OU login and test (perhaps yourself or another admin).

The settings you're changing impact not only who can change the GPO but also who it applies to.  I never ever place a deny statement here.  I always leave things to allow (should be default) and apply it only to the OUs in which I want it to apply.
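As an added example (not posted in this thread), here is the test-OU approach scripted with the GroupPolicy module on the 2008 R2 domain controller: the GPO name, the OU path and the choice of Domain Users as the filtering group are assumptions. It uses the User Configuration side of Removable Storage Access, so security filtering on the GPO (allow entries only, no deny) decides which users it applies to on a shared workstation.

```powershell
# Added example: create a per-user "block removable disks" GPO, scope it with
# allow-only security filtering, link it to a test OU, then verify who it applies to.
Import-Module GroupPolicy

$gpoName = 'USB-Block-Users'                 # assumed GPO name
$testOu  = 'OU=USBTest,DC=example,DC=com'    # assumed test OU containing the test user

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Deny read/write/execute on removable disks (per user)'
}

# Removable Storage Access, User Configuration side, "Removable Disks" device class.
# These are the registry locations the Removable Storage Access template writes;
# confirm them against your own ADMX before relying on them.
$key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($valueName in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName -Type DWord -Value 1 | Out-Null
}

# Security filtering with allow entries only: Domain Users get Apply Group Policy,
# Authenticated Users are reduced to Read. Set-GPPermission cannot write Deny ACEs,
# which matches the advice above to avoid them.
Set-GPPermission -Name $gpoName -TargetName 'Domain Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link only to the test OU; widen the link after the test user and an admin
# outside the OU both behave as expected.
New-GPLink -Name $gpoName -Target $testOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Verify: only the trustees listed here will have the policy applied.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, Permission
```

Run `gpupdate /force` on the workstation and check the user's session with `gpresult /r /scope user` to confirm the GPO shows up for the test user and not for the administrator.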
Cool.  I'm sure the deny won't give you any trouble, I just use deny extremely sparingly.
Cool, thanks for all your help.  Appreciated the quick responses and follow up.
No problem.  Let us know how all the testing goes and if you need anything else.
Found my own solution.