• Status: Solved
  • Priority: Medium
  • Security: Public

Block USB mass storage via GPO

Can someone guide me on how to create a GPO to block specific users from using USB mass storage devices on Windows Active Directory computers?
2 Solutions
Have you tried this: http://www.petri.co.il/disable_usb_disks_with_gpo.htm#

You can make it user specific by using OUs or you can create a group for those that are denied and use permissions or WMI filtering to make sure it only applies to them.
Emmanuel Adebayo, Global Windows Infrastructure Engineer - Consultant, Commented:
You can do it using GPO. Please check the below link for step by step instructions for using custom adm template.

Open GPMC – User configuration – Policy – Administrative template – System – Removable storage Access.

Enable deny Read/Write Access.

Pradeep Dubey, Consultant, Commented:
This question is already answered in EE. See below link for the same.

Nick Rhode, IT Director, Commented:
Pretty simple really.

In the GPO go to the following:

Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access

You can deny read and write access in there. You might also want to consider disabling autoplay. This rule applies to all removable devices like external HDs, flash drives, phone storage, etc.
Will Szymkowski, Senior Solution Architect, Commented:
Take a look at this TechNet as it illustrates how to accomplish this using Group Policy or Group Policy Preferences (screenshots included).


ashdennis, Author, Commented:
Interesting, got it to work by applying it to myself as a test. However, when I remove myself from the GPO it does not restore the feature. BTW the link to www.petri.co.il was most helpful.
For some GPOs they won't go away unless you specify the opposite option (disable instead of enable, for example). The image http://www.petri.co.il/images/disable_usb_disks_1.gif shows it about to mention how to re-enable it but it gets cut off and I can't check it at the moment. If you read the description of the GPO it should have the details on how to re-enable it.
ashdennis, Author, Commented:
Thanks all, WMI filtering, can you share a link how to?
Here's a link with a description on how to apply WMI filtering to apply it only to specific operating systems: http://community.spiceworks.com/how_to/show/1432-using-wmi-filters-to-apply-group-policy-to-a-target-operating-system

If you put the word not in front of like in the WMI command it selects everything except the object you're specifying, though for this purpose I don't think you'll need that.

Combine those instructions with this listing of all the WMI arguments and you should be able to figure it out: http://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx

You'll probably want Win32_Group class: http://msdn.microsoft.com/en-us/library/aa394151(v=vs.85).aspx

You can use Get-WmiObject in PowerShell against the group to get the information you need. I believe something like Get-WmiObject SID <groupname> or maybe Get-WmiObject Name <groupname> will get you the information you need to construct the WMI command following the syntax in the first link.

I haven't tested this, but this might work:
select * from Win32_Group WHERE SID like "<groupSID>"
select * from Win32_Group WHERE name like "<groupName>"

Where the group is the RestrictedUSBDrive group (or whatever you call it) you created.
Question has a verified solution.
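
Added example, not posted by anyone in this thread: the "create a group for those that are denied and use permissions" approach from the first answer, done with the GroupPolicy PowerShell module instead of the GPMC GUI. The GPO name, the OU path and the domain are assumptions; the group name RestrictedUSBDrive is borrowed from the last reply; the registry values are the ones behind the User Configuration "Removable Disks: Deny read access / Deny write access" settings under Removable Storage Access.

```powershell
# Added example: run on a machine with RSAT / GPMC installed, as a user allowed to create GPOs.
Import-Module GroupPolicy

$GpoName = 'Block USB Mass Storage (Users)'   # assumption: hypothetical GPO name
$Group   = 'RestrictedUSBDrive'               # security group containing the users to block
$UsersOU = 'OU=Staff,DC=example,DC=com'       # assumption: OU that holds those user accounts

# Policy key for the "Removable Disks" device class. HKCU puts the setting on the
# User Configuration side, so it follows the user to whichever computer they log on to.
$Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Deny removable disk read/write for restricted users' | Out-Null
}

# Equivalent to enabling "Removable Disks: Deny read access" and "Deny write access".
# Values under Software\Policies are cleaned up by Windows when the GPO stops applying.
foreach ($ValueName in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null
}

# Security filtering: only the restricted group gets "Apply group policy".
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users has Apply by default. Downgrade it to Read (not remove it):
# computers still need Read on the GPO to process user settings from it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link the GPO to the OU that contains the user accounts, unless it is already linked.
if ($GpoName -notin (Get-GPInheritance -Target $UsersOU).GpoLinks.DisplayName) {
    New-GPLink -Name $GpoName -Target $UsersOU | Out-Null
}

# Review what was configured before relying on it.
Get-GPRegistryValue -Name $GpoName -Key $Key | Select-Object ValueName, Value, Type
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

After a member of the group signs in again (or runs gpupdate /force), gpresult /r on the client should list the GPO under the applied user settings; for a user outside the group it should appear as filtered out.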