Block USB mass storage via GPO

Can someone guide me how to create a GPO to block specific users from using USB mass storage devices on Windows Active Directory computers?
ashdennis Asked:

AlexProfilet Commented:
Have you tried this: http://www.petri.co.il/disable_usb_disks_with_gpo.htm#

You can make it user specific by using OUs or you can create a group for those that are denied and use permissions or WMI filtering to make sure it only applies to them.
0

Emmanuel Adebayo, Global Windows Infrastructure Engineer - Consultant, Commented:
You can do it using GPO. Please check the link below for step-by-step instructions for using a custom ADM template.

Open GPMC – User configuration – Policy – Administrative template – System – Removable storage Access.

Enable deny Read/Write Access.

http://www.petri.co.il/disable_usb_disks_with_gpo.htm#
0

Pradeep Dubey, Consultant, Commented:
This question is already answered in EE. See the link below for the same.

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28088854.html
0
Nick Rhode, IT Director, Commented:
Pretty simple really.

In the GPO go to the following:

Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access

You can deny read and write access in there. You might also want to consider disabling AutoPlay. This rule applies to all removable storage, like external HDs, flash drives, phone storage, etc.
0
Will Szymkowski, Senior Solution Architect, Commented:
Take a look at this TechNet post, as it illustrates how to accomplish this using Group Policy or Group Policy Preferences (screenshots included).

http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx


Will.
0
ashdennis (Author) Commented:
Interesting, got it to work by applying it to myself as a test. However, when I remove myself from the GPO it does not restore the feature. BTW, the link to www.petri.co.il was most helpful.
0
AlexProfilet Commented:
Some GPOs won't go away unless you specify the opposite option (disable instead of enable, for example). The image http://www.petri.co.il/images/disable_usb_disks_1.gif shows it about to mention how to re-enable it, but it gets cut off and I can't check it at the moment. If you read the description of the GPO, it should have the details on how to re-enable it.
0
ashdennis (Author) Commented:
Thanks all. WMI filtering: can you share a link on how to?
0
AlexProfilet Commented:
Here's a link with a description of how to use WMI filtering to apply it only to specific operating systems: http://community.spiceworks.com/how_to/show/1432-using-wmi-filters-to-apply-group-policy-to-a-target-operating-system

If you put the word "not" in front of "like" in the WMI command, it selects everything except the object you're specifying, though for this purpose I don't think you'll need that.


Combine those instructions with this listing of all the WMI arguments and you should be able to figure it out: http://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx

You'll probably want Win32_Group class: http://msdn.microsoft.com/en-us/library/aa394151(v=vs.85).aspx

You can use Get-WmiObject in PowerShell against the group to get the information you need. I believe something like Get-WmiObject SID <groupname> or maybe Get-WmiObject Name <groupname> will get you the information you need to construct the WMI command following the syntax in the first link.

I haven't tested this, but this might work:
select * from Win32_Group WHERE SID like "<groupSID>"
or
select * from Win32_Group WHERE name like "<groupName>"

Where the group is the RestrictedUSBDrive group (or whatever you call it) you created.
0
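
Scoping the policy to a security group, the "group plus permissions" option from the first answer, can be scripted with the GroupPolicy PowerShell module. This is an added example, not code from any poster in the thread; the GPO name and the OU path are constructed placeholders, and RestrictedUSBDrive is the group name used in the thread.

```powershell
# Added example: user-scoped "deny removable storage" GPO, limited to one group
# by security filtering. Needs the GroupPolicy module (RSAT/GPMC) and rights to
# create and link GPOs in the domain.
Import-Module GroupPolicy

$GpoName  = 'Block USB Storage (Users)'     # constructed name
$Group    = 'RestrictedUSBDrive'            # group name used in the thread
$TargetOu = 'OU=Staff,DC=example,DC=com'    # placeholder OU holding the user accounts

# Create the GPO only if it does not exist yet, so the script can be re-run.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Deny removable storage for group members' | Out-Null
}

# Registry value behind User Configuration > Administrative Templates > System >
# Removable Storage Access > "All Removable Storage classes: Deny all access".
# An HKCU key makes this a user-side setting.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Security filtering: only the restricted group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users from the default Apply to Read. Do not remove
# the entry entirely: since MS16-072 the computer account must be able to read
# the GPO or user policy is not processed.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link to the OU unless a link already exists.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Review the resulting delegation: the group should show GpoApply and
# Authenticated Users GpoRead.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A user added to or removed from the group picks up the change after signing out and back in, because group membership is read from the logon token.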