Group Policy

Dear Experts,

I applied a USB storage deny policy through Group Policy to an OU which consists of a few users in Windows Server 2012.

After applying it I ran the command gpupdate /force. I also restarted the client computers and logged in as the user, but the users can access their USB flash drives without any problem. How can they? Did I miss something? Please help.

This is Windows Server 2012.

Urgent help needed
jct_777 Asked:
Lucian Constantin (Trainer) Commented:
Hi,

What operating system do you have on your workstation(s)? I ask because some of the group policies apply to Vista and later...

Also check which branch of the policy you applied, Computer Configuration or User Configuration, and make sure the OU contains the objects affected by the policy: Computer Accounts and/or User Accounts.
jct_777 (Author) Commented:
Hi,

Here it is mostly Windows 7, XP Professional and also Windows 8.

I applied the policy for USB deny to the OU which contained some users. After that I did gpupdate.

I restarted the client computer and logged in as the user on the computer which has XP SP3, but I can access USB flash drives without any issues.

The server is Windows Server 2012.

Please help

JCT
jct_777 (Author) Commented:
I did it in User Configuration
Lucian Constantin (Trainer) Commented:
As you may see by clicking on the policy you have modified, the "Extended" pane will show "Requirements: At least Windows Vista", so it will not be applied to the Windows XP clients. In the XP case you have to tweak a registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
and set its value to 4 (in hex)

This will affect the entire computer, not only the user.

For more details see: How can I prevent users from connecting to a USB storage device?
jct_777 (Author) Commented:
When I connect the USB flash drive to a Windows 7 computer I can access the USB without any problem. This means I am missing some settings.

Please help

JCT
Lucian Constantin (Trainer) Commented:
If you set the option "Removable Disks: Deny read access" to Enabled, then any Vista computer or later should deny access to the USB storage.

You should check if your policy is applied by using the following command at a command prompt:

GPRESULT /R

Now check whether the name of the policy that should deny access is in the list of "Applied Group Policy Objects"; otherwise you should see it in the list of the "filtered out" policies.
jct_777 (Author) Commented:
Today when I checked, the group policy, i.e. USB deny, is working fine with Windows 7 computers (I can't access any USB, it shows Access denied).

But on XP and Windows 8 computers I can access the USB flash drives without any problem.
The setting that I applied is OK but it's not working with XP and Windows 8.

Are there any extra settings for Windows XP and Windows 8?

The attached image shows the result after running the command GPRESULT /R

Please help me in resolving this issue.

regards,

JCT
Gp1.jpg
Lucian Constantin (Trainer) Commented:
The policy should work on Windows 8 the same way it did for Windows 7. You have to check the Windows 8 station with the GPRESULT /R command (not the server, as you did in the attached pictures), but before checking the result do a GPUPDATE /FORCE to update the policies.

The only exception to this rule is Windows XP, and the necessary tweaks were in my comment above (ID: 39532360). For that you could either use a script that runs at logon and sets that registry key properly, or run it only once, for example using a remote execution tool like PSEXEC from the Sysinternals suite to import a REG file that has the proper settings:

PSEXEC \\remote-pc -S REG IMPORT FullPathToRegFile.REG
jct_777 (Author) Commented:
As suggested before, I already did gpupdate on the server and also on the client side, and restarted the client computer also, but to no effect.

In your previous comment you suggested editing the registry on the XP computers.

It's not possible as most of the XP users are in different locations.

After applying the policy it's working fine for Windows 7 but for XP and Windows 8 it's not.

I will run the command on a Windows 8 computer and check.

But as I mentioned before, most of the computers here are Windows XP Professional, and those too are in different locations.

There should be some solution. Please help.

Regards,

JCT
jct_777 (Author) Commented:
I ran the below command on a Windows 8 computer. The result is attached.
GPresult-in-Windows-8-PC.jpg
Lucian Constantin (Trainer) Commented:
OK, this picture demonstrates that your policy is applied on that PC. If the PC is Windows 8 you should receive the same "access denied" message.

For XP you could do as follows:
1. Create a REG file by exporting the USBSTOR key, then delete the rest of the keys except the Start one. Finally your file should look like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

2. Put the REG file on a share accessible for Everyone
3. Create a logon script that will be assigned by a GPO to the COMPUTERS objects, or modify your current logon script to call the following BAT file:

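@echo off
rem find returns ERRORLEVEL 0 when the XP version string is present, 1 otherwise
ver | find /i "Microsoft Windows XP" > nul

rem "if ERRORLEVEL 0" is true for every exit code >= 0, so test "not ERRORLEVEL 1"
if not ERRORLEVEL 1 (
	echo XP detected, importing registry file
	reg import "\\FullPathToRegFile.REG"
)
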

Note: You could use this BAT file "manually" on a test XP station to see if it is really working properly before deploying by GPO (it may need to be run from an elevated command prompt).

4. Restart a Windows XP station in the OU to which you applied the GPO (the OU containing the computer account that the GPO will be applied to) and check that the registry has the HKLM\...\USBSTOR\Start key with a value of 4.

Check if the PC will be able to access the USB.
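
The registry check from step 4, run from an admin workstation against several machines at once. This is an added example and not part of the original thread. The function name Get-UsbStorStart and the computer names are hypothetical, and it assumes the Remote Registry service is running on each target and that you have administrative rights there.

```powershell
# Added example: audit the USBSTOR "Start" value on a list of computers.
# Computer names are constructed placeholders; replace them with real hosts.
$Computers = @($env:COMPUTERNAME, 'XP-BRANCH-01', 'XP-BRANCH-02')

# Standard Windows service start types, as stored in the "Start" value.
$StartTypes = @{
    0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'
    3 = 'Manual (USB storage allowed)'
    4 = 'Disabled (USB storage blocked)'
}

function Get-UsbStorStart {
    param([string]$ComputerName)

    $result = New-Object PSObject -Property @{
        Computer = $ComputerName; Start = $null; Status = $null
    }
    try {
        # Opens HKLM over the network (or locally for the local machine name).
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\USBSTOR')
        if ($null -eq $key) {
            $result.Status = 'USBSTOR key not found'
        } else {
            $value = $key.GetValue('Start')
            $result.Start = $value
            if ($null -eq $value) { $result.Status = 'Start value missing' }
            elseif ($StartTypes.ContainsKey([int]$value)) { $result.Status = $StartTypes[[int]$value] }
            else { $result.Status = 'Unexpected value' }
            $key.Close()
        }
        $hklm.Close()
    } catch {
        # Host offline, Remote Registry stopped, or access denied.
        $result.Status = "Unreachable: $($_.Exception.Message)"
    }
    $result
}

$report = $Computers | ForEach-Object { Get-UsbStorStart -ComputerName $_ }
$report | Select-Object Computer, Start, Status | Format-Table -AutoSize

# Flag every machine where the logon script has not (yet) set Start to 4.
$report | Where-Object { $_.Start -ne 4 } |
    ForEach-Object { Write-Warning "$($_.Computer): not blocked ($($_.Status))" }
```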
jct_777 (Author) Commented:
OK. When I go to the office tomorrow I will check by performing the above steps.

One more question: are there issues with Group Policy settings? Today I applied a desktop wallpaper to an OU, and when I logged in on XP, Windows 7 and Windows 8 computers with those particular users, the desktop wallpaper was the old one.
Is there anything I am missing in the group policy?

I already have a logon and logoff script on the server for this OU. Shall I edit that logon script and add the above-mentioned, or shall I create a new logon script?

Please advise.

JCT
jct_777 (Author) Commented:
Dear All,

The USB disable option applies to Windows 8 and Windows 7 computers. But on XP computers with that particular user we can easily access the USB drives. As I told you before, most of the XP clients are in locations that are far away from the HO. I cannot go to each and every computer to do the registry file editing. There must be a solution for this.

Also, when I applied the desktop wallpaper, the policy is working fine with Windows 8 and Windows 7 computers, but on the XP PC it's not taking; the background is white.

There must be some settings that we have to do on the server.

Please help

Regards,

JCT
Lucian Constantin (Trainer) Commented:
"I already have a logon and logoff script on the server for this OU. Shall I edit that logon script and add the above-mentioned, or shall I create a new logon script?"
As I've already mentioned in my previous comment in step 3: you could create a new GPO or modify a current GPO, so in your case, if you already have one, just modify it and make sure the script is added to the Computer Configuration branch, not User Configuration.
As you can see in the Scripts Startup Properties, you can also have multiple scripts executed, so you could just add the provided script to the existing one(s).

For the background problem you are probably using a "preference" GPO, and this requires that XP clients have the Group Policy Preference Client Side Extensions for Windows XP (KB943729) installed (deployable by WSUS or any other preferred method).
jct_777 (Author) Commented:
I have a doubt regarding the script. Will it affect the particular computer or only the mentioned users in the designated OU?

I want this to be applied to users through the OU.

Regards,

JCT
Lucian Constantin (Trainer) Commented:
Restriction on USB storage on XP systems will affect the entire PC. If you want restriction at "user level" you cannot use the "native" operating system tools like GPOs, meaning you'll have to use 3rd party tools.

There is something you could try (in theory it could work but I did not try it personally) as described by S S P in this post: Block USB at User level through Group policy, and the basic idea is as follows (quoted from that post):

1. Create Group e.g. EN_USB_Access

2. Add users having permissions to use USB storage to this group.

3. Set up permission on HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR using Group Policy, and give Allow-read permission to the EN_USB_Access group on this key. Remove other Users/Group from the ACL

If this works, it will mean you'll have "user level" USB restriction.

Off-Topic Note: don't forget that Windows XP (with SP3) will end on April 8, 2014
