Solved

GPO for Mass Storage Devices based on security groups

Posted on 2013-12-04
10
998 Views
Last Modified: 2013-12-10
I have a client that needs to be able to set via a GPO the ability to block all mass storage USB Devices to domain users, but allow to a specified AD Security Group.  Can somebody point me in the direction to create this GPO?  These are windows 7 machines.  Thanks in advance.
0
Comment
Question by:jruskey
10 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 39697127
Hi.

The policy section to use is shown here: http://technet.microsoft.com/en-us/library/cc730808(v=ws.10).aspx - as we can use security filtering, you can indeed impose this policy to a certain AD group, only.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39697307
How do I apply this to just a certain AD Security Group?  I know how to apply it to a OU, but not a security group.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39697616
Like I wrote: security filtering. Find it right in the security section in the properties of the GPO.
0
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 167 total points
ID: 39697909
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 166 total points
ID: 39700225
In Windows Server 2008 domain, there are a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage device more easier.

1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
    User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

It specify read and write permission on all kinds of removable storage device.

2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

With device installation restrictions, the installation of removable storage device will be totally under control.

More detailed information:

Managing Hardware Restrictions via Group Policy

http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx

But the minimum client requirement is Windows vista/Win7.So this is no good for my Windows XP machines.

If you have win2003 and WinXP clients for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo ADM template to DisableUSB OU and usb enabled policy ADM template to EnableUSB OU.

Computer OU
--USBEnable...Apply usb enabled policy(template)
--USBDiable...Apply usb disable policy(template)

Refer below link for the ADM template

You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the diable policy will not work.Also set allow permission to usbstor.inf and usbstor.PNF file and attach the gpo to USbdisable and usbenable GPO accordingly.

Computer Configuration\Windows setting\security settings\File system Add
%SystemRoot%\inf\usbstor.inf
%SystemRoot%\inf\usbstor.PNF
set deny permission to administrator,authenticated user,everyone,SYSTEM,users.

Simarly set allow permission to administrator,authenticated user,everyone,SYSTEM,users

Referencelink:http://www.petri.co.il/disable_usb_disks_with_gpo.htm

Once done you can move the computer to USBEnable or USBDisable OU.If there is requiremet to enable the USB or disable the conputer USB you can move the require computer object to appropiate OU to receieve the appropiate policy.However for setting to take effect you need to reboot the Computer.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39700387
"You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the disable policy will not work" - not really true. This section of the link you reference is talking about making it work for windows 2000. Here, we have win7 and the built-in policies can do it.
Also, it's no use to set it at the computer policy as it will affect all users.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39700923
I will be onsite and set this up next Tuesday.  So, basically from what I am reading, I should create a security group called 'No USB Access'.  Put my users that I don't want to have USB Access in that group.  Then create a User GPO blocking out USB access and apply it to that new security group I created.  Sound correct?  Based on what McKnife said, I want this as a user policy since a computer policy will block everybody regardless of security filter settings.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 167 total points
ID: 39700931
All correct.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39709254
This works.  However, I want to deny access to all but 6 users.  So, is there a way to reverse this and apply it to all domain users except allow it to a group called allowusbaccess?
0
 
LVL 1

Author Comment

by:jruskey
ID: 39709345
Nevermind - Figured this out.  Applied it to the default authenticated users groups and security, but under the delegation tab, I added the allowusbaccess group and went into advanced settings and did an explicit deny on read.  Thanks for your help.
0

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now