Solved

GPO for Mass Storage Devices based on security groups

Posted on 2013-12-04
10
1,058 Views
Last Modified: 2013-12-10
I have a client that needs to be able to set via a GPO the ability to block all mass storage USB Devices to domain users, but allow to a specified AD Security Group.  Can somebody point me in the direction to create this GPO?  These are windows 7 machines.  Thanks in advance.
0
Comment
Question by:jruskey
10 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 39697127
Hi.

The policy section to use is shown here: http://technet.microsoft.com/en-us/library/cc730808(v=ws.10).aspx - as we can use security filtering, you can indeed impose this policy to a certain AD group, only.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39697307
How do I apply this to just a certain AD Security Group?  I know how to apply it to a OU, but not a security group.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39697616
Like I wrote: security filtering. Find it right in the security section in the properties of the GPO.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 167 total points
ID: 39697909
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 166 total points
ID: 39700225
In Windows Server 2008 domain, there are a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage device more easier.

1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
    User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

It specify read and write permission on all kinds of removable storage device.

2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

With device installation restrictions, the installation of removable storage device will be totally under control.

More detailed information:

Managing Hardware Restrictions via Group Policy

http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx

But the minimum client requirement is Windows vista/Win7.So this is no good for my Windows XP machines.

If you have win2003 and WinXP clients for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo ADM template to DisableUSB OU and usb enabled policy ADM template to EnableUSB OU.

Computer OU
--USBEnable...Apply usb enabled policy(template)
--USBDiable...Apply usb disable policy(template)

Refer below link for the ADM template

You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the diable policy will not work.Also set allow permission to usbstor.inf and usbstor.PNF file and attach the gpo to USbdisable and usbenable GPO accordingly.

Computer Configuration\Windows setting\security settings\File system Add
%SystemRoot%\inf\usbstor.inf
%SystemRoot%\inf\usbstor.PNF
set deny permission to administrator,authenticated user,everyone,SYSTEM,users.

Simarly set allow permission to administrator,authenticated user,everyone,SYSTEM,users

Referencelink:http://www.petri.co.il/disable_usb_disks_with_gpo.htm

Once done you can move the computer to USBEnable or USBDisable OU.If there is requiremet to enable the USB or disable the conputer USB you can move the require computer object to appropiate OU to receieve the appropiate policy.However for setting to take effect you need to reboot the Computer.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39700387
"You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the disable policy will not work" - not really true. This section of the link you reference is talking about making it work for windows 2000. Here, we have win7 and the built-in policies can do it.
Also, it's no use to set it at the computer policy as it will affect all users.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39700923
I will be onsite and set this up next Tuesday.  So, basically from what I am reading, I should create a security group called 'No USB Access'.  Put my users that I don't want to have USB Access in that group.  Then create a User GPO blocking out USB access and apply it to that new security group I created.  Sound correct?  Based on what McKnife said, I want this as a user policy since a computer policy will block everybody regardless of security filter settings.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 167 total points
ID: 39700931
All correct.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39709254
This works.  However, I want to deny access to all but 6 users.  So, is there a way to reverse this and apply it to all domain users except allow it to a group called allowusbaccess?
0
 
LVL 1

Author Comment

by:jruskey
ID: 39709345
Nevermind - Figured this out.  Applied it to the default authenticated users groups and security, but under the delegation tab, I added the allowusbaccess group and went into advanced settings and did an explicit deny on read.  Thanks for your help.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question