Solved

GPO for Mass Storage Devices based on security groups

Posted on 2013-12-04
10
1,042 Views
Last Modified: 2013-12-10
I have a client that needs to be able to set via a GPO the ability to block all mass storage USB Devices to domain users, but allow to a specified AD Security Group.  Can somebody point me in the direction to create this GPO?  These are windows 7 machines.  Thanks in advance.
0
Comment
Question by:jruskey
10 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 39697127
Hi.

The policy section to use is shown here: http://technet.microsoft.com/en-us/library/cc730808(v=ws.10).aspx - as we can use security filtering, you can indeed impose this policy to a certain AD group, only.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39697307
How do I apply this to just a certain AD Security Group?  I know how to apply it to a OU, but not a security group.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39697616
Like I wrote: security filtering. Find it right in the security section in the properties of the GPO.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 167 total points
ID: 39697909
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 166 total points
ID: 39700225
In Windows Server 2008 domain, there are a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage device more easier.

1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
    User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

It specify read and write permission on all kinds of removable storage device.

2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

With device installation restrictions, the installation of removable storage device will be totally under control.

More detailed information:

Managing Hardware Restrictions via Group Policy

http://www.microsoft.com/technet/technetmag/issues/2007/06/GroupPolicy/default.aspx

But the minimum client requirement is Windows vista/Win7.So this is no good for my Windows XP machines.

If you have win2003 and WinXP clients for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo ADM template to DisableUSB OU and usb enabled policy ADM template to EnableUSB OU.

Computer OU
--USBEnable...Apply usb enabled policy(template)
--USBDiable...Apply usb disable policy(template)

Refer below link for the ADM template

You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the diable policy will not work.Also set allow permission to usbstor.inf and usbstor.PNF file and attach the gpo to USbdisable and usbenable GPO accordingly.

Computer Configuration\Windows setting\security settings\File system Add
%SystemRoot%\inf\usbstor.inf
%SystemRoot%\inf\usbstor.PNF
set deny permission to administrator,authenticated user,everyone,SYSTEM,users.

Simarly set allow permission to administrator,authenticated user,everyone,SYSTEM,users

Referencelink:http://www.petri.co.il/disable_usb_disks_with_gpo.htm

Once done you can move the computer to USBEnable or USBDisable OU.If there is requiremet to enable the USB or disable the conputer USB you can move the require computer object to appropiate OU to receieve the appropiate policy.However for setting to take effect you need to reboot the Computer.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39700387
"You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the disable policy will not work" - not really true. This section of the link you reference is talking about making it work for windows 2000. Here, we have win7 and the built-in policies can do it.
Also, it's no use to set it at the computer policy as it will affect all users.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39700923
I will be onsite and set this up next Tuesday.  So, basically from what I am reading, I should create a security group called 'No USB Access'.  Put my users that I don't want to have USB Access in that group.  Then create a User GPO blocking out USB access and apply it to that new security group I created.  Sound correct?  Based on what McKnife said, I want this as a user policy since a computer policy will block everybody regardless of security filter settings.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 167 total points
ID: 39700931
All correct.
0
 
LVL 1

Author Comment

by:jruskey
ID: 39709254
This works.  However, I want to deny access to all but 6 users.  So, is there a way to reverse this and apply it to all domain users except allow it to a group called allowusbaccess?
0
 
LVL 1

Author Comment

by:jruskey
ID: 39709345
Nevermind - Figured this out.  Applied it to the default authenticated users groups and security, but under the delegation tab, I added the allowusbaccess group and went into advanced settings and did an explicit deny on read.  Thanks for your help.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now