GPO for Mass Storage Devices based on security groups

Posted on 2013-12-04
Last Modified: 2013-12-10
I have a client that needs to be able to set via a GPO the ability to block all mass storage USB Devices to domain users, but allow to a specified AD Security Group.  Can somebody point me in the direction to create this GPO?  These are windows 7 machines.  Thanks in advance.
Question by:jruskey
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 54

Expert Comment

ID: 39697127

The policy section to use is shown here: - as we can use security filtering, you can indeed impose this policy to a certain AD group, only.

Author Comment

ID: 39697307
How do I apply this to just a certain AD Security Group?  I know how to apply it to a OU, but not a security group.
LVL 54

Expert Comment

ID: 39697616
Like I wrote: security filtering. Find it right in the security section in the properties of the GPO.
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

LVL 13

Assisted Solution

Jaihunt earned 167 total points
ID: 39697909
LVL 24

Assisted Solution

Sandeshdubey earned 166 total points
ID: 39700225
In Windows Server 2008 domain, there are a set of built-in policies on removable storage access and installation. It makes restricting USB mass storage device more easier.

1. Computer Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access
    User Configuration-->Policies-->Administrative Templates-->System-->Removable Storage Access

It specify read and write permission on all kinds of removable storage device.

2. Computer Configuration-->Policies-->Administrative Templates-->System-->Device Installation-->Device Installation Restrictions

With device installation restrictions, the installation of removable storage device will be totally under control.

More detailed information:

Managing Hardware Restrictions via Group Policy

But the minimum client requirement is Windows vista/Win7.So this is no good for my Windows XP machines.

If you have win2003 and WinXP clients for easy managibility of USB group policy.Created Computer OU in the same OU created two sub OU (EnableUSB and DiableUSB OU) and applied the usb disable gpo ADM template to DisableUSB OU and usb enabled policy ADM template to EnableUSB OU.

Computer OU
--USBEnable...Apply usb enabled policy(template)
--USBDiable...Apply usb disable policy(template)

Refer below link for the ADM template

You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the diable policy will not work.Also set allow permission to usbstor.inf and usbstor.PNF file and attach the gpo to USbdisable and usbenable GPO accordingly.

Computer Configuration\Windows setting\security settings\File system Add
set deny permission to administrator,authenticated user,everyone,SYSTEM,users.

Simarly set allow permission to administrator,authenticated user,everyone,SYSTEM,users


Once done you can move the computer to USBEnable or USBDisable OU.If there is requiremet to enable the USB or disable the conputer USB you can move the require computer object to appropiate OU to receieve the appropiate policy.However for setting to take effect you need to reboot the Computer.
LVL 54

Expert Comment

ID: 39700387
"You also need to give deny permission on usbstor.inf and usbstor.PNF to disable the USB else the disable policy will not work" - not really true. This section of the link you reference is talking about making it work for windows 2000. Here, we have win7 and the built-in policies can do it.
Also, it's no use to set it at the computer policy as it will affect all users.

Author Comment

ID: 39700923
I will be onsite and set this up next Tuesday.  So, basically from what I am reading, I should create a security group called 'No USB Access'.  Put my users that I don't want to have USB Access in that group.  Then create a User GPO blocking out USB access and apply it to that new security group I created.  Sound correct?  Based on what McKnife said, I want this as a user policy since a computer policy will block everybody regardless of security filter settings.
LVL 54

Accepted Solution

McKnife earned 167 total points
ID: 39700931
All correct.

Author Comment

ID: 39709254
This works.  However, I want to deny access to all but 6 users.  So, is there a way to reverse this and apply it to all domain users except allow it to a group called allowusbaccess?

Author Comment

ID: 39709345
Nevermind - Figured this out.  Applied it to the default authenticated users groups and security, but under the delegation tab, I added the allowusbaccess group and went into advanced settings and did an explicit deny on read.  Thanks for your help.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question