How to Deny access to all Removable Media for select users on SBS 2011

I have created a GPO on my SBS 2011 box to deny all access to removable media for a specific group I created. Policy is enabled/enforced and linked appropriately.

However despite all efforts, the policy does not apply to the users in the group.

I have applied the policy to both the computer and user configuration in the GP.

When I run RSOP on a user, I can see the policy is enabled under the user configuration, however, will never show up under the computer configuration despite not being configured in any other GPO.

Is this not supposed to work by design or is there some other way to get this GPO to function.
tjwo94Asked:
Who is Participating?
 
Jeffrey Kane - TechSoEasyConnect With a Mentor Principal ConsultantCommented:
This is not a USER policy, so do not set anything in the user configuration.

There are THREE settings which must be enabled in your GPO under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access:


Removable Disks: Deny execute access Enabled
Removable Disks: Deny read access Enabled
Removable Disks: Deny write access Enabled

Deny USB Drives
Make sure that this policy is linked either at the domain level, or if to an OU, that all machines that are restricted are in the OU.

If the above doesn't work, please run the following command on a workstation:

C:\>gpresult /h gp.html

Then post the resulting "gp.html" file back here.
0
 
NetfloCommented:
The GPO needs to be tweaked slightly differently if applying to Windows XP clients as opposed to Windows 7 and above which will just work. Is this the case?

If so, please take a look at the following link: http://www.grouppolicy.biz/2010/02/how-to-use-group-policy-to-disable-usb-drives-on-windows-xp/
0
 
tjwo94Author Commented:
All clients are Windows 7, hence the frustration as to why it isn't working.
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
tjwo94Author Commented:
Just to clarify, this policy can only be applied to specific machines, not specific users? So I would need to put specific machines in an OU as opposed to specific users?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Yes, it is a MACHINE setting, not a USER setting.

FYI, if you don't want to move the machines to a specific OU, you could always just create a SECURITY GROUP and add them to that, and then delegate the GP to only that Security Group.

Jeff
0
 
tjwo94Author Commented:
Thank you Jeff for the help and clarification, I'll have no trouble getting the access squared away now.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.