General GP for users to lock down computer/network

I'm setting up a network for about 11 users, and the business owner wants to restrict/limit what his users are able to do on their computers and the network.

An example is to not allow users to plug in a USB drive or access the CD-ROM.

Can someone give me some starting ideas or a template GP?
Gerhardpet Asked:

Michael Dyer, Senior Systems Support Analyst, Commented:
Here are some good places to start:

http://support.microsoft.com/kb/823732 - How can I prevent users from connecting to a USB storage device?

http://support.microsoft.com/kb/555324 - HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

You can simply configure the following group policies to control the access:
 
[Computer Configuration\Administrative Templates\System\Removable Storage Access]
CD and DVD: Deny read access
CD and DVD: Deny write access
Removable Disks: Deny read access
Removable Disks: Deny write access
All Removable Storage classes: Deny all access
All Removable Storage classes: allow direct access in remote sessions
0

Axis52401, Security Analyst, Commented:
I would also suggest configuring the local users as power users instead of giving them admin rights. Simply create a GPO that places the domain users group in the power users group. That way they can't install programs. It does have a downside that they can't install Java updates and stuff like that, so be sure to consider what they will actually need to perform. I am a fan of the software restriction policy to prevent stuff like the CryptoLocker virus. This also has limitations, as users can't extract files when installing or upgrading programs, but it will help to keep CryptoLocker and CryptoWall from infecting the network.

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
0
btan, Exec Consultant, Commented:
These have some nice lockdown considerations as well as policy:
http://www.howtogeek.com/111239/the-best-ways-to-lock-down-your-multi-user-computer/
http://deployhappiness.com/group-policy-kiosk-mode-locking-down/

Guidance specific to device lockdown can be found here too:
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3._Locking_down_Windows_and_Linux_against_Malicious_USB_devices

List of Windows 7/Vista hardware installation policy options:

Allow administrators to override Device Installation Restriction policies
Allow installation of devices using drivers that match these device setup classes
Prevent installation of devices using drivers that match these device setup classes
Display a custom message when installation is prevented by a policy setting        
Display a custom message title when device installation is prevented by a policy setting
Allow installation of devices that match any of these device IDs
Prevent installation of devices that match any of these device IDs
Time (in seconds) to force reboot when required for policy changes to take effect
Prevent installation of removable devices    
Prevent installation of devices not described by other policy settings
0
Gerhardpet, Author, Commented:
If I'm correct I would create the policy for User Configuration because the policy will not apply to a few people in the office. If I use Computer Configuration it will apply to all computers...correct?
0
btan, Exec Consultant, Commented:
User settings of a GPO will only affect user accounts that reside in the OU(s) that are in the scope of where that GPO is linked.
Computer settings will only affect computer accounts that reside in the OU(s) that are in the scope of where that GPO is linked.

How to apply a Group Policy Object to individual users or computer
http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

How to exclude individual users or computers from a Group Policy Object
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
0
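
The Removable Storage Access settings listed earlier in the thread and the per-user scoping discussed in the last two replies, combined in one PowerShell script. This is an added example, not code from any poster: it assumes the GroupPolicy module (RSAT) is available, and the GPO name, security group and OU path are placeholders. It writes the User Configuration side of the policy so that filtering by a user group takes effect.

```powershell
# Added example. $GpoName, $Group and $TargetOu are placeholders, not from the thread.
Import-Module GroupPolicy

$GpoName  = 'Restrict-RemovableStorage'      # hypothetical GPO name
$Group    = 'Restricted-Users'               # hypothetical security group
$TargetOu = 'OU=Staff,DC=example,DC=com'     # hypothetical OU

# HKCU = User Configuration (filter by a user group).
# HKLM = Computer Configuration, the path quoted in the answer
#        (then the filter group must contain computer accounts).
$Hive = 'HKCU'
$Base = "$Hive\Software\Policies\Microsoft\Windows\RemovableStorageDevices"

# Device-class GUIDs behind the "CD and DVD" and "Removable Disks" settings.
$Classes = @{
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
}

New-GPO -Name $GpoName -Comment 'Deny read/write on CD/DVD and removable disks' | Out-Null

# Each "Deny read access" / "Deny write access" setting is a DWORD set to 1.
foreach ($guid in $Classes.Values) {
    foreach ($value in 'Deny_Read', 'Deny_Write') {
        Set-GPRegistryValue -Name $GpoName -Key "$Base\$guid" `
            -ValueName $value -Type DWord -Value 1 | Out-Null
    }
}

# Security filtering: Authenticated Users keep Read so the GPO can still be
# processed, but only members of $Group get Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# Review what was written before the next policy refresh.
foreach ($guid in $Classes.Values) {
    Get-GPRegistryValue -Name $GpoName -Key "$Base\$guid"
}
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

On a client, `gpresult /r` run as an affected user shows whether the GPO was applied or filtered out.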
Question has a verified solution.
