

General GP for users to lock down computer/network

Posted on 2014-08-13
Medium Priority
Last Modified: 2014-08-20
I'm setting up a network for about 11 users and the business owner wants to restrict/limit what his users are able to do on their computers and the network.

An example is to not allow plugging in a USB drive or access to the CD-ROM.

Can someone give me some starting ideas or a template GP?
Question by:Gerhardpet

Accepted Solution

Michael Dyer earned 2000 total points
ID: 40259527
Here are some good places to start:

http://support.microsoft.com/kb/823732 - How can I prevent users from connecting to a USB storage device?

http://support.microsoft.com/kb/555324 - HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

You can simply configure the following group policies to control the access:
[Computer Configuration\Administrative Templates\System\Removable Storage Access]
CD and DVD: Deny read access
CD and DVD: Deny write access
Removable Disks: Deny read access
Removable Disks: Deny write access
All Removable Storage classes: Deny all access
All Removable Storage classes: allow direct access in remote sessions
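Added example, not part of the original answer: a PowerShell audit to run on a workstation after `gpupdate`, which reads the registry values that the Removable Storage Access policies above write under HKLM and reports which ones are in effect. The variable and function names are illustrative; the script only reads the registry.

```powershell
# Added example (not from the original thread). Audits the Computer Configuration
# "Removable Storage Access" policies by reading the values they write under HKLM.
# The User Configuration copies of these policies write the same values under HKCU.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class subkeys used by these policies ('' means the base key itself).
$cdDvd     = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$removable = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

$checks = @(
    [pscustomobject]@{ Policy = 'CD and DVD: Deny read access';                  SubKey = $cdDvd;     Value = 'Deny_Read' }
    [pscustomobject]@{ Policy = 'CD and DVD: Deny write access';                 SubKey = $cdDvd;     Value = 'Deny_Write' }
    [pscustomobject]@{ Policy = 'Removable Disks: Deny read access';             SubKey = $removable; Value = 'Deny_Read' }
    [pscustomobject]@{ Policy = 'Removable Disks: Deny write access';            SubKey = $removable; Value = 'Deny_Write' }
    [pscustomobject]@{ Policy = 'All Removable Storage classes: Deny all access'; SubKey = '';         Value = 'Deny_All' }
    [pscustomobject]@{ Policy = 'All Removable Storage: Allow direct access in remote sessions'; SubKey = ''; Value = 'AllowRemoteDASD' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is "Not configured" on this machine.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemovableStorageAudit {
    foreach ($c in $checks) {
        $path = if ($c.SubKey) { Join-Path $base $c.SubKey } else { $base }
        $raw  = Get-PolicyValue -Path $path -Name $c.Value
        $state = if ($null -eq $raw) { 'Not configured' }
                 elseif ($raw -eq 1) { 'Enabled' }
                 else                { "Disabled ($raw)" }
        [pscustomobject]@{ Policy = $c.Policy; RegistryValue = $c.Value; State = $state }
    }
}

# Note: an enabled "Allow direct access in remote sessions" relaxes the lockdown,
# so on a locked-down machine expect the Deny_* rows Enabled and that row not Enabled.
Get-RemovableStorageAudit | Format-Table -AutoSize
```

A row showing "Not configured" on a machine that should be locked down usually means the GPO is not linked to the OU holding that computer account, or the policy has not refreshed yet.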

Expert Comment

ID: 40259563
I would also suggest configuring the local users as power users instead of giving them admin rights. Simply create a GPO that places the domain users group in the power users group. That way they can't install programs. It does have a downside that they can't install Java updates and stuff like that, so be sure to consider what they will actually need to perform. I am a fan of the software restriction policy to prevent stuff like the CryptoLocker virus. This also has limitations, as users can't extract files when installing or upgrading programs, but it will help to keep CryptoLocker and CryptoWall from infecting the network.


Expert Comment

ID: 40259678
This has some nice lockdown considerations as well as policy

specific to device lockdown can be found here too

List of Windows 7/Vista hardware installation policy options:

Allow administrators to override Device Installation Restriction policies
Allow installation of devices using drivers that match these device setup classes
Prevent installation of devices using drivers that match these device setup classes
Display a custom message when installation is prevented by a policy setting
Display a custom message title when device installation is prevented by a policy setting
Allow installation of devices that match any of these device IDs
Prevent installation of devices that match any of these device IDs
Time (in seconds) to force reboot when required for policy changes to take effect
Prevent installation of removable devices
Prevent installation of devices not described by other policy settings

Author Comment

ID: 40260707
If I'm correct I would create the policy for User Configuration because the policy will not apply to a few people in the office. If I use Computer Configuration it will apply to all computers...correct?

Expert Comment

ID: 40260738
User settings of a GPO will only affect user accounts that reside in the OU(s) that are in the scope of where that GPO is linked.
Computer settings will only affect computer accounts that reside in the OU(s) that are in the scope of where that GPO is linked.

How to apply a Group Policy Object to individual users or computer

How to exclude individual users or computers from a Group Policy Object
