General GP for users to lock down computer/network

Posted on 2014-08-13
Last Modified: 2014-08-20
I'm setting up a network for about 11 users and the business owner wants to restrict/limit what his users are able to do on their computers and the network.

An example is to not allow them to plug in a USB drive or access the CD-ROM.

Can someone give me some starting ideas or a template GP?
Question by:Gerhardpet
    LVL 14

    Accepted Solution

    Here are some good places to start:
    - How can I prevent users from connecting to a USB storage device?
    - HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

    You can simply configure the following group policies to control the access:
    [Computer Configuration\Administrative Templates\System\Removable Storage Access]
    CD and DVD: Deny read access
    CD and DVD: Deny write access
    Removable Disks: Deny read access
    Removable Disks: Deny write access
    All Removable Storage classes: Deny all access
    All Removable Storage classes: allow direct access in remote sessions
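
To confirm on a workstation which of the settings listed in the accepted answer have actually been applied, the following PowerShell audit reads the policy values from the registry. It is an added example, not part of the original thread; the registry key, value names and device-class GUIDs are the standard storage locations for these Administrative Template settings and are assumptions not stated in the thread.

```powershell
# Added example: report which Removable Storage Access policies are in effect.
# Assumption: policies are stored under this key in HKLM (Computer Configuration)
# and HKCU (User Configuration).
$base = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUID subkeys for the two classes named in the accepted answer.
$classes = [ordered]@{
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-PolicyState {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is "Not configured".
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not configured' }
    if ($prop.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$report = foreach ($hive in 'HKLM:', 'HKCU:') {
    $scope = if ($hive -eq 'HKLM:') { 'Computer' } else { 'User' }
    $root  = "$hive\$base"

    # Per-class "Deny read access" / "Deny write access" settings.
    foreach ($class in $classes.GetEnumerator()) {
        foreach ($value in 'Deny_Read', 'Deny_Write') {
            [pscustomobject]@{
                Scope   = $scope
                Setting = "$($class.Key): $value"
                State   = Get-PolicyState -Path "$root\$($class.Value)" -Name $value
            }
        }
    }

    # "All Removable Storage classes: Deny all access" is stored on the base key.
    [pscustomobject]@{
        Scope   = $scope
        Setting = 'All Removable Storage classes: Deny_All'
        State   = Get-PolicyState -Path $root -Name 'Deny_All'
    }
}

$report | Format-Table -AutoSize
```

The User rows reflect the account running the script, so run it in the session of the user whose restrictions are being checked.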
    LVL 2

    Expert Comment

    I would also suggest configuring the local users as power users instead of giving them admin rights. Simply create a GPO that places the domain users group in the power users group. That way they can't install programs. It does have a downside that they can't install Java updates and stuff like that, so be sure to consider what they will actually need to perform. I am a fan of the software restriction policy to prevent stuff like the CryptoLocker virus. This also has limitations, as users can't extract files when installing or upgrading programs, but it will help to keep CryptoLocker and CryptoWall from infecting the network.
    LVL 60

    Expert Comment

    This has some nice lockdown considerations as well as policy

    specific to device lockdown can be found here too

    List of Windows 7/Vista hardware installation policy options:

    Allow administrators to override Device Installation Restriction policies
    Allow installation of devices using drivers that match these device setup classes
    Prevent installation of devices using drivers that match these device setup classes
    Display a custom message when installation is prevented by a policy setting        
    Display a custom message title when device installation is prevented by a policy setting
    Allow installation of devices that match any of these device IDs
    Prevent installation of devices that match any of these device IDs
    Time (in seconds) to force reboot when required for policy changes to take effect
    Prevent installation of removable devices    
    Prevent installation of devices not described by other policy settings
    LVL 1

    Author Comment

    If I'm correct I would create the policy for User Configuration because the policy will not apply to a few people in the office. If I use Computer Configuration it will apply to all computers...correct?
    LVL 60

    Expert Comment

    User settings of a GPO will only affect user accounts that reside in the OU(s) that are in the scope of where that GPO is linked.
    Computer settings will only affect computer accounts that reside in the OU(s) that are in the scope of where that GPO is linked.

    How to apply a Group Policy Object to individual users or computer

    How to exclude individual users or computers from a Group Policy Object
