Disable USB drives for non-admins

I would like to disable USB ports via Group Policy, but just for non-admins. I still need access for domain admins and servers, etc.

What is the best way to accomplish this?
BMFC Asked:
 
Mahesh (Architect) Commented:
Setting deny permissions for Authenticated Users will never apply the GPO to anybody, thus defeating the purpose of the GPO, as deny permissions always override the allow.

The last comment will work; however, you should avoid setting deny permissions as far as possible.

The best way to do this: set the policy at domain level, create a group named blocked usb users, remove Authenticated Users from security filtering and add this new group there. Now the GPO will apply to this group only and not to Authenticated Users.

You don't have to specify explicit deny \ allow permissions; the GPO will apply only to those users \ groups who are on the security filtering tab.

Security filtering will be found under the Scope tab.
 
Gajendra Rathod (Sr. System Administrator) Commented:
Please check this .adm file and follow this link:

http://www.petri.com/disable_usb_disks_with_gpo.htm
 
Mahesh (Architect) Commented:
The above process will work only for Windows XP and Windows 2000.

If you have Windows Vista\7\8\8.1 you need to use the settings below.
Under User configuration\administrative templates\system\Removable storage access, enable these settings:
Removable Disk: Deny Read Access
Removable Disk: Deny Write Access

There are other options also for CD, DVD and so on.

Apply this policy to the OU containing the users for which you want to restrict access.
 
BMFC (Author) Commented:
I don't want to apply the policy to Authenticated Users. Does an AD group exist that I can apply this policy to without affecting domain admins, servers, etc.?
 
Mahesh (Architect) Commented:
You can do this in two ways:

1st way:
Add all users to whom you want to apply this policy to one OU and apply this policy on that OU.
Ensure that you do not keep your admin accounts in this OU.
Even if the policy is applied to Authenticated Users (you can see them under security filtering in GPMC), it does not mean that the policy will apply to all authenticated users in the entire domain.
The policy will apply only to users in that particular OU because you have limited the GPO scope to that specific OU only.
This is a user configuration setting, hence keep only the required users in that OU and do not keep any computers \ servers in this OU.
This will ensure that the policy will apply to only the required users.

2nd way:
Create one global security group and add all required user accounts in the domain to this group.
Create a new policy as stated in the 1st comment and apply this policy to the entire domain (domain level).
In GPMC, click on the GPO and on the right-hand side under the Scope tab you will find security filtering; remove Authenticated Users from here and add the above security group.
This will ensure that the policy will apply only to the selected users who are part of that security group.
0
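
Mahesh's 2nd way (a domain-level GPO scoped by security filtering), written out in PowerShell as an added example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a GPO that already carries the Removable Disk deny settings; the GPO name is a placeholder. It keeps Read (not Apply) for Authenticated Users and ends with two checks: who the GPO applies to, and whether any Domain Admins member ended up in the blocked group.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Assumes the GPO already exists with the "Removable Disk: Deny ..."
# user settings enabled. Both names below are placeholders; adjust to your domain.
$GpoName   = 'Block USB Storage'      # hypothetical GPO name
$GroupName = 'Blocked USB Users'      # group name suggested in the thread

$domain = Get-ADDomain

# Create the global security group if it is not there yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path $domain.UsersContainer
}

# Security filtering: the group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Authenticated Users is downgraded from Apply to Read only (-Replace is needed to
# lower a permission). Keeping Read matters: since the MS16-072 update, user policy
# is fetched in the computer's context, so a GPO the computer cannot read is skipped.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# Link at the domain root unless it is linked there already.
$linked = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
          Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $domain.DistinguishedName | Out-Null }

# Audit 1: list who the GPO applies to and flag any explicit deny entries.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -or $_.Denied } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize

# Audit 2: no Domain Admins member should sit (directly or nested) in the group.
$admins  = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SID.Value
$overlap = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object { $admins -contains $_.SID.Value }
if ($overlap) { Write-Warning "Admins in '$GroupName': $($overlap.SamAccountName -join ', ')" }
```

Because the restriction is a user setting, a member of the blocked group is restricted on every machine they log on to, servers included, so group membership is the control to review.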
 
BMFC (Author) Commented:
Would this work? I left Authenticated Users under Security Filtering, then in the Delegation tab checked the deny box for "apply group policy".
 
BMFC (Author) Commented:
Left this part out: I created a second security group called "Exclude GPO", added the users I wanted to exclude, then checked the deny box for "apply group policy", at the same time leaving Authenticated Users in to apply the policy.
Question has a verified solution.