Solved

Disable USB drives for non-admins

Posted on 2015-01-31
Last Modified: 2015-02-01
I would like to disable USB ports via Group Policy, but just for non-admins. I still need access for domain admins and servers, etc.

What is the best way to accomplish this?
0
Question by:BMFC
7 Comments
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 40581556
Please check this .adm file and follow this link

http://www.petri.com/disable_usb_disks_with_gpo.htm
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40581742
The above process will work only for Windows XP and Windows 2000.

If you have Windows Vista\7\8\8.1, you need to use the settings below.
Go to User Configuration\Administrative Templates\System\Removable Storage Access and enable the following settings:
Removable Disk: Deny Read Access
Removable Disk: Deny Write Access

There are other options also for CD, DVD and so on.

Apply this policy to the OU containing the users for which you want to restrict access.
0
 

Author Comment

by:BMFC
ID: 40582700
I don't want to apply the policy to Authenticated Users. Does an AD group exist that will allow me to apply this policy and not affect domain admins, servers, etc.?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40582732
You can do this in two ways:

1st way:
Add all users to whom you want to apply this policy to one OU and apply this policy on that OU.
Ensure that you do not keep your admin accounts in this OU.
Even if the policy is applied to Authenticated Users (you can see them under Security Filtering in GPMC), it does not mean that the policy will apply to all authenticated users in the entire domain.
The policy will apply only to users in that particular OU because you have limited the GPO scope to that specific OU only.
This is a User Configuration setting, hence keep only the required users in that OU and do not keep any computers\servers in this OU.
This will ensure that the policy applies only to the required users.

2nd way:
Create one global security group and add all required user accounts in the domain to this group.
Create a new policy as stated in the 1st comment and apply this policy to the entire domain (domain level).
In GPMC, click on the GPO and on the right-hand side under the Scope tab you will find Security Filtering; remove Authenticated Users from here and add the above security group.
This will ensure that the policy will apply only to the selected users who are part of that security group.
0
 

Author Comment

by:BMFC
ID: 40582737
Would this work? I left Authenticated Users under Security Filtering, then in the Delegation tab, checked the box for deny for "apply group policy".
0
 

Author Comment

by:BMFC
ID: 40582744
Left this part out: I created a second security group called "Exclude GPO", added the users I wanted to exclude, then checked the deny box for "apply group policy", at the same time leaving Authenticated Users in to apply the policy.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40582779
Setting deny permissions for Authenticated Users will never apply the GPO to anybody, thus defeating the purpose of the GPO, as deny permissions always override allow.

The last comment will work; however, you should avoid setting deny permissions as far as possible.

The best way to do this: set the policy at domain level, create a group named blocked usb users, remove Authenticated Users from Security Filtering and add this new group there. Now the GPO will apply to this group only and not to Authenticated Users.

You don't have to specify explicit deny\allow permissions; the GPO will apply only to those users\groups who are on the Security Filtering tab.

Security Filtering will be found under the Scope tab.
0
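
The group-based scoping from the accepted answer, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original thread; the GPO name, domain DN and member accounts are placeholders. On systems patched with MS16-072 (June 2016) or later, user policy is retrieved in the computer's security context, so the script leaves Authenticated Users with Read permission only instead of removing it outright.

```powershell
# Added example: names below are placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Block USB Storage'     # hypothetical GPO name
$GroupName = 'Blocked USB Users'     # group named in the accepted answer
$DomainDN  = 'DC=example,DC=com'     # placeholder domain

# 1. Global security group holding the users to restrict.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Path "CN=Users,$DomainDN"
Add-ADGroupMember -Identity $GroupName -Members 'jdoe', 'asmith'  # constructed accounts

# 2. GPO carrying the user-side registry values behind
#    "Removable Disks: Deny read access" and "Deny write access".
New-GPO -Name $GpoName | Out-Null
$key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\' +
       '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($value in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $value `
                        -Type DWord -Value 1 | Out-Null
}

# 3. Security filtering: only the group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null
# Downgrade Authenticated Users from Apply to Read; -Replace is required
# because the default permission is higher than the one being set.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link at domain level, as the accepted answer recommends.
New-GPLink -Name $GpoName -Target $DomainDN | Out-Null

# 5. Review the resulting ACL: expect GpoApply only for the group,
#    and no entry with Denied = True.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Domain admins and servers stay unaffected as long as their accounts are not members of the group; run `gpresult /r` as a test user to confirm the GPO appears under applied user settings.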
