Solved

Disable USB drives for non-admins

Posted on 2015-01-31
Last Modified: 2015-02-01
I would like to disable USB ports via Group Policy, but just for non-admins. I still need access for domain admins and servers, etc.

What is the best way to accomplish this?
Question by:BMFC

Expert Comment

by:Gajendra Rathod
ID: 40581556
Please check this .adm file and follow this link

http://www.petri.com/disable_usb_disks_with_gpo.htm

Expert Comment

by:Mahesh
ID: 40581742
The above process will work only for Windows XP and Windows 2000.

If you have Windows Vista\7\8\8.1, you need to use the settings below.
Go to User Configuration\Administrative Templates\System\Removable Storage Access and enable the settings below:
Removable Disk: Deny Read Access
Removable Disk: Deny Write Access

There are other options also for CD, DVD and so on.

Apply this policy to the OU containing the users for which you want to restrict access.

Author Comment

by:BMFC
ID: 40582700
I don't want to apply the policy to Authenticated Users. Does an AD group exist that will allow me to apply this policy and not affect domain admins, servers, etc.?

Expert Comment

by:Mahesh
ID: 40582732
You can do this in TWO ways:

1st way:
Add all users to whom you want to apply this policy to one OU and apply this policy on that OU.
Ensure that you do not keep your admin accounts in this OU.
Even if the policy is applied to Authenticated Users (you can see them under security filtering in GPMC), it does not mean that the policy will apply to all authenticated users in the entire domain.
The policy will apply only to users in that particular OU because you have limited the GPO scope to that specific OU only.
This is a user configuration setting, hence keep only the required users in that OU and do not keep any computers \ servers in this OU.
This will ensure that the policy will apply to only the required users.

2nd way:
Create one global security group and add all required user accounts in the domain to this group.
Create a new policy as stated in the 1st comment and apply this policy to the entire domain (domain level).
In GPMC, click on the GPO and on the right-hand side, under the Scope tab, you will find security filtering; remove Authenticated Users from here and add the above security group.
This will ensure that the policy will apply only to the selected users who are part of that security group.

Author Comment

by:BMFC
ID: 40582737
Would this work? I left Authenticated Users under the Security Filtering, then in the Delegation tab, checked the box for deny for "apply group policy".

Author Comment

by:BMFC
ID: 40582744
Left this part out: I created a second security group called "Exclude GPO", added the users I wanted to exclude, then checked the box deny for "apply group policy", at the same time leaving Authenticated Users in to apply the policy.

Accepted Solution

by:Mahesh
ID: 40582779
Setting deny permissions for Authenticated Users will never apply the GPO to anybody, thus defeating the purpose of the GPO, as deny permissions always override allow.

The last comment will work; however, you should avoid setting deny permissions as far as possible.

The best way to do this: set the policy at domain level, create a group named blocked usb users, remove Authenticated Users from security filtering and add this new group there. Now the GPO will apply to this group only and not to Authenticated Users.

You don't have to specify explicit deny \ allow permissions; the GPO will apply only to those users \ groups who are on the security filtering tab.

Security filtering will be found under the Scope tab.
0
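The group-based scoping from the accepted solution, scripted with the ActiveDirectory and GroupPolicy PowerShell modules; this is an added example, not code posted by anyone in the thread. The GPO name and member accounts are placeholders, the group name follows the accepted answer, and the registry values are the ones behind the two Removable Disk settings named earlier. Unlike removing Authenticated Users in GPMC, the script leaves them Read (not Apply) permission, because since the MS16-072 update user policy is retrieved in the computer's security context and is skipped if the computer cannot read the GPO.

```powershell
# Added example: scope a user-side GPO to one security group (run once, as a
# domain admin, on a machine with RSAT). Names below are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'Blocked USB Users'            # group name from the accepted answer
$GpoName   = 'Deny Removable Disk Access'   # assumed GPO name
$Members   = @('jdoe', 'asmith')            # placeholder user accounts
$DomainDN  = (Get-ADDomain).DistinguishedName

# 1. Global security group that holds only the users to be restricted.
#    Admin accounts are simply never added, so no Deny ACE is needed.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Create the GPO and link it at domain level.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null

# 3. User Configuration > Administrative Templates > System >
#    Removable Storage Access: Removable Disk deny read / deny write.
$Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\' +
       '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($Value in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value `
        -Type DWord -Value 1 | Out-Null
}

# 4. Security filtering: the group gets Read + Apply, Authenticated Users is
#    downgraded from Apply to Read only (see the MS16-072 note in the lead-in).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 5. Review the resulting ACL: only $GroupName should show GpoApply, and the
#    Denied column should be False for every trustee.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize
```

Group membership is evaluated at logon, so a user added to the group picks up the policy at their next sign-in; `gpresult /r` run as that user shows whether the GPO was applied or filtered out.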

Question has a verified solution.
