Disable USB drives for non-admins

Posted on 2015-01-31
Last Modified: 2015-02-01
I would like to disable usb ports via Group Policy, but just for non-admins.  I still need access for domain admins and servers, etc.

What is the best way to accomplish this?
Question by:BMFC
7 Comments
 
Expert Comment

by:Gajendra Rathod
ID: 40581556
Please check this .adm file and follow this link

http://www.petri.com/disable_usb_disks_with_gpo.htm

Expert Comment

by:Mahesh
ID: 40581742
The above process will work only for WinXP and Win2000.

If you have Win Vista\7\8\8.1, you need to use the settings below.
Under User configuration\administrative templates\system\Removable storage access, enable these settings:
Removable Disk: Deny Read Access
Removable Disk: Deny Write Access

There are other options also for CD, DVD and so on.

Apply this policy to the OU containing the users for which you want to restrict access.

Author Comment

by:BMFC
ID: 40582700
I don't want to apply the policy to Authenticated Users. Does an AD group exist that will allow me to apply this policy and not affect domain admins, servers, etc.?

Expert Comment

by:Mahesh
ID: 40582732
You can do this in TWO ways:

1st way:
Either you add all users to whom you want to apply this policy to one OU and apply this policy on that OU.
Ensure that you do not keep your admin accounts in this OU.
Even if the policy is applied to authenticated users (you can see them on security filtering in GPMC), it does not mean that the policy will apply to all authenticated users in the entire domain.
The policy will apply only to users in that particular OU because you have limited the GPO scope to that specific OU only.
This is a user configuration setting, hence keep only the required users in that OU and do not keep any computers \ servers in this OU.
This will ensure that the policy will apply to only the required users.

2nd way:
Create one global security group and add all required user accounts in the domain to this group.
Create a new policy as stated in the 1st comment and apply this policy to the entire domain (domain level).
In GPMC, click on the GPO and on the right-hand side under the scope tab you will find security filtering; remove authenticated users from here and add the above security group.
This will ensure that the policy will apply to only the selected users who are part of that security group.

Author Comment

by:BMFC
ID: 40582737
Would this work?  I left Authenticated Users under the Security Filtering then in the delegation tab, checked the box for deny for "apply group policy".

Author Comment

by:BMFC
ID: 40582744
Left this part out: I created a second security group called "Exclude GPO", added users I wanted to exclude, then checked the box deny for "apply group policy", at the same time leaving authenticated users in to apply the policy.

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40582779
Setting authenticated users deny permissions will never apply GPO to anybody, thus defeating the purpose of GPO, as deny perms always override the allow.

The last comment will work; however, you should avoid setting deny permissions as far as possible.

The best way to do this: set the policy at domain level, create a group named blocked usb users, remove authenticated users from security filtering and add this new group there. Now the GPO will apply to this group only and not authenticated users.

You don't have to specify explicit deny \ allow permissions; the GPO will apply to only those users \ groups who are on the security filtering tab.

Security filtering will be found under the scope tab.