Solved

Disable USB drives for non-admins

Posted on 2015-01-31
Medium Priority
636 Views
Last Modified: 2015-02-01
I would like to disable USB ports via Group Policy, but just for non-admins. I still need access for domain admins and servers, etc.

What is the best way to accomplish this?
Question by:BMFC
7 Comments
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 40581556
Please check this .adm file and follow this link

http://www.petri.com/disable_usb_disks_with_gpo.htm
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 40581742
The above process will work only for Windows XP and Windows 2000.

If you have Windows Vista\7\8\8.1, you need to use the settings below.
Under User configuration\administrative templates\system\Removable storage access, enable these settings:
Removable Disk: Deny Read Access
Removable Disk: Deny Write Access

There are other options also for CD, DVD and so on.

Apply this policy to the OU containing the users for whom you want to restrict access.
0
 

Author Comment

by:BMFC
ID: 40582700
I don't want to apply the policy to Authenticated Users. Does an AD group exist that will allow me to apply this policy and not affect domain admins, servers, etc.?
0

 
LVL 38

Expert Comment

by:Mahesh
ID: 40582732
You can do this in two ways:

1st way:
Add all the users to whom you want to apply this policy to one OU and apply this policy to that OU.
Ensure that you do not keep your admin accounts in this OU.
Even if the policy is applied to Authenticated Users (you can see them under Security Filtering in GPMC), it does not mean that the policy will apply to all authenticated users in the entire domain.
The policy will apply only to users in that particular OU because you have limited the GPO scope to that specific OU only.
This is a user configuration setting, hence keep only the required users in that OU and do not keep any computers\servers in this OU.
This will ensure that the policy applies only to the required users.

2nd way:
Create one global security group and add all the required user accounts in the domain to this group.
Create a new policy as stated in the 1st comment and apply this policy to the entire domain (domain level).
In GPMC, click on the GPO; on the right-hand side, under the Scope tab, you will find Security Filtering. Remove Authenticated Users from here and add the above security group.
This will ensure that the policy applies only to the selected users who are part of that security group.
0
 

Author Comment

by:BMFC
ID: 40582737
Would this work?  I left Authenticated Users under the Security Filtering then in the delegation tab, checked the box for deny for "apply group policy".
0
 

Author Comment

by:BMFC
ID: 40582744
Left this part out: I created a second security group called "Exclude GPO", added the users I wanted to exclude, then checked the box deny for "apply group policy", at the same time leaving Authenticated Users in to apply the policy.
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 40582779
Setting deny permissions for Authenticated Users will never apply the GPO to anybody, thus defeating the purpose of the GPO, as deny permissions always override allow.

The last comment will work; however, you should avoid setting deny permissions as far as possible.

The best way to do this: set the policy at domain level, create a group named blocked usb users, remove Authenticated Users from security filtering and add this new group there. Now the GPO will apply to this group only and not to Authenticated Users.

You don't have to specify explicit deny\allow permissions; the GPO will apply only to those users\groups who are on the Security Filtering tab.

Security filtering is found under the Scope tab.
0
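The group-filtered approach from the accepted solution, scripted with the RSAT ActiveDirectory and GroupPolicy modules. This is an added example, not part of the original thread; the GPO name, the group name and the sample account `jdoe` are assumptions, and the registry key is the one behind the two "Removable Disk: Deny ..." user settings quoted above.

```powershell
# Added example: run as a domain admin on a machine with RSAT installed.
Import-Module ActiveDirectory, GroupPolicy

$gpoName   = 'Block USB storage'    # hypothetical GPO name
$groupName = 'Blocked USB Users'    # the group suggested in the accepted answer
$domainDn  = (Get-ADDomain).DistinguishedName

# 1. Global security group that holds the users to restrict.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $groupName -Members 'jdoe'   # hypothetical user

# 2. GPO carrying the user-side settings
#    "Removable Disk: Deny Read Access" and "Removable Disk: Deny Write Access".
New-GPO -Name $gpoName | Out-Null
$key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\' +
       '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($value in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $value `
        -Type DWord -Value 1 | Out-Null
}

# 3. Security filtering: only the group gets "Apply group policy".
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Authenticated Users is lowered from Apply to Read rather than removed.
# Since security update MS16-072 (June 2016) user policy is retrieved in the
# computer's context, so computers still need Read on the GPO or it is skipped.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link at domain level, as in the accepted answer.
New-GPLink -Name $gpoName -Target $domainDn | Out-Null

# 5. Checks: show the resulting filter, then list any Domain Admins member that
#    ended up (directly or via nesting) in the restricted group.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
$admins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember $groupName -Recursive |
    Where-Object { $admins -contains $_.SamAccountName }
```

An empty result from the last command means no domain admin account is caught by the restriction; `gpresult /r` run as an affected user shows whether the GPO was applied or filtered out.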
