Block USB Storage Devices
We're trying to implement a GPO that will block USB storage devices.
It appears that there are at least two approaches at the broad design level:
1) Apply the GPO to users.
2) Apply the GPO to computers.
We tried applying a new GPO to users like this:
The other approach would seem to be:
I haven't done the latter yet but I have more confidence in it.
Any suggestions?
It appears that there are at least two approaches at the broad design level:
1) Apply the GPO to users.
2) Apply the GPO to computers.
We tried applying a new GPO to users like this:
- Set up a User's Security Group
- Set up a GPO with Scope including the User's Security Group
- and with Authorized Users having READ and NOT Apply GPO
- Then, the GP settings for removable storage are added as well
- Then the GPO is linked to the User's OU
- Then blocked Users are added to the User's Security Group
The other approach would seem to be:
- Set up an OU of Computers
- Create a simple GPO with the same settings for removable storage
- Link the GPO to an appropriate Computer OU or set of them
- Move pertinent computers into the appropriate Computer OUs
I haven't done the latter yet but I have more confidence in it.
Any suggestions?
Your GPO, was it configured in the user config section or computer config section?
If you target users, the user config section needs to be used, then of course it works your way.
So I suspect you targeted users, but made that setting in the computer config section.
If you target users, the user config section needs to be used, then of course it works your way.
So I suspect you targeted users, but made that setting in the computer config section.
One could install physical port locks, as an example:
https://www.amazon.com/Lindy-USB-Port-Blocker-Green/dp/B000I2JWJ0
https://www.amazon.com/Lindy-USB-Port-Blocker-Green/dp/B000I2JWJ0
ASKER
McKnife: I want to make sure that I know what you mean by "user config section" and "computer config section". Those terms aren't familiar to me. Perhaps I just missed seeing it as the screens were being changed. Otherwise, I'd say "Yes, I did say "Then the GPO is linked to the User's OU". But our terms are so different, I thought I'd better ask.
Thank you!
Thank you!
Any GPO has two main sections named "computer configuration" and "user configuration". If you are applying this to an OUZ with users, you need to use the user config. section, not the computer config. section.
ASKER
Ah yes. In the GPO's Settings tab and/or the GPO's Edit window. We did have it correct but this led us to find an error. I made a diagram so I might better envision what's what.
So, this is a first shot at a particular GPO like the one I described initially. I'm sure it can be improved as it may imply things that aren't quite correct.
Perhaps it doesn't make a difference where one starts in thinking about creating a GPO. In this diagram, I rather envision that there would be Groups (of Users in this case) that it will apply to. I've assumed for testing that there may be at least one interim Group that's larger than the initial Group and smaller than the final or end Group.
Same thing for OU's.
So, my brain goes to defining these two things and their possible evolution first.
And, the GPO can be done, using them, last.
So, this is a first shot at a particular GPO like the one I described initially. I'm sure it can be improved as it may imply things that aren't quite correct.Perhaps it doesn't make a difference where one starts in thinking about creating a GPO. In this diagram, I rather envision that there would be Groups (of Users in this case) that it will apply to. I've assumed for testing that there may be at least one interim Group that's larger than the initial Group and smaller than the final or end Group.
Same thing for OU's.
So, my brain goes to defining these two things and their possible evolution first.
And, the GPO can be done, using them, last.
Use gpresult as a user that is member of the test group and see if the GPO has applied or not.
ASKER
McKnife: Thanks! Very helpful!
For an affected User logged into a workstation:
I can see the intended Applied Group Policy Object.
I can see the User membership in the affected Group
I can see related registry entries (that I don't understand...).
However,
I can't see the corresponding entries in gpedit and they aren't grayed out either.
I might have expected that. ?
I find it a bit confusing that the Usernames have to be listed twice:
Once in the user OU
Once in the Group to which the GPO is applied
So, this implies that having a name removed from either one will affect the outcome. Is that right?
For an affected User logged into a workstation:
I can see the intended Applied Group Policy Object.
I can see the User membership in the affected Group
I can see related registry entries (that I don't understand...).
However,
I can't see the corresponding entries in gpedit and they aren't grayed out either.
I might have expected that. ?
I find it a bit confusing that the Usernames have to be listed twice:
Once in the user OU
Once in the Group to which the GPO is applied
So, this implies that having a name removed from either one will affect the outcome. Is that right?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
McKnife: Thank you!
So, which supercedes the other and why? I can think of these rather obvious cases:
The OU membership is larger than the Group membership.
The Group membership is larger than the OU membership.
My guess would be that the more restrictive would apply but that the situation would be allowed in either case when constructing.
I can well imagine then, using a large OU as a handy point of reference (such as ALL Users) and then actively controlling with the Group membership. Is that common practice?
I've not yet been able to do a physical test as I'm off site and it will be tomorrow before we can do a physical test.
So, which supercedes the other and why? I can think of these rather obvious cases:
The OU membership is larger than the Group membership.
The Group membership is larger than the OU membership.
My guess would be that the more restrictive would apply but that the situation would be allowed in either case when constructing.
I can well imagine then, using a large OU as a handy point of reference (such as ALL Users) and then actively controlling with the Group membership. Is that common practice?
I've not yet been able to do a physical test as I'm off site and it will be tomorrow before we can do a physical test.
There is no supercedence in play. Let me clarify the basics:
-GPOs are linked to the domain head or to OUs.
-If you link them to the domain head, the GPOs apply to anyone (users) and any machine (computers). User settings are applied to users and computer settings (from the computer config. section) apply to computers.
-if you want filtering to happen, you may use security groups for that.
-if you want the GPO to apply only to a certain OU, don't link it to the domain head but to the OU
-you can of course do both, link it to an OU and use security filtering as well
-GPOs are linked to the domain head or to OUs.
-If you link them to the domain head, the GPOs apply to anyone (users) and any machine (computers). User settings are applied to users and computer settings (from the computer config. section) apply to computers.
-if you want filtering to happen, you may use security groups for that.
-if you want the GPO to apply only to a certain OU, don't link it to the domain head but to the OU
-you can of course do both, link it to an OU and use security filtering as well
ASKER
Thanks! McKnife answered a lot of questions here! Very helpful!!
If, however, the users are of a mind to get that flash drive inserted no matter what, then they will go around to the back panel connectors and those are generally installed on the motherboard. In that case, yes, then the issue must be handled in the Registry.