
Block USB Storage Devices

Fred Marshall
We're trying to implement a GPO that will block USB storage devices.
It appears that there are at least two approaches at the broad design level:
1) Apply the GPO to users.
2) Apply the GPO to computers.
We tried applying a new GPO to users like this:
  • Set up a User's Security Group
  • Set up a GPO with Scope including the User's Security Group
  • and with Authorized Users having READ and NOT Apply GPO
  • Then, the GP settings for removable storage are added as well
  • Then the GPO is linked to the User's OU
  • Then blocked Users are added to the User's Security Group
It didn't work for us.  

The other approach would seem to be:
  • Set up an OU of Computers
  • Create a simple GPO with the same settings for removable storage
  • Link the GPO to an appropriate Computer OU or set of them
  • Move pertinent computers into the appropriate Computer OUs

I haven't done the latter yet but I have more confidence in it.

Any suggestions?
Dr. Klahn, Principal Software Engineer

Depending on what kind of environment you are in, sometimes it is simpler to open up the case, disconnect the front panel USB cable connector at the motherboard, and close it back up again.  This will prevent casual use from the front panel connectors and anybody trying to re-enable the front panel USB will trip the tamper detection switch inside.

If, however, the users are of a mind to get that flash drive inserted no matter what, then they will go around to the back panel connectors and those are generally installed on the motherboard.  In that case, yes, then the issue must be handled in the Registry.
Distinguished Expert 2018

Your GPO, was it configured in the user config section or computer config section?
If you target users, the user config section needs to be used, then of course it works your way.

So I suspect you targeted users, but made that setting in the computer config section.

One could install physical port locks, as an example:



McKnife: I want to make sure that I know what you mean by "user config section" and "computer config section". Those terms aren't familiar to me. Perhaps I just missed seeing it as the screens were being changed. Otherwise, I'd say: Yes, I did say "Then the GPO is linked to the User's OU". But our terms are so different, I thought I'd better ask.

Thank you!
Distinguished Expert 2018

Any GPO has two main sections named "computer configuration" and "user configuration". If you are applying this to an OU with users, you need to use the user config. section, not the computer config. section.


Ah yes. In the GPO's Settings tab and/or the GPO's Edit window. We did have it correct but this led us to find an error. I made a diagram so I might better envision what's what.
[Diagram: GPO Elements of a Particular GPO]
So, this is a first shot at a particular GPO like the one I described initially. I'm sure it can be improved as it may imply things that aren't quite correct.

Perhaps it doesn't make a difference where one starts in thinking about creating a GPO.  In this diagram, I rather envision that there would be Groups (of Users in this case) that it will apply to.  I've assumed for testing that there may be at least one interim Group that's larger than the initial Group and smaller than the final or end Group.
Same thing for OU's.
So, my brain goes to defining these two things and their possible evolution first.
And, the GPO can be done, using them, last.
Distinguished Expert 2018

Use gpresult as a user that is a member of the test group and see if the GPO has applied or not.


McKnife:  Thanks!  Very helpful!

For an affected User logged into a workstation:
I can see the intended Applied Group Policy Object.
I can see the User membership in the affected Group
I can see related registry entries (that I don't understand...).
I can't see the corresponding entries in gpedit and they aren't grayed out either.
I might have expected that.  ?

I find it a bit confusing that the Usernames have to be listed twice:
Once in the user OU
Once in the Group to which the GPO is applied
So, this implies that having a name removed from either one will affect the outcome.  Is that right?
Distinguished Expert 2018
To your last question: yes, that's right. The filtering needs the group membership. The linking needs the OU membership.

Gpedit does not reflect what's set - that is normal and expected. Always use gpresult.

So it says it has applied but the user may still use usb devices?


McKnife: Thank you!

So, which supersedes the other and why? I can think of these rather obvious cases:

The OU membership is larger than the Group membership.
The Group membership is larger than the OU membership.
My guess would be that the more restrictive would apply but that the situation would be allowed in either case when constructing.
I can well imagine then, using a large OU as a handy point of reference (such as ALL Users) and then actively controlling with the Group membership.  Is that common practice?

I've not yet been able to do a physical test as I'm off site and it will be tomorrow before we can do a physical test.
Distinguished Expert 2018

There is no supersedence in play. Let me clarify the basics:

- GPOs are linked to the domain head or to OUs.
- If you link them to the domain head, the GPOs apply to anyone (users) and any machine (computers). User settings are applied to users and computer settings (from the computer config. section) apply to computers.
- If you want filtering to happen, you may use security groups for that.
- If you want the GPO to apply only to a certain OU, don't link it to the domain head but to the OU.
- You can of course do both, link it to an OU and use security filtering as well.
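
The scoping rules listed above, as an added example that is not part of the original thread: a small Python model of how the link (OU), the security filter (group) and the section that holds the settings combine for one logon. All account, OU and group names are constructed; loopback processing, link enforcement and blocked inheritance are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    """A user or computer account: where it lives and what it is a member of."""
    dn: str
    groups: frozenset

@dataclass
class Gpo:
    name: str
    links: list         # DNs of the domain head / OUs the GPO is linked to
    apply_groups: set   # security filtering: groups with Read + Apply
    sections: set       # which halves hold settings: "user", "computer"

def in_link_scope(gpo, account):
    """Linking: the account must sit in (or below) a container the GPO is linked to."""
    dn = account.dn.lower()
    return any(dn.endswith("," + link.lower()) for link in gpo.links)

def passes_filter(gpo, account):
    """Filtering: the account must belong to a group that may apply the GPO."""
    return bool(gpo.apply_groups & account.groups)

def evaluate(gpo, user, computer):
    """Return {section: (applies, reason)} for one logon of `user` on `computer`."""
    result = {}
    # User settings are scoped by the user account, computer settings by the machine.
    for section, account in (("user", user), ("computer", computer)):
        if section not in gpo.sections:
            result[section] = (False, "no settings in this section")
        elif not in_link_scope(gpo, account):
            result[section] = (False, "account is outside the linked OU")
        elif not passes_filter(gpo, account):
            result[section] = (False, "filtered out by security group")
        else:
            result[section] = (True, "applied")
    return result

# Constructed sample directory (every name here is made up for this example).
DOMAIN = "DC=corp,DC=example"
alice = Principal(f"CN=alice,OU=Staff,{DOMAIN}", frozenset({"Domain Users", "USB-Blocked"}))
bob = Principal(f"CN=bob,OU=Staff,{DOMAIN}", frozenset({"Domain Users"}))
carol = Principal(f"CN=carol,OU=Contractors,{DOMAIN}", frozenset({"Domain Users", "USB-Blocked"}))
pc01 = Principal(f"CN=PC01,OU=Workstations,{DOMAIN}", frozenset({"Domain Computers"}))

block_user = Gpo("Block USB", [f"OU=Staff,{DOMAIN}"], {"USB-Blocked"}, {"user"})
block_wrong = Gpo("Block USB", [f"OU=Staff,{DOMAIN}"], {"USB-Blocked"}, {"computer"})
block_pc = Gpo("Block USB", [f"OU=Workstations,{DOMAIN}"], {"Domain Computers"}, {"computer"})
```

`block_wrong` is the misconfiguration suspected earlier in the thread: the GPO is linked and filtered for users, but the settings live in the computer section, so nothing takes effect for the user.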


Thanks!  McKnife answered a lot of questions here!  Very helpful!!