We're trying to implement a GPO that will block USB storage devices.
It appears that there are at least two approaches at the broad design level:
1) Apply the GPO to users.
2) Apply the GPO to computers.
We tried applying a new GPO to users like this:
- Set up a User's Security Group
- Set up a GPO with Scope including the User's Security Group
- and with Authorized Users having READ and NOT Apply GPO
- Then, the GP settings for removable storage are added as well
- Then the GPO is linked to the User's OU
- Then blocked Users are added to the User's Security Group
It didn't work for us.
The other approach would seem to be:
- Set up an OU of Computers
- Create a simple GPO with the same settings for removable storage
- Link the GPO to an appropriate Computer OU or set of them
- Move pertinent computers into the appropriate Computer OUs
I haven't done the latter yet but I have more confidence in it.
Any suggestions?
If, however, the users are of a mind to get that flash drive inserted no matter what, then they will go around to the back panel connectors and those are generally installed on the motherboard. In that case, yes, then the issue must be handled in the Registry.
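The computer-scoped approach from the question, as an added example that is not part of the original thread: one function creates and links the GPO with the GroupPolicy module, the other checks on a client which scope actually delivered the setting. The GPO name and OU path are hypothetical, and the example assumes the setting in use is "All Removable Storage classes: Deny all access", which the thread does not name.

```powershell
# Added example (not from the thread). Values marked "hypothetical" are assumptions.
# Assumed setting: "All Removable Storage classes: Deny all access" (Deny_All = 1).
$PolicySubKey = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Run on a management host with the GroupPolicy (RSAT) module.
function New-RemovableStorageBlockGpo {
    param(
        [string]$GpoName  = 'Block Removable Storage (Computers)',   # hypothetical
        [string]$TargetOu = 'OU=Restricted PCs,DC=example,DC=com'    # hypothetical
    )
    Import-Module GroupPolicy -ErrorAction Stop

    # Reuse the GPO if it already exists so the function can be re-run safely.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

    # An HKLM key lands in Computer Configuration, so it applies to every
    # account that logs on to a machine in the linked OU.
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$PolicySubKey" `
        -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

    # Link only once; no security-group filtering is needed for this scope.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu | Out-Null }
    $gpo
}

# Run on a client after "gpupdate /force": shows which scope delivered the setting.
function Test-RemovableStoragePolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$PolicySubKey" `
            -Name 'Deny_All' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope   = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
            Present = [bool]$item
            DenyAll = ($item.Deny_All -eq 1)
        }
    }
}

Test-RemovableStoragePolicy | Format-Table -AutoSize
```

Call `New-RemovableStorageBlockGpo` from the management host; if `Present` is False for both scopes on a client, the GPO never applied there, which points at linking or filtering rather than at the setting itself.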