How can I allow nonadmins to use USB drives while also preventing unauthorized applications from running on the computer?

    General discussion

  • Is there a way using GPOs to restrict the running of unauthorized apps on a Windows 7 workstation while also allowing any USB stick to be loaded?

    I'm building PCs for use in a public library, where patrons can access the internet, use MS Office applications, play games and use a few more basic apps.  The PCs are running Windows 7 Ultimate and we have set up local GPOs to restrict access to most everything except the specific applications that we want them to run.  We need them to be able to insert USB sticks and access the contents on these drives so that they can work on resumes, school projects, etc. but our current GPO "Run only specified Windows applications" is preventing the USBs from working.  When we turn off this GPO, the USB sticks are loaded fine with no problems.  When we turn on the "Run only specified Windows applications" GPO, we run into issues when USBs are inserted -- pop-ups about system restrictions, USB contents are not accessible in some instances.  We've tried adding GUIDs and device IDs to the GPOs in Driver Installation and Device Installation Restrictions but since we can't predict what kind of USB stick a patron will use, we can't include all the GUIDs we will need.

    It seems easy to deny access to removable drives, but is there a way to ALLOW access to all USB devices while still restricting the running of unauthorized apps?  The PCs are running Windows 7 Ultimate 64-bit.  Thanks in advance for all suggestions and advice.

    Thursday, November 15, 2012 6:46 PM

All replies

  • Hi,


    You can check whether the following article could help:


    Configure Computer Policy to Allow Non-Administrators to Install Specific Devices

    http://technet.microsoft.com/en-us/library/cc725772.aspx


    Regards,


    Vincent Wang

    TechNet Community Support

    Monday, November 19, 2012 3:21 AM
  • Hi Vincent,

    I am working on a similar issue as we too need to set up shared computers for a public library. I had added GUIDs from the article mentioned and drivers load for non-administrators for all USB disk / storage devices I have tested.

    If I restrict the running of applications using GPO "run only specified applications" I too have Windows 7 Professional report errors. If I remove the GPO "run only specified applications" then no errors are reported.

    When you insert a USB storage device, Windows must be trying to run some applications as the user but unfortunately ProcMon does not show this. This also happens if you right-click the disk for the USB in My Computer and choose Eject. In both cases with GPO applied you get errors.

    Can you detail what ".exe" are run when you insert a USB device? We cannot allow all applications to be available to the public using our computers within the library.

    thanks

    John


    John Starr

    Tuesday, November 20, 2012 3:58 AM
  • Monika,

    This has been a very painful exercise but I have been able to establish that you at least need to allow the following executables:

    DeviceDisplayObjectProvider.exe

    DeviceEject.exe

    DFDWiz.exe

    This has resolved the issues I was seeing. I know that this is not a total list as when I go to Explorer and right-click on a USB-based drive and choose Eject I get an error. I guess it is not enough to allow DeviceEject.exe. I will continue to investigate but maybe someone else can advise what Windows files are used by the user when they insert/eject a USB thumb drive etc.

    I hope this helps

    John


    John Starr

    Tuesday, November 20, 2012 9:00 AM
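
The allow list described in the post above can be audited from PowerShell. This is an added example, not code from any poster in this thread; it assumes the "Run only specified Windows applications" policy is stored in its standard per-user registry location (`Policies\Explorer\RestrictRun`) and checks only the three executable names John lists.

```powershell
# Added example, not from the thread: audit the current user's
# "Run only specified Windows applications" allow list.
# Assumption: the policy uses its standard per-user registry location.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'

# Executables named in the post above (the poster notes the list is not complete).
$required = @(
    'DeviceDisplayObjectProvider.exe',
    'DeviceEject.exe',
    'DFDWiz.exe'
)

function Test-RestrictRunEnabled {
    param([string]$Path)
    # The policy is active when the DWORD value RestrictRun equals 1.
    $p = Get-ItemProperty -Path $Path -Name RestrictRun -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.RestrictRun -eq 1)
}

function Get-RestrictRunList {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    # Each value under the RestrictRun subkey holds one allowed executable name.
    @($key.GetValueNames() |
        ForEach-Object { [string]$key.GetValue($_) } |
        Where-Object { $_ })
}

$enabled = Test-RestrictRunEnabled -Path $policyKey
$allowed = Get-RestrictRunList -Path $listKey

# -notcontains compares case-insensitively, matching how file names are treated.
$missing = @($required | Where-Object { $allowed -notcontains $_ })

Write-Output ("Policy enabled : {0}" -f $enabled)
Write-Output ("Allowed entries: {0}" -f $allowed.Count)
if ($enabled -and $missing.Count -gt 0) {
    Write-Output "Not on the allow list (USB insert/eject may raise restriction errors):"
    $missing | ForEach-Object { Write-Output "  $_" }
} elseif ($enabled) {
    Write-Output "All three executables from the post are on the allow list."
}
```

The policy is a per-user setting, so the values appear in the registry hive of the account the policy applies to, not necessarily the administrator's.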
  • Thanks Vincent.  We have tried to assign GUIDs as detailed in this article, but continue to have issues with some USBs.  It's as though they have a different device class, but since we are not on site when patrons come in with these USBs we have no way of knowing what they are. We need a broader way to allow USB devices to be run by non-admins; if you can think of a different way please post as we are still working on this issue.  Thanks.
    Wednesday, November 21, 2012 3:29 PM
  • Thanks John - I will try what you did and see what happens.
    Wednesday, November 21, 2012 3:33 PM