One group policy won't apply to server

    Question

  • We have defined a group policy to deny USB read/write access for a group of users.

    Policy settings:

    User Configuration/Policies/Administrative Templates/System/Removable Storage Access, and enable "Removable Disks: Deny read access" and "Removable Disks: Deny write access"

    In terms of the scope, the GPO is linked at the top domain level, and security filtering is set to just the "USB DENY" security group. Users who are in this security group are not allowed to read/write to USB drives.

    However, this group policy works for desktops and laptops but doesn't work for servers.

    When a user in scope RDPs to a server, we can see the group policy is applied via gpresult or rsop. But the user still has full access to the USB drive.

    We even tried the solution below, but no luck.

    Method 1: Use the Services snap-in to change the Startup Type option to Automatic
    1. Click Start, click Run, and then type services.msc.
    2. Right-click Portable Device Enumerator, and then click Properties.
    3. In the Startup Type list, click Automatic, and then click OK
    Method 2: Modify the startup value for the WPDBusEnum registry subkey

    Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
    1. Click Start, click Run, type regedit, and then click OK
    2. Locate the following registry subkey, and then click it: 
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WPDBusEnum\Start
    3. Click Edit, and then click Modify.
    4. In the Value data box, change the current value to 2.
    5. Restart the computer for the change to take effect. When the computer restarts, the Portable Device Enumerator service starts automatically.


    Rebooted the server, unplugged/replugged the USB drive. No luck.

    AD: 2003/2016

    Server: 2012/2012 R2

    desktop/laptop: Windows 10

    Any idea?

    Thursday, February 16, 2017 3:05 AM

Answers

  • Hi Wendy,

    Thanks for your suggestion. Unfortunately the Loopback doesn't work, and I can only see it in the old Windows 2003 group policy manager, not in 2016. It also mentioned this group policy only applies to Windows 2000 servers.

    I ended up creating a separate GPO for USB deny, configured on the computer. Then I divided the server OU into two sub-OUs, one "USB DENY" and the other "USB allow", and linked the new GPO to the "USB DENY" OU.

    • Marked as answer by wei_Inlogik Monday, February 20, 2017 9:58 PM
    Monday, February 20, 2017 9:58 PM
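
The approach in the marked answer, sketched in PowerShell as an added example (not the poster's own commands): it creates the two sub-OUs, builds a computer-side GPO carrying the same two Removable Disks deny settings, links it to the "USB DENY" OU, and defines a check to run on a server afterwards. The domain DN, the parent server OU and the GPO name are assumptions.

```powershell
# Added example. Assumed names: domain DN, parent server OU, GPO name.
# Steps 1-3 need the ActiveDirectory and GroupPolicy modules (RSAT).
$ServersOU = 'OU=Servers,DC=example,DC=com'
$GpoName   = 'USB Deny (Computer)'
# Registry policy path behind "Removable Disks: Deny read/write access";
# the GUID is the Removable Disks device class.
$SubKey = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\' +
          '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# 1. Split the server OU into the two sub-OUs named in the answer.
foreach ($ou in 'USB DENY', 'USB allow') {
    $found = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" `
                 -SearchBase $ServersOU -SearchScope OneLevel
    if (-not $found) { New-ADOrganizationalUnit -Name $ou -Path $ServersOU }
}

# 2. Create the GPO and set both deny values under Computer Configuration (HKLM).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
foreach ($value in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$SubKey" `
        -ValueName $value -Type DWord -Value 1 | Out-Null
}

# 3. Link it only to the "USB DENY" OU. Server accounts moved into that OU
#    receive the settings at their next computer policy refresh.
$target = "OU=USB DENY,$ServersOU"
$linked = (Get-GPInheritance -Target $target).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null }

# 4. Run on a server (needs only $SubKey): shows whether the deny values are
#    present per-computer (HKLM) and for the logged-on user (HKCU).
function Get-UsbDenyState {
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = Get-ItemProperty -LiteralPath "${hive}:\$SubKey" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope      = $hive
            Deny_Read  = $p.Deny_Read
            Deny_Write = $p.Deny_Write
        }
    }
}
Get-UsbDenyState | Format-Table -AutoSize
```

Empty Deny_Read/Deny_Write cells in the output mean the policy value is not set in that scope.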

All replies

  • Hi,
    As the group policy is a user configuration, it only applies to users, not servers. Maybe you could try using loopback mode to see if it works.
    Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs.
    You could see more details from:
    Circle Back to Loopback
    https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
    Windows Server: Understand “User Group Policy Loopback Processing Mode”
    https://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, February 16, 2017 7:36 AM
    Moderator
  • Dear,

    As rightly said by Wendy, the group policy has been configured for user. The policy will get applied only for the users present in the Group.

    Kindly check the username used to log in to the server. Is the username part of the same group? If yes, the policy will win until the server's OU has any deny option for the policies.

    Thanks

    Syed Abdul Kadar M.


    Don't forget to mark as Answered if you found this post helpful.

    Thursday, February 16, 2017 7:51 AM
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy



    Monday, February 20, 2017 9:48 AM
    Moderator