none
Blocking Removeable media via GPO with logging

    Question

  • We have a requirement to block write access to removable media unless users are in specific groups. We accomplished this task with Group Policy (Administrative Templates, System, and Removable Storage Access.), however we also have a requirements to log events when users attempt to write to USB devises and they are denied.

    So GPO is in place and users who are authorized to write are able to write and users who are authorized for read can read only. Now I need to log the event when a user in read only group attempts to write.

    Does anyone know what event log generates when a users attempts to write to removable media and the pop displays that says that are denied?

      

    Thanks -Brandon


    • Edited by combolc Thursday, April 02, 2015 2:24 PM
    Thursday, April 02, 2015 2:23 PM

Answers

  • Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy Configuration, double-click Object Access, and then double-click Audit Removable Storage. Full details here https://technet.microsoft.com/en-gb/library/jj574128.aspx?f=255&MSPPError=-2147217396
    • Marked as answer by combolc Thursday, April 02, 2015 3:48 PM
    Thursday, April 02, 2015 2:48 PM

All replies

  • Hi

    You can edit this settings on GPO editor;

    Computer Configuration->Policies->Administrative Templates->System->Removable Storage Access

    Thursday, April 02, 2015 2:32 PM
  • Hi

    You can edit this settings on GPO editor;

    Computer Configuration->Policies->Administrative Templates->System->Removable Storage Access

    edit what setting? The GPO is working we need cover the logging requirement.

    We need to know when a users gets blocked by the GPO and receives the popup telling them they are not authorized to write. What even log does that generate?


    • Edited by combolc Thursday, April 02, 2015 2:38 PM
    Thursday, April 02, 2015 2:38 PM
  • Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy Configuration, double-click Object Access, and then double-click Audit Removable Storage. Full details here https://technet.microsoft.com/en-gb/library/jj574128.aspx?f=255&MSPPError=-2147217396
    • Marked as answer by combolc Thursday, April 02, 2015 3:48 PM
    Thursday, April 02, 2015 2:48 PM
  • That's great, thanks. unfortunately we are using windows 7 on desktop side.

    Anyone have a Windows 7 solution?


    • Edited by combolc Thursday, April 02, 2015 3:49 PM
    Thursday, April 02, 2015 3:48 PM