Limiting Access To Removable Drives


  • Hello,

    I am trying to configure a GPO that will limit users access to removable drives. I have configured two GPOs.

    The first to disable is configured in the computer configuration. It's enabled for Removable Disks: Deny read access, Removable Disks: Deny write access, WPD Devices: Deny read access, and WPD Devices: Deny write access. I've gone through all of the OUs and located computer objects and examined their member of properties. I then added the most common groups listed in members of to the security filtering pane.

    The second to enable is configured in the user configuration. It's disabled for All Removable Storage classes: Deny all access, CD and DVD: Deny write access, Floppy Drives: Deny read access, Floppy Drives: Deny write access, Removable Disks: Deny read access, Removable Disks: Deny write access, WPD Devices: Deny read access, & WPD Devices: Deny write access. I created a security group and added all of users that are permitted to have access to the devices.

    I linked both GPOs to the domain and made sure that the enable access took precedence over the disable access. I ran gpupdate /force and logged off and back on to the DC. I ran gpresult and both policies are showing in 'The following GPOs were not applied because they were filtered out' with 'Filtering: Denied (Security)'. I have verified that the objects listed in the security filtering are getting the correct permissions, but I'm still not sure why they're not working correctly.

    The GPOs were configured on a Windows 2008 server and is being applied to Windows 7 clients or higher.

    Any assistance would be greatly appreciated. Thank you in advance.

    Friday, April 3, 2015 3:47 PM

All replies

  • Hi,

    Firstly, please check the event viewer to check the detailed information for this error and find the root reason.

    In general, Denied (Security) is mainly caused by the security filtering on the GPO.Please check security filtering on the GPOs:

    Policy settings incorrectly applied or denied due to security filtering

    If the security filtering is empty, you can add the authenticated users into the list:

    Best regards,


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact

    Monday, April 6, 2015 9:26 AM
  • So I removed all security filtering from both GPOs and ran gpupdate /force. Logged off and back on and ran gpresult /v and they are both Denied (Security). I unlinked the allow usb devices GPO and ran the gpupdate /force again. GPresult is still showing Denied (Security) for the disable usb GPO. Not sure why this would still be happening with no security filtering at all.
    Monday, April 13, 2015 5:13 PM