none
Group Policy for Removable Storage under User Settings of GPO is not Working

    Question

  • I have tried the Removable Storage settings (CD, DVD, DISK)  under Computer Settings in a 2008 R2 domain. It works fine but it wont work if I define the settings under User settings. My client PC's are 2008 R2 and Windows 7. Is it not possible to make it work under User Settings of GPO?
    Monday, February 9, 2015 2:33 PM

Answers

  • User settings are effective only with client OS such as Windows 7.
    • Marked as answer by avilt Tuesday, March 17, 2015 2:34 PM
    Tuesday, March 17, 2015 2:34 PM

All replies

  • Hi,

    You can configure the group policy with user settings to deny removable access.

    You can follow the step below:

    User Configuration\Policies\Administrative Templates\System\Removable Storage Access\All removable storage classes\Deny all access.

    Make sure you link the GPO correctly.

    Would you please have a try and let’s know the result?

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 10, 2015 6:10 AM
    Moderator
  • I have already made the GPO as explained and linked it to top level (domain level). It desn't work.

    It's the same issue experienced by other users as explained in the following link

    http://community.spiceworks.com/topic/516614-group-policy-not-applying-to-user-account-removable-storage-access

    • Edited by avilt Tuesday, February 10, 2015 7:12 PM
    Tuesday, February 10, 2015 7:06 AM
  • Hi Avilt,

    Would you please let me know how you configure the security filtering?

    Also please help to run a gpresult and post us then we can check if there's any other gpo may overwrite this group policy.

    Looking forward to your reply.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 11, 2015 9:51 AM
    Moderator
  • Please refer the gpresult output below. If I define the same settings under computer configuration, it works. Is it working for you?


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001
    Created On 2/11/2015 at 1:55:14 PM
    RSOP data for MYDOMAIN\ADMIN on 2008-CLIENT : Logging Mode
    -----------------------------------------------------------

    OS Configuration:            Member Server
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\ADMIN.MYDOMAIN
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=2008-CLIENT,OU=PAS-Windows 2008,OU=MYOFFICE,DC=MYDOMAIN,DC=NET
        Last time Group Policy was applied: 2/11/2015 at 12:25:43 PM
        Group Policy was applied from:      DC-1.MYDOMAIN.NET
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        MYDOMAIN
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Local Group Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            MYDOMAIN Removable Device Policy Users
                Filtering:  Disabled (GPO)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            2008-CLIENT$
            Domain Computers
            System Mandatory Level
            

    USER SETTINGS
    --------------
        CN=ADMIN,CN=Users,DC=MYDOMAIN,DC=NET
        Last time Group Policy was applied: 2/11/2015 at 1:53:11 PM
        Group Policy was applied from:      DC-1.MYDOMAIN.NET
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        MYDOMAIN
        Domain Type:                        Windows 2000
        
        Applied Group Policy Objects
        -----------------------------
            MYDOMAIN Removable Device Policy Users

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Default Domain Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            
        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            
            

    Wednesday, February 11, 2015 4:24 PM
  • Hi Avilt,

    When configure the setting under computer configurations, the policy would apply on the computers no matter what kind of user accounts logged on it.

    When configure the settings under user configuration just as you set up in your environment, it failed to apply.

    I checked the logs you posted here, that the user you logged on the server is domain admin user.

    Did you tried to log in with a general user accout and check if it works?

    Regarding your problem here, I did a test in my environment, and it turns out that i can reproduce your problem.

    My domain is windows server 2012, DC: Windows server 2012 Standard; Member server: Windows server 2012 R2; Client: Windows 7

    I set the GPO as the same as yours, when I apply the GPO, it works on both server and client when I logged in with general user account.

    However, when i logged in with domain admin, it just works on the clients but failed on the servers.

    I found a document below which suit for the removable storage access GPO failed apply on windows server 2008, you can refer to this and have a try:

    https://support.microsoft.com/kb/2214863?wa=wsignin1.0

    Please let me know with the result.

    Best Regards

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 12, 2015 10:38 AM
    Moderator
  • I have tried all the work around you have suggested, none of them are working.

    As a normal user too  I can access the USB/CD. Updated the registry key as suggested by Microsoft. My client PC's are also running 2008 R2.

    Please advise.

    Thursday, February 12, 2015 12:22 PM
  • User settings are effective only with client OS such as Windows 7.
    • Marked as answer by avilt Tuesday, March 17, 2015 2:34 PM
    Tuesday, March 17, 2015 2:34 PM