none
acess limited removable media by gpo

    Question

  • I am running Server 2008 R2 as a domain controller with active directory. I wish to deny access to any removable media for all computers (mostly win 7) in the domain except for administrators. Can I do this through group policy and if so, how.
    Thursday, January 15, 2015 5:47 AM

Answers

  • deny group policy 

    https://support.microsoft.com/kb/816100?wa=wsignin1.0

    instructions on applying the policy with pictures

    http://prajwaldesai.com/how-to-disable-usb-devices-using-group-policy/

    • Marked as answer by larrymthompson Tuesday, January 20, 2015 8:31 PM
    Tuesday, January 20, 2015 6:26 PM

All replies

  • yeh you can do this Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access - Deny all Access

    use security filtering in conjunction or delegation\advanced and deny read access and apply group policy for administrators of that GPO

    Thursday, January 15, 2015 10:05 AM
  • Hi larrymthompson,

    The setting provided by Alex works for your scenario, just one additional remind, it is not recommend to change the default domain policy.

    You can  create an OU which contains all the computers in the domain. And then link the group policy to this OU, and deny the administrators to apply this GPO. Regarding how to Deny All Access to Removable Devices or Media via group policy, you can check the below link for the details:

    http://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

    If you have any other questions, feel free to let me know.

    Best Regards,

    Elaine




    Friday, January 16, 2015 9:38 AM
    Moderator
  • Not sure why you would create an OU and add all the computers to that OU considering you can only be in one OU at a time and this wouldn't add to flexibility further down the line in fact Id stay well clear of this. I would just link to the domain NOT add to the default domain policy.
    Saturday, January 17, 2015 5:32 PM
  • Alex,

    Thank you for your reply. I did not consider moving the domain members into another OU due to my inability to determine whether I should move  them into another OU or copy them. My problem is apparently lack of knowledge into how to apply a group policy. I did indeed set the template to deny all removable media, but it apparently has no effect (or not the effect I wished). Additionally how does one set up a policy to except administrators (I know it would be to deny the deny) but the actual practice. They are already in a group (Administrators) so how do I create a policy that would except them from the deny all (once it works).

    Than you for your time.

    Larry Thompson

    Monday, January 19, 2015 4:22 PM
  • deny group policy 

    https://support.microsoft.com/kb/816100?wa=wsignin1.0

    instructions on applying the policy with pictures

    http://prajwaldesai.com/how-to-disable-usb-devices-using-group-policy/

    • Marked as answer by larrymthompson Tuesday, January 20, 2015 8:31 PM
    Tuesday, January 20, 2015 6:26 PM
  • Alex,

    Thank you for your time and considerations. I do believe this answers my questions, and have implemented same. Will be testing tomorrow, thanks again.

    Tuesday, January 20, 2015 8:32 PM
  • your welcome enjoy the forums
    Tuesday, January 20, 2015 8:38 PM