Policy to disallow access to OneDrive works but the Deny option does not work as expected

    Question

  • Server 2012 R2

    Office 2013 GPO

    I have created a OneDrive Policy to prevent access to OneDrive as follows:-

    Computer Configuration>Policies>Administrative Templates>Windows Components/SkyDrive

    Policy - Prevent the usage of SkyDrive for Storage

    Setting - Enabled

    User Configuration>Policies>Administrative Templates>Microsoft Office 2013/Miscellaneous

    Policy - Block signing into Office

    Setting - Enabled

    This works as intended but I also added in a OneUsers drive group and set a Deny Group Policy against the permissions.

    This does not have any effect for those that belong to the group who need ODFB, and they have the OneDrive policy applied.

    Can anyone advise?





    Saturday, July 25, 2015 1:42 PM

Answers

  • Hi Martin,

    Just confirm the GPO setting to restrict access to OneDrive is only at the Computer Configuration level.

    So

    Computer Configuration>Policies>Administrative Templates>Windows Components/SkyDrive

    Policy - Prevent the usage of SkyDrive for Storage

    I now have this working. The Deny policy was in fact working all the time.

    It was down to a conflicting Office 2013 GPO setting, namely:-

    User Configuration>Policies>Administrative Templates>Microsoft Office 2013>Tools | Options | General | Service Options...

    Policy - Online Content

    This was Enabled and set to Do Not Allow Office to Connect to the internet

    Reverting this back to Not Configured restored my granular access.


    Monday, July 27, 2015 4:26 PM

All replies

  • Hi Christopher,

    This works as intended but I also added in a OneUsers drive group and set a Deny Group Policy against the permissions.

    Not sure if I understood correctly. You said you enabled the setting to prevent the usage of SkyDrive for Storage, and you denied this policy being applied to a group. When you deny it being applied for a certain group, this GPO you configured to prevent usage of SkyDrive will basically allow users in that group to use SkyDrive.

    -Umesh.S.K

    Saturday, July 25, 2015 1:51 PM
  • Hi Umesh,

    You are correct.

    So here is the intention:-

    For Domain Users :- No access to OneDrive

    For Domain Admins and users in the OneDrive Users group:- Access to OneDrive

    To do this I have to prevent the use of OneDrive by ENABLING the policy.

    In order to exclude the Domain Admins and the OneDrive users, I have to tick the DENY Group Policy option under Delegation and Advanced. 




    Saturday, July 25, 2015 3:18 PM
  • What is the exact issue? You want to block other users from accessing OneDrive, and users in the group should be able to access OneDrive. That is achieved and it works fine, correct? What is the actual requirement?

    -Umesh.S.K

    Saturday, July 25, 2015 4:15 PM
  • The problem I have is the policy is blocking OneDrive for all users. Including those in the User group who have a Deny against the policy. So the Deny feature is not working. I need to provide granular access to OneDrive and I cannot.
    Saturday, July 25, 2015 5:30 PM
  • Can you run "gpresult /h c:\onedrive.html" and provide the result? Did you check which policy is winning?

    -Umesh.S.K

    Saturday, July 25, 2015 5:37 PM
  • > This works as intended but I also added in a OneUsers drive group and
    > set a Deny Group Policy against the permissions.
    >
    > This does not have any effect for those that belong to the group
    > who needs ODFB and they have the OneDrive applied.
     
    As pointed out: gpresult will tell you not only which GPOs applied, but
    also the security groups the user was a member of when GPOs were
    applied. Check both.
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, July 27, 2015 12:32 PM
  • Opened a case with Microsoft Support.

    Their response was as follows:-

    It is not possible to use the Deny Policy option for GPO related to the Computer Configuration.

    So in other words, it is all or nothing.

    The case has now been forwarded to the Office team for further analysis.

    I will keep this thread updated.

    Monday, July 27, 2015 2:09 PM
  • > It is not possible to use the Deny Policy option for GPO related to
    > the Computer Configuration.
     
    Ah - this is a computer setting? The "Deny" option in fact IS usable in
    computer GPOs, but for obvious reasons this does not work for user
    groups, only for computer groups...
     

    Greetings/Grüße, Martin

    Monday, July 27, 2015 3:06 PM
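
The gpresult check suggested in the replies above, as an added example that is not part of the original thread: it writes the XML form of the report and lists, separately for the computer and user scopes, each GPO with its filtering result and the security groups evaluated. The element names it reads (ComputerResults, UserResults, GPO, Name, AccessDenied, FilterAllowed, SecurityGroup) and the report file name are assumptions about the report layout, not values from the thread.

```powershell
# Added example, not from the thread. Run elevated on the affected machine,
# logged on as the affected user, so computer and user results are both present.
$report = Join-Path $env:TEMP 'onedrive-rsop.xml'   # hypothetical file name
gpresult /x $report /f | Out-Null                   # /x = XML report, /f = overwrite
$rsop = [xml](Get-Content -Path $report -Raw)

# Assumption: the element names below match the gpresult XML report layout.
# local-name() is used so the XML namespaces in the report do not matter.
function Get-ChildText($node, $name) {
    $child = $node.SelectSingleNode("*[local-name()='$name']")
    if ($child) { $child.InnerText } else { $null }
}

foreach ($scope in 'ComputerResults', 'UserResults') {
    $root = $rsop.SelectSingleNode("//*[local-name()='$scope']")
    if (-not $root) {
        Write-Warning "$scope missing from the report (was the prompt elevated?)"
        continue
    }

    "== $scope =="
    # One row per GPO considered for this scope, with its security-filter outcome.
    $root.SelectNodes("*[local-name()='GPO']") | ForEach-Object {
        [pscustomobject]@{
            GPO           = Get-ChildText $_ 'Name'
            AccessDenied  = Get-ChildText $_ 'AccessDenied'
            FilterAllowed = Get-ChildText $_ 'FilterAllowed'
        }
    } | Sort-Object GPO | Format-Table -AutoSize

    # Group membership as it was evaluated when policy was processed for this scope.
    "Security groups evaluated for $scope :"
    $root.SelectNodes("*[local-name()='SecurityGroup']") |
        ForEach-Object { '  ' + (Get-ChildText $_ 'Name') }
}
```

Reading the two scopes side by side shows whether the OneDrive GPO was filtered for the computer account or for the user account, which is the distinction the reply above draws between user groups and computer groups.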
  • > It was down to a conflicting Office 2013 GPO setting, namely:-
     
    Thanks for clarification :)
     
     

    Greetings/Grüße, Martin

    Tuesday, July 28, 2015 7:39 AM