Group policy on Administrative template is not working

    Question

  • Dear All,

    I have a problem with my GPO application on a user OU.

    I want to block access to USB removable storage and CDROM drive to all authenticated users, but it is not working.

    Getting result from client by using command gpresult /v:

    PS C:\Users\SOPHEA.CHHUN> gpresult /v

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    © 2013 Microsoft Corporation. All rights reserved.

    Created on 11/02/2016 at 1:29:46 PM


    RSOP data for ADCPBANK\SOPHEA.CHHUN on IT006 : Logging Mode
    ------------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.3.9600
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\SOPHEA.CHHUN
    Connected over a slow link?: No


    USER SETTINGS
    --------------
        CN=SOPHEA CHHUN,OU=CPB-HO-Users,OU=CPB-Users,DC=xxxx,DC=com
        Last time Group Policy was applied: 11/02/2016 at 12:40:52 PM
        Group Policy was applied from:      xxxx.xxxxx.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        xxxxx
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Block Command Prompt
            Block USB-CDROM
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            INFRA GROUP
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Users
            Organization Management
            VPN Group
            HO-IT-NSD-Users
            All CPB Head Office User
            HO-IT-Users
            Head Office-Users
            CPB Recipient Management
            G_HEADOFFICE
            DnsAdmins
            G_IT
            G_IT_INF
            G_HEAD_UNIT
            High Mandatory Level

        The user has the following security privileges
        ----------------------------------------------


        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B1
    08AE}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://10.18.1.39:9095/Browse
    rWebCpb
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46,
     0, 49, 0, 46, 0, 51, 0, 57, 0, 58, 0, 57, 0, 48, 0, 57, 0, 53, 0, 47, 0, 66, 0, 114, 0, 111, 0, 119, 0, 115, 0, 101, 0,
     114, 0, 87, 0, 101, 0, 98, 0, 67, 0, 112, 0, 98, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Restrictions\RestrictPopupExceptionList
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
                    State:       disabled

                GPO: Block Command Prompt
                    Folder Id: Software\Policies\Microsoft\Windows\System\DisableCMD
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\HideLegacyLogonScripts
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\10.18.1.39
                    Value:       49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46, 0, 49, 0, 46, 0, 51, 0, 57, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
                    Value:       49, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\Start Page
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 105, 0, 110, 0, 101, 0, 116, 0, 46, 0,
     97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Suggested Sites\Enabled
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\Use FormSuggest
                    Value:       110, 0, 111, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
                    Value:       49, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D
    4F33}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\adcpbank.com
                    Value:       97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0
    , 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://10.18.9.5
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46,
     0, 57, 0, 46, 0, 53, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\ListBox_Support_Allow
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\AlwaysShowMenus
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
                    Value:       110, 0, 111, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\FormSuggest Passwords
                    Value:       110, 0, 111, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\PowerShell\EnableScripts
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
                    Value:       255, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91e
    fb8b}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\10.18.9.5
                    Value:       49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46, 0, 57, 0, 46, 0, 53, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B1
    08AE}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91e
    fb8b}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D
    4F33}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
                    Value:       49, 0, 56, 0, 48, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://inet.adcpbank.com
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 105, 0, 110, 0, 101, 0, 116, 0, 46, 0,
     97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                    State:       Enabled

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A
    PS C:\Users\SOPHEA.CHHUN>

    However, user still can access USB and CDROM.

    Do I miss something?

    Thanks and kind regards,


    Mr. Sophea Chhun

    Saturday, February 13, 2016 8:02 AM
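
An added example (not part of the original post and not a Microsoft tool): a small Python parser for the Administrative Templates section of the `gpresult /v` output above. It rejoins console-wrapped lines and decodes the byte lists so the `RemovableStorageDevices` entries can be read directly. The function names are hypothetical, and the sample lines are copied from the post with wrap continuations placed at column 0, which is an assumption about the original console layout.

```python
import re
# Lines copied from the output above; wrapped continuations are placed at
# column 0, as a console emits them (an assumption about the original layout).
SAMPLE = r"""
                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91e
fb8b}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled
                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\adcpbank.com
                    Value:       97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0
, 0
                    State:       Enabled
                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
                    State:       disabled
"""

FIELD = re.compile(r"^\s*(GPO|Folder Id|Value|State):\s*(.*)$")

def decode_value(raw):
    """Turn gpresult's decimal byte list into an int or a string."""
    data = bytes(int(tok) for tok in raw.split(",") if tok.strip())
    if len(data) == 4:
        # gpresult omits the registry type: 4 bytes are read here as a
        # little-endian REG_DWORD, though a 1-character REG_SZ looks the same.
        return int.from_bytes(data, "little")
    return data.decode("utf-16-le").rstrip("\x00")

def parse_admin_templates(text):
    """Return one dict per setting: gpo, key, decoded value, state."""
    records, rec, field = [], {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            field, rest = m.groups()
            rec = {} if field == "GPO" else rec
            rec[field] = rest
            if field == "State":  # State is the last field of every entry
                records.append({"gpo": rec.get("GPO"), "key": rec.get("Folder Id"),
                                "value": decode_value(rec["Value"]) if "Value" in rec else None,
                                "state": rest.strip()})
                field = None
        elif field and line.strip():
            rec[field] += line  # wrapped continuation: rejoin unchanged
    return records

def removable_storage(records):
    return [r for r in records if "\\RemovableStorageDevices\\" in (r["key"] or "")]

if __name__ == "__main__":
    for r in removable_storage(parse_admin_templates(SAMPLE)):
        print(r["gpo"], r["key"], r["value"], r["state"], sep=" | ")
```

The parsed result reflects only what RSoP recorded as applied, which is the state the poster describes; it does not show whether the setting is being enforced.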

Answers

  • Hi Sophea,
    What is the operating system of the problematic computer?
    Here is a KB regarding the Removable Storage Access policy not working correctly on a client computer that is running Windows Vista or Windows Server 2008.
    Please see the link as below and have a try: https://support.microsoft.com/en-us/kb/2214863

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Chhun Sophea Sunday, February 21, 2016 1:43 PM
    Monday, February 15, 2016 7:57 AM
    Moderator

All replies

  • Try to create computer policy instead of user policy

    Regards,

    MC Manikandan

    Saturday, February 13, 2016 10:03 AM
  • Dear, Manikandan

    Computer setting for USB blocking is working fine!

    However, my situation is blocking by using user-based rather than computer-based.

    Regards,

    Sophea


    Mr. Sophea Chhun

    Saturday, February 13, 2016 10:49 AM
  • Greetings,

    Please check this MSDN guidance... article

    https://msdn.microsoft.com/en-us/library/bb530324.aspx#grouppolicydeviceinstall_topic3c

    Thanks

    Saturday, February 13, 2016 11:13 AM
  • Greeting,

    It is a full library for configuring, and I read this once already.

    I follow the scenario, however, I run RSOP.msc command on client PC which applied user to see the GPO result set.

    I found that User Configuration\Administrative Templates\System\Removable Storage Access

    Deny Write and Read state are Enabled for all removable storage classes.

    I don't know why this setting is not taking effect for currently logged on AD user.

    Regards,


    Mr. Sophea Chhun

    Saturday, February 13, 2016 11:44 AM
  • Please read the below KB completely; you may have to uninstall the existing drivers completely from the machine. (The USB storage drivers which are already installed in the machine, in order to make the GPO work.)

    https://technet.microsoft.com/en-us/library/cc731387(v=ws.10).aspx

    Regards,

    MC Manikandan


    • Edited by MC Manikandan Saturday, February 13, 2016 7:41 PM Updated the right link
    • Proposed as answer by MC Manikandan Saturday, February 13, 2016 7:41 PM
    Saturday, February 13, 2016 7:40 PM
  • Hi Wendy,

    It is all about USB device class installing rule.

    What I mean here is not regarding any existing or new USB device driver we need to block or allow; I just want to block access (read/write) to all removable USB drives for specific AD users.

    And if I try to go to client PC and go to local GP (gpedit.msc), then change the setting of user to block USB, it works.

    But when I try gpresult /r it shows that Local Group Policy is filtered out (unknown).

    Any idea on this?

    Regards,

    Sophea


    Mr. Sophea Chhun

    Monday, February 15, 2016 11:49 AM
  • Hi,

    >> And if I try to go to client PC and go to local GP (gpedit.msc), then change the setting of user to block USB, it works.
    But when I try gpresult /r it shows that Local Group Policy is filtered out (unknown).

    I have tested locally in my lab environment. I rebooted the computer, then ran gpresult /r. It showed correctly then.




    Wednesday, February 17, 2016 9:01 AM
    Moderator
  • Hello,

    The GPO setting is applied from server to client but the setting is not executing...

    Regards,


    Mr. Sophea Chhun

    Thursday, February 18, 2016 6:26 AM
  • Hi all,

    I have just asked someone (MCT) and another local MS-certified guy; they said that this problem is caused by an incompatible version between client and server.

    Client Win8.1 Pro, Server Win2008R2.

    Do you have any feedback on this idea?

    Thanks and kind regards,


    Mr. Sophea Chhun

    Saturday, February 20, 2016 10:16 AM