Block USB and CD-ROM Using GPO

    Question

  • I have a problem with blocking USB storage devices and CD drives for certain domain users. I want to restrict some domain users from accessing USB storage devices and CD drives but allow all others, so that if the restricted group tries to access any PC, they can't use USB or CD-ROM while the others can.

    I tried many ways but I failed, such as using the GPO to change a system file or the registry, but these ways block the whole machine, not only the restricted users.

    I need to block the use of USB and CD on all machines for all users except the administrators (Domain and Local).

    Can anyone help me with this issue?


    Sunday, July 26, 2009 6:21 AM

Answers

  • Still I don't know what you tried so far... please make clear if it was option 1 or 2.
    For option 1 keep in mind that these policies are machine related ("Computer Configuration").
    That means you can apply it to computer accounts only and NOT to user objects. This might be the reason why the settings are missing if you only add user accounts to the GPO apply permission. Also it is important to understand that "Computer Configuration" settings are machine wide, independent from the user that logs on.
    I can understand what you plan to do and confirm that this is a common requirement.
    Unfortunately the built-in support for that is not what we'd like it to be.
    Currently I see option 2 (GPP) as the only option to make it happen the way you need it.

    Patrick
    Sunday, July 26, 2009 8:04 PM

All replies

  • In general, there are these options to block access to USB/CDROM devices:

    For the "old world" (XP and downwards):
    http://support.microsoft.com/kb/555324

    For all newer OS (starting with Vista):

    1. New policies for "Removable storage devices":
    http://www.microsoft.com/whdc/device/storage/remstorperms.mspx
    http://technet.microsoft.com/en-us/magazine/cc138012.aspx

    2. GP Preferences (GPP):
    Works for XP Clients as well, but needs Vista/Win2008 as management station.
    http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790&displaylang=en
    http://technet.microsoft.com/en-us/library/cc731665.aspx

    The GPP way also works for "User Configuration", but has the disadvantage that it is not a true policy
    and that there is no way to specify individual device IDs (you need the device to be present on the management station).

    Which way have you tried already?



    Patrick
    Sunday, July 26, 2009 7:53 AM
  • Dear,

    I tried that and the USB and CD/DVD were blocked on all machines and for all users.
    I want to apply it to all users except the administrators. I want to know where the error in my work is.
    What about the security filter in GPMC, which tells me the group that listens to the policies?

    I await your reply.
    Sunday, July 26, 2009 9:16 AM
  • Dear,

    When I tried using security filtering to apply the policy to the selected users and ran the command rsop.msc, I didn't find the Administrative Templates.
    And when I put Authenticated Users in the security filter, it works fine but blocks overall.

    I want to add the users to the security filter and have it work fine.

    I find that it is logical to block the devices for the normal user and allow them for administrators on the same machine, but I can't configure it. Can you help me?
    Sunday, July 26, 2009 9:45 AM
  • Hello,

    See if this procedure can help you.

    WebCast - GPO - Blocking Hardware Devices - http://bit.ly/batSc1

    If it is useful, don't forget to rate it.

    Best regards,

    Jordano Mazzoni


    http://jordanomazzoni.com.br Was this information useful to you? Rate it http://twitter.com/jordanomazzoni
    Tuesday, September 28, 2010 7:21 PM
  • Hello Friend,

    I am facing the same problem; if you found the solution, please let me know. Third-party software gives a good solution for this problem. The software's name is GFI EndPointSecurity. If you are interested, try it.

    thanks.

    R.Kovendan

    Friday, December 30, 2011 2:39 PM