Windows 7 enable/disable USB per group

    Question

  • Hi all,

    How can I disable all USB devices and enable some users or machines per security group?

    I found the following answer on Google, but how can I exclude a lot of computers?

    Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access

    Removable Disks: Deny execute access  Enabled
    Removable Disks: Deny read access    Enabled
    Removable Disks: Deny write access   Enabled
    

    Chris
    Thursday, November 25, 2010 2:20 PM

Answers

  • Create two GPOs and link them to the computer OU or below. One is for disabling USB devices, the other for enabling. In GPMC, on the policy for enabling USB devices, open the Scope tab. In the lower pane, Security filtering, remove the default entry and add the AD group with the computers where USB devices should be allowed.

    In GPMC, on the computer OU, Linked Group Policy Objects tab, make sure the Allow USB policy has higher precedence (lower number) than the Disallow USB policy.

    The same logic can be used for users by using the same settings under User Configuration and adding policies to the user OU.

    Thursday, November 25, 2010 2:38 PM
  • Hi,

    Eirik is right here. Or you can create 1 GPO to enable the settings to deny read/execute/write access and filter out all client computers/user accounts which you want to enable Removable Disks access for.

    Friday, November 26, 2010 7:16 AM
    Moderator
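
The two-GPO setup from the first answer, scripted with the GroupPolicy PowerShell module as an added example (not part of the thread). The OU path, GPO names and group name are hypothetical; the registry key is the one the Removable Disks deny policies write to.

```powershell
# Added example. OU, GPO names and group name are hypothetical placeholders.
# On Server 2008 R2 the permission cmdlets are named Set-/Get-GPPermissions.
Import-Module GroupPolicy

$ou         = 'OU=Workstations,DC=example,DC=com'  # hypothetical computer OU
$denyGpo    = 'USB Storage - Deny'                 # hypothetical GPO name
$allowGpo   = 'USB Storage - Allow'                # hypothetical GPO name
$allowGroup = 'USB-Allowed-Computers'              # hypothetical group of computer accounts

# Key written by "Removable Disks: Deny read/write/execute access"
$key    = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$values = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

New-GPO -Name $denyGpo  | Out-Null
New-GPO -Name $allowGpo | Out-Null

foreach ($v in $values) {
    # 1 = deny policy Enabled, 0 = deny policy Disabled (access permitted)
    Set-GPRegistryValue -Name $denyGpo  -Key $key -ValueName $v -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $allowGpo -Key $key -ValueName $v -Type DWord -Value 0 | Out-Null
}

# Security filtering on the allow GPO: drop Apply for Authenticated Users but
# keep Read, so clients can still read the GPO, then grant Apply to the group.
Set-GPPermission -Name $allowGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $allowGpo -TargetName $allowGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link both to the OU. Link order 1 has the highest precedence, so the allow
# GPO overrides the deny GPO on machines that pass the security filter.
New-GPLink -Name $allowGpo -Target $ou -Order 1 | Out-Null
New-GPLink -Name $denyGpo  -Target $ou -Order 2 | Out-Null

# Check the result: link order on the OU and who can apply the allow GPO.
(Get-GPInheritance -Target $ou).GpoLinks |
    Sort-Object Order | Format-Table Order, DisplayName, Enabled
Get-GPPermission -Name $allowGpo -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The deny GPO keeps its default filter (Authenticated Users with Apply), so every computer in the OU that is not in the group still gets the three deny settings.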

All replies

  • Hi Miles,

    What do you mean by "filter out"? How can I exclude a user from the all authenticated users GPO delegation?

    chris


    Chris
    Friday, November 26, 2010 8:04 AM
  • Hi Eirik, I would like to have the option of creating a security group with users that have permission to run USB devices and the option to log onto a system that has the deny for all but allow for USB users to the usbstor.inf and usbstor.pnf. The problem I have is if users log onto a system that has USB enabled they will then be allowed to remove data.

    I have tried a number of workarounds but the biggest problem I am faced with is the HKLM\ setting to stop usbstor, as how do I apply this to a user policy at login and not have to reboot the system for the computer policy to make the change?

    Tuesday, November 30, 2010 8:04 AM
  • Hi Chris,

    To exclude a user from all authenticated user GPO delegation, you can add an explicit DENY entry to prevent the user(s) from applying this GPO.

    Friday, December 03, 2010 8:17 AM
    Moderator
  • Hi Miles,

    Sorry, but I don't understand you. There is no deny under delegation - only read, edit settings, and edit settings/delete/modify settings.

    I think we need two GPs - one that disables USB (delegation authenticated user) and one that enables USB (a lot of admins).

    Chris
    Friday, December 03, 2010 8:57 AM