Share via

Create A GPO to disable USB Storage Devices

Anonymous
2023-12-07T10:02:09+00:00

Create A GPO to disable USB Storage Devices.

Hi All, newly setup environment. ON prem AD syncing to AAD

I need block access to all USB Removable storage devices but allow some users to have access.

My idea is to create the policy and link it to the computers OU, then under the policy delegation add a security group with users and deny the "Apply Group Policy." to that group. So, they will be exempt from the policy.

By doing this, if a user that has been assigned access via that group, logs in to any workstation, they will have access to USB Storage?

Even though the policy is assigned to workstations.

Keeping in mind of allowing all other peripherals like Keyboard, mouse for all users , just blocking storage devices

Thank you.

Desigan

Windows Server Identity and access Deploy group policy objects

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

10 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2023-12-08T05:08:34+00:00

    Hello Desigan Reddy,

    To create a GPO to disable USB storage devices, you can follow these steps:

    1. Open the Group Policy Management Console (GPMC) and create a new GPO.
    2. Name the GPO and link it to the appropriate OU.
    3. Navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
    4. Double-click on "Removable Disks: Deny execute access" and select "Enabled."
    5. Click on "OK" to save the changes.
    6. Double-click on "Removable Disks: Deny read access" and select "Enabled."
    7. Click on "OK" to save the changes.
    8. Double-click on "Removable Disks: Deny write access" and select "Enabled."
    9. Click on "OK" to save the changes.
    10. Close the Group Policy Management Editor.
    11. Apply the GPO to the appropriate OU.

    Regarding your question about allowing some users to have access to USB storage, you can create a security group and add the users who need access to it. Then, you can deny the "Apply Group Policy" permission to that group in the GPO delegation settings. This will exempt those users from the policy and allow them to access USB storage devices.

    I hope this helps! Let me know if you have any further questions.

    Best regards,

    Qiuyang

    7 people found this answer helpful.
    0 comments
  2. Anonymous
    2023-12-08T06:12:07+00:00

    Hi Qiuyang Xi

    Thank you for that. So I should attach the group policy to the computers OU?

    Then for the exclusions, I add users to a security group and deny the "Apply Group Policy" permission.

    Thank you

    0 comments
  3. Anonymous
    2023-12-08T06:20:10+00:00

    Hello Desigan Reddy,

    Yes, you can attach the group policy to the Computers OU to apply it to all computers in that OU. And for the exclusions, you can create a security group and add the users you want to exclude, then deny the "Apply Group Policy" permission for that group in the Delegation tab of the Group Policy Management Console. Let me know if you have any other questions or concerns!

    Best regards,

    Qiuyang

    2 people found this answer helpful.
    0 comments
  4. Anonymous
    2023-12-08T08:58:05+00:00

    Much Appreciated, thank you.

    0 comments
  5. Anonymous
    2023-12-08T09:31:28+00:00

    Hello Desigan Reddy,

    You are welcome ! if you have any other questions you can always reply, wish you have a good day!

    Best regards,

    Qiuyang

    0 comments