Group Policy to Deny Write Access to USB Devices


  1. Keslaa
    Posts : 5
    Windows 7 Enterprise 64-bit
       New #1

    Group Policy to Deny Write Access to USB Devices


    Hello. I am looking for a way to prevent writing to all removable devices. I have found the setting in group policy and enabled it. However, admin credentials are requested and if entered correctly, the user can write to the external drive. I want to configure this to allow writing to a removable device ONLY if the user is in the correct security group or a member of the domain administrators. In other words, this policy would apply to all users and be denied to the security group. Thanks for your time.

    Almost forgot: We are still in a 2003 domain, although most of our DCs are now Windows 2008 R2. This policy would apply only to users logging in to our Windows 7 machines.
    Last edited by Keslaa; 19 Jun 2012 at 13:08. Reason: Clarification
      My Computer
    Quote Quote

  3. Ztruker
    Posts : 6,285
    Windows 10 Pro X64
       New #2

    From Disable-Enable USB sticks and limit access to USB storage devices « 7explications's Blog

    Block USB in Windows 7 using Group Policy
    Computer Configuration > Administrative Templates > System > Removable Storage Access
    Removable Disks: Deny execute access Enabled
    Removable Disks: Deny read access Enabled
    Removable Disks: Deny write access Enabled
      My Computer
    Quote Quote

  4. Keslaa
    Posts : 5
    Windows 7 Enterprise 64-bit
    Thread Starter
       New #3

    Thank you for the response. I set up your recommendations and they worked. Previously, I was applying these settings under the User Configuration group policy.

    What I was directed to do, however, was to find a way to block writing only to the removable disk. If I change the above settings and only enable Deny write access, the user can still enter admin credentials to bypass this restriction. Is it possible to completely block writing only with no admin-level bypass?
      My Computer
    Quote Quote

  6. Ztruker
    Posts : 6,285
    Windows 10 Pro X64
       New #4

    Not that I've been able to find. Maybe someone else has some ideas?
      My Computer
    Quote Quote

  7. logicearth
    Posts : 5,642
    Windows 10 Pro (x64)
       New #5

    Do your users actually have administrator credentials? (i.e., can enter the administrators password?)
      My Computer
    Quote Quote

  8. doubled822
    Posts : 150
    Windows 7 Ultimate x64, BackTrack Linux 5 R2, Windows XP
       New #6

    I have this set up on our Windows 2008 R2 functional level domain at work, under computer configuration just as Ztruker directed. The only way our users, admins or not, can access a removable device is if their PC is added to the exception list that we have as a separate GPO nested under the primary one that disables removable devices.

    When you say they can access them by using admin credentials, 1. are the users in fact admins? 2. How is this prompted? Do they get a UAC prompt when plugging the device in?
      My Computer
    Quote Quote

 

  Related Discussions
Hello: Once a month, I backup my laptop's files to an external hard drive. But, about three months ago, my company enabled Group Policy to where none of us employees are able to plug external hard drives into our USB ports. Is there a way of overriding this policy? If not, is there a way...
One of my user accounts have been getting the error above after a shutdown. I tried system restore but it did not work. I have tried disabling non-windows service on startup and that didn't work Can someone help me please!!
usb deny write access problem
in General Discussion

hello, my first post here..my problem is as follows... I have a win7 peer2peer netwrk with 10 computers To block usb write access i created 3 accounts on each machines superAdmin :(administrator acc) full rights localAdmin : (administrator acc) Removable disk :deny write access policy...
I have set some access limits on some programs, but the user that has the limits can run the Local Group Policy Editor and change the settings. How do I prevent access by other users to the Local Group Policy Editor? Thanks for the help.
I want to disable the default reboot after Windows runs unattended updates as this often prevents my overnight backup from running. I have tried using the gpedit.msc routine to access the Local Computer Policy Editor but apparently that does not work in Win 7 Home Premium which I have. Is...
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 01:55.
Find Us