Group Policy to Deny Write Access to USB Devices

Keslaa

Hello. I am looking for a way to prevent writing to all removable devices. I have found the setting in group policy and enabled it. However, admin credentials are requested and if entered correctly, the user can write to the external drive. I want to configure this to allow writing to a removable device ONLY if the user is in the correct security group or a member of the domain administrators. In other words, this policy would apply to all users and be denied to the security group. Thanks for your time.

Almost forgot: We are still in a 2003 domain, although most of our DCs are now Windows 2008 R2. This policy would apply only to users logging in to our Windows 7 machines.
 
Thank you for the response. I set up your recommendations and they worked. Previously, I was applying these settings under the User Configuration group policy.

What I was directed to do, however, was to find a way to block writing only to the removable disk. If I change the above settings and only enable Deny write access, the user can still enter admin credentials to bypass this restriction. Is it possible to completely block writing only with no admin-level bypass?
 

Not that I've been able to find. Maybe someone else has some ideas?
 

Do your users actually have administrator credentials? (i.e., can enter the administrator's password?)
 

I have this set up on our Windows 2008 R2 functional level domain at work, under computer configuration just as Ztruker directed. The only way our users, admins or not, can access a removable device is if their PC is added to the exception list that we have as a separate GPO nested under the primary one that disables removable devices.

When you say they can access them by using admin credentials, 1. Are the users in fact admins? 2. How is this prompted? Do they get a UAC prompt when plugging the device in?
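
The thread turns on whether the deny-write setting is applied under Computer Configuration or User Configuration. The PowerShell check below is an added example, not code from any poster: run on a Windows 7 client, it reports whether the "Removable Disks: Deny write access" policy value is present in the machine hive, the current user's hive, or neither. It assumes the registry path and value name written by the Removable Storage Access administrative template; the function name `Get-DenyWriteState` is hypothetical.

```powershell
# Added example, not from the thread. Works on PowerShell 2.0 (Windows 7).
# Assumption: the Removable Storage Access template stores the setting as
# the DWORD value Deny_Write under the removable-disk device class key.
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$SubKey = "Software\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"

function Get-DenyWriteState {          # hypothetical helper name
    param([string]$Hive)               # 'HKLM' (computer) or 'HKCU' (user)

    $path = "${Hive}:\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) { return 'NotConfigured' }

    $item = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
    if ($item -eq $null -or $item.Deny_Write -eq $null) { return 'NotConfigured' }

    if ($item.Deny_Write -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$machine = Get-DenyWriteState -Hive 'HKLM'   # Computer Configuration result
$user    = Get-DenyWriteState -Hive 'HKCU'   # User Configuration result

# One record per client, suitable for collecting across machines.
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    User          = "$env:USERDOMAIN\$env:USERNAME"
    MachinePolicy = $machine
    UserPolicy    = $user
}

if ($machine -ne 'Enabled' -and $user -eq 'Enabled') {
    # The value exists only in this user's hive, so it is tied to this
    # account rather than to the computer.
    Write-Warning ('Deny write is set per user only on this client; ' +
                   'it is not enforced for other accounts unless the GPO also applies to them.')
}
elseif ($machine -eq 'Enabled') {
    Write-Output 'Deny write is enforced at computer level for every account on this client.'
}
else {
    Write-Warning 'Deny write for removable disks is not enabled on this client.'
}
```

`HKCU` reflects the account running the script, so run it in the session of the user being checked rather than from an elevated prompt opened with other credentials.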
 
