Several people spent several hours reading TechNet tutorials and various other how-to guides, and were not able to get a GPO to effectively block USB access for users in a security group.
I managed to construct a working USB-blocking GPO and would like to save people some headaches by posting a complete start-to-finish guide for Group Policy beginners that fills in the various gaps.
1- Create a Security Group
Create a security group with a descriptive name like NoUSB or DisableUSB.
2- Create a GPO
Open the Group Policy Management console and create a new Group policy object. Also give this a descriptive name like No USB or Disable USB.
3- Security Filtering
Select the group policy object and, on the Scope tab, add the recently created security group (in my case NoUSB) to the Security Filtering section.
4- Change Permissions
Switch to the Delegation tab and select Advanced. Once in the advanced view, remove the apply permission from the "Authenticated Users" group by making sure the box in red is unchecked.
5- Choose GPO Settings
From GPME expand User Configuration -> Policies -> System -> Removable Storage.
Here is where we will actually choose what we want to disable. In my case I only wish to block access to removable disks so I will enable "Removable Disks: Deny read access" and "Removable Disks: Deny write access".
After selecting the devices you would like to disable, close GPME. We are all done configuring the group policy settings.
6- Linking the GPO
Link this GPO to the Users OU for your organization.
7- Test
Create a test user and add them to your newly created NoUSB security group.
Log into a workstation and attempt to insert a removable disk (flash drive, external hard drive, etc.). You should be blocked from opening the device.
To make sure the policy only applies to users in the security group, also log in on the same PC with a user account that does not belong to the NoUSB group and attempt to open the removable disk. You should be able to open it successfully.
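The same steps scripted in PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, uses a placeholder OU path, and assumes the two "Removable Disks" settings are stored as the Deny_Read and Deny_Write values under the RemovableStorageDevices policy key for the disk device class GUID shown in the script.

```powershell
# Added example: scripted form of steps 1-7. Run as a domain admin on a host with RSAT.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'NoUSB'                        # group name used in step 1
$GpoName   = 'Disable USB'                  # GPO name used in step 2
$UsersOU   = 'OU=Users,DC=example,DC=com'   # placeholder: replace with your Users OU

# Step 1: create the security group
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security

# Step 2: create the GPO
New-GPO -Name $GpoName | Out-Null

# Step 3: security filtering, the NoUSB group may read and apply the GPO
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 4: Authenticated Users keep Read but lose Apply
# (-Replace is what allows the downgrade from GpoApply to GpoRead)
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 5: user-side "Removable Disks: Deny read/write access"
# Assumption: the policy values live under the disk device class GUID below.
$Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\' +
       '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($Value in 'Deny_Read', 'Deny_Write') {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value `
        -Type DWord -Value 1 | Out-Null
}

# Step 6: link the GPO to the Users OU
New-GPLink -Name $GpoName -Target $UsersOU | Out-Null

# Check the result before testing: only NoUSB should show GpoApply
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
Get-GPRegistryValue -Name $GpoName -Key $Key | Select-Object ValueName, Value

# Step 7: add a test account to the group, then verify in that user's session
# Add-ADGroupMember -Identity $GroupName -Members 'testuser'   # placeholder account
# gpupdate /target:user /force
# gpresult /r /scope:user      # the GPO should be listed as applied
```

Group membership is evaluated at logon, so the test user must log off and back on after being added to the group before `gpresult` will list the GPO as applied.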
Conclusion
By following the steps above you will effectively disable USB mass storage access for any users in the NoUSB security group.
I strongly advise not testing this out in a live production environment in case you configure anything incorrectly. My advice is provided as is and I am not responsible for any damage you may cause while attempting to set this up.