How to block USB storage devices in a 2016/2012 domain with Group Policy. – wintips.org

This guide provides step-by-step instructions on how to block USB storage devices for the entire domain or for specific domain users, using Group Policy in an Active Directory 2016 or 2012 domain. More specifically, after reading this guide you will know how to prevent access to any USB storage device (flash drives, external hard drives, smartphones, tablets, etc.) that is connected to any computer in the domain, or how to deny access to USB storage only for specific domain users.

Today, most of us use a USB storage device to transfer data. For an organization, however, the ability of its employees to use external storage devices may involve security risks, such as the distribution of malware or the interception of confidential information. To avoid these risks, you can use Group Policy to block access to USB storage devices for all users and computers in your domain, or only for certain domain users. *

*Notes:
1. In this post, to block USB drives through Group Policy, we used an Active Directory 2016 domain controller to create the new Group Policy, and Windows 10 Pro and Windows 7 Pro workstations to deploy it.
2. The “Block USB Access” policy does not affect domain administrators or other connected USB devices such as USB keyboards, mice, printers, etc.

3. After you apply the Group Policy, users will not be able to access any type of USB storage device and will receive an error message when they try to access a USB storage device on their PC.

How to use Group Policy to prevent access to USB storage devices (Server 2012/2012R2/2016)

Part 1. How to block access to USB storage devices across an entire 2016 domain.

To disable access to a USB storage device connected to any computer (user) in the domain:

1. On the Server 2016 AD domain controller, open Server Manager and then, from the Tools menu, open Group Policy Management. *

* Alternatively, go to Control Panel -> Administrative Tools -> Group Policy Management.


2. Under Domains, select your domain, then right-click Default Domain Policy and select Edit.


3. In the Group Policy Management Editor, navigate to:

  • User Configuration > Policies > Administrative Templates > System > Removable Storage Access

4. In the right pane, double-click Removable Disks: Deny read access. *

*Notes:
1. Many tutorials suggest enabling the "All Removable Storage classes: Deny all access" policy at this point, but during our testing we found that this policy does not apply to smartphones or tablets.
2. If you want to block USB write access, select Removable Disks: Deny write access.


5. Check Enabled and press OK.


6. Close Group Policy Editor.
7. Restart the server and the client machines, or run the gpupdate /force command, to apply the new Group Policy settings (without a restart) on both the server and the clients.

Part 2. How to prevent specific domain users from accessing USB storage devices.

To disable access to USB storage devices only for specific users using Group Policy, you must create a group containing the users who should not have access to USB storage devices, and then apply a new policy to this group. To do this:

Step 1. Create a group with the USB-disabled users. *

*Note: If you have already created a group with the USB-disabled users, skip to step 2.

1. Open Active Directory Users and Computers.
2. In the left pane, right-click the "Users" object and select New > Group.


3. Enter a name for the new group (for example, “USB Disabled Users”) and click OK. *

*Note: Check the “Global” and “Security” options.


4. Open the newly created group, select the Members tab and click Add.


5. Now select the domain user(s) for whom you want to block USB storage devices and click OK.


6. Click OK to close the group properties.


Step 2. Create a new Group Policy Object to block USB storage devices.

1. Open Group Policy Management.
2. Under Domains, right-click your domain and select Create a GPO in this domain, and Link it here.


3. Enter a name for the new GPO (for example, “USB Disabled”) and click OK.


4. Right-click the new GPO and click Edit.


5. In the Group Policy Management Editor, navigate to:

  • User Configuration > Policies > Administrative Templates > System > Removable Storage Access

6. In the right pane, double-click Removable Disks: Deny read access. *

*Notes:
1. Many tutorials suggest enabling the "All Removable Storage classes: Deny all access" policy at this point, but during our testing we found that this policy does not apply to smartphones or tablets.
2. If you want to block USB write access, select Removable Disks: Deny write access.


7. Check Enabled and click OK.


8. Close the Group Policy Management Editor window.

9. Go back to Group Policy Management, select the USB Disabled GPO and, on the Scope tab, click the Add button (under the "Security Filtering" settings).


10. Enter the name of the group with the USB-disabled users (for example, "USB Disabled Users" in this post) and click OK.


11. When done, select the Delegation tab.


12. On the Delegation tab, select Authenticated Users and click Advanced.


13. In the Security options, select Authenticated Users and clear the Apply group policy checkbox. When done, click OK.


14. Close the Group Policy Editor.
15. Restart the server and the client machines, or run the "gpupdate /force" command (as an administrator), to apply the new Group Policy settings (without restarting) on both the server and the clients.
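
Part 2 scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the original guide. It assumes the setting is written through its policy registry value (Deny_Read under the removable-disks device class key) rather than through the editor; the member names are placeholders, and Test-UsbReadBlocked is a hypothetical helper for checking a workstation afterwards.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Run on the domain controller (or a host with RSAT) as a domain administrator.
$GroupName = 'USB Disabled Users'   # group name used in Step 1
$GpoName   = 'USB Disabled'         # GPO name used in Step 2
$Members   = @('jdoe', 'asmith')    # placeholder account names, replace with real users

# Registry value behind "Removable Disks: Deny read access" (User Configuration).
# {53f5630d-...} is the Windows device class GUID for removable disks.
$ClassKey = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Step 1: global security group holding the users to block.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$existing = (Get-ADGroupMember -Identity $GroupName).SamAccountName
$toAdd = @($Members | Where-Object { $_ -notin $existing })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# Step 2: create the GPO, link it at the domain root, enable the setting.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    New-GPLink -Name $GpoName -Target (Get-ADDomain).DistinguishedName | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key "HKCU\$ClassKey" -ValueName 'Deny_Read' -Type DWord -Value 1 | Out-Null
# For "Removable Disks: Deny write access", set 'Deny_Write' to 1 the same way.

# Security filtering: the group applies the GPO; Authenticated Users keep Read only,
# which matches clearing "Apply group policy" on the Delegation tab.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review who can apply the GPO before relying on it.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission

# Workstation check: run as a member of the group after gpupdate /force.
function Test-UsbReadBlocked {
    $v = Get-ItemProperty -LiteralPath "HKCU:\$ClassKey" -Name 'Deny_Read' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Deny_Read -eq 1)
}
```

The same account can also confirm that the GPO is listed under its applied Group Policy Objects with gpresult /r /scope:user.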
