Enable USB ports blocked by active directory policy

Question

I have a GPO in my active directory that restricts USB device connections to all client machines in the company, at this time I needed to connect a camera via USB to access the video recordings, to access the camera is necessary to move the client machine to an organizational unit that does not have the USB restriction GPO, I would like to know if there is some kind of configuration either on the client machine or in the GPO that allows me to connect only that camera via USB port. Thank you in advance for your help.

Answer 1

Most of the time, what the GPO does is blocking USB Storage Device. So it should not affect other devices unless they also have a USB Storage presentation. But an export of the effective GPO will tell us (you can generate this with the command gpresult /h GPO.html).
But maybe that's not a GPO that is blocking the ports, and you might have other products (or BIOS features) which go further than just disabling USB storage.

Answer 2

Hi @Eduar Muñoz Murcia

You can deny certain types of device access. For example, you can restrict USB storage devices but allow other types of USB device. This may work for you depending on the reason why you’re restricting USB?

Open Computer Configuration => Administrative Templates => System => Removable Storage Access => in the right pane, open Removable Disks: Deny Execute Access.

I do hope this answers your question.

Thanks.

--
--If the reply is helpful, please Upvote and Accept as answer--

Answer 3

I'm not an AD administrator, but I have a security question related to this thread: can we setup a GPO that blocks usb storage devices, but allows us to specifically allow company USB drives that we control?

Answer 4

Hello @Eduar Muñoz Murcia

I think this is what you need:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN

In case this helped kindly mark the answer as Accepted

BR