We have a third-party tool currently used to manage USB lockdown using AD security groups like the below. We are decommissioning the tool and moving to the USB lockdown feature using GPO. I am looking to create a GPO to target the below user security groups:
USB lockdown-Disable all access
USB Lockdown-Read only access
USB Lockdown-Read Write access
My plan to configure GPO is: I can configure one policy with USB lockdown-Disable all access and exempt the other 2 groups from it via delegation, setting the read only and read write groups to only read the policy but not apply it. One policy for read only. One policy for read write (not execute), but this is not available in user configuration, as only computer configuration has the execute-related one (this means execute is to be disabled, which means read and write are allowed). Not sure how to do the read write policy for a user group.
Action taken now to test the policy, and the result below:
I have created one GPO to restrict USB to read only access and configured the setting User Configuration >> Administrative Templates >> System >> Removable Storage Access >> Removable Disks: Deny write access. Linked the policy to the Users OU and applied security filtering to my account for testing purposes. I removed the existing lockdown groups from my account to make sure there is no conflict. I have removed the Authenticated Users group from security filtering. I have added the system I am using to test with read permissions under delegation. While testing, even after multiple gpupdate /force executions, the policy itself is not getting applied. I am not sure if I am missing something, as even a dummy GPO will normally get applied, and gpresult /R does not even list this in applied or denied GPOs. Not sure if Authenticated Users with read permission needs to be given, or the Domain Computers group with read permission needs to be configured in delegation.
Outcome:
I have fixed the GPO which was not getting applied by adding Authenticated Users with read permission in the delegation tab. The GPO is getting applied now. However, while writing to USB by copying data, it gives "destination folder access denied" with a continue or skip option, which enables me to add an admin account to write the files. I anticipated it would show access denied straight away while writing data. I have tested read access to be working fine and write access getting denied, but only in the way the message is shown as stated earlier. Deny access to all is also working fine. I am not sure how to get "deny execute" working with a GPO targeting a user group, as Deny execute is only available in computer configuration.
Please advise detailed steps on how to achieve the above with 2 or 3 policies configured in an easy way targeting user groups.
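As an added example that is not part of the original post (and not Microsoft's own tooling), the following PowerShell script builds the three user-targeted GPOs described above with the GroupPolicy RSAT module, applies the delegation that made the test GPO apply (Authenticated Users with Read, the matching group with Apply), and includes a client-side check of the effective per-user values. Assumed: the GroupPolicy module is installed, the three groups exist with the names used in the post, the Users OU distinguished name is a placeholder, and the registry key and value names are the ones written by the "Removable Disks: Deny read access / Deny write access" user-configuration policies (check them against the RemovableStorage ADMX in your environment). The read/write GPO intentionally sets no deny values, because "Deny execute access" exists only under Computer Configuration, as the post notes.

```powershell
# Added example, not the original post's configuration. Requires the GroupPolicy
# RSAT module and rights to create/link GPOs. Group names are taken from the post;
# the OU DN and registry paths are assumptions to verify in your environment.
Import-Module GroupPolicy

# Device class GUID used by the "Removable Disks" policies (assumed; verify in the ADMX).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

# One GPO per group. DenyRead/DenyWrite map to the Deny_Read / Deny_Write policy values.
$Lockdown = @(
    @{ Gpo = 'USB Lockdown - Deny All';   Group = 'USB lockdown-Disable all access'; DenyRead = 1; DenyWrite = 1 }
    @{ Gpo = 'USB Lockdown - Read Only';  Group = 'USB Lockdown-Read only access';   DenyRead = 0; DenyWrite = 1 }
    # Read/write: nothing denied. Deny execute is a Computer Configuration setting only,
    # so it cannot be expressed in a user-targeted GPO.
    @{ Gpo = 'USB Lockdown - Read Write'; Group = 'USB Lockdown-Read Write access'; DenyRead = 0; DenyWrite = 0 }
)

function New-UsbLockdownGpo {
    param([hashtable]$Spec, [string]$LinkTarget)   # $LinkTarget = DN of the Users OU

    $gpo = Get-GPO -Name $Spec.Gpo -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Spec.Gpo }

    # Registry-backed policy values under User Configuration (0 = not denied).
    Set-GPRegistryValue -Name $Spec.Gpo -Key $PolicyKey -ValueName 'Deny_Read'  -Type DWord -Value $Spec.DenyRead  | Out-Null
    Set-GPRegistryValue -Name $Spec.Gpo -Key $PolicyKey -ValueName 'Deny_Write' -Type DWord -Value $Spec.DenyWrite | Out-Null

    # Security filtering: only the matching group gets "Apply group policy".
    Set-GPPermission -Name $Spec.Gpo -TargetName $Spec.Group -TargetType Group -PermissionLevel GpoApply -Replace | Out-Null
    # Authenticated Users must keep Read (but not Apply). Without Read, the client cannot
    # evaluate the GPO at all and gpresult never lists it, which is the symptom in the post.
    Set-GPPermission -Name $Spec.Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    New-GPLink -Name $Spec.Gpo -Target $LinkTarget -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Client-side check: read the effective per-user values on a test workstation after gpupdate.
function Get-EffectiveUsbPolicy {
    $key  = "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $mode = 'read/write'
    if (-not $item)                { $mode = 'no policy' }
    elseif ($item.Deny_Read  -eq 1) { $mode = 'deny all' }
    elseif ($item.Deny_Write -eq 1) { $mode = 'read only' }
    [pscustomobject]@{
        DenyRead  = [bool]($item.Deny_Read  -eq 1)
        DenyWrite = [bool]($item.Deny_Write -eq 1)
        Mode      = $mode
    }
}

# Usage (from an admin workstation with RSAT; replace the OU DN with your own):
# foreach ($spec in $Lockdown) { New-UsbLockdownGpo -Spec $spec -LinkTarget 'OU=Users,DC=example,DC=com' }
# Then on a test client, as the test user: gpupdate /force; Get-EffectiveUsbPolicy
```

The "continue or skip" prompt seen in the post is Explorer offering to retry the copy under a different (administrative) account; because these are per-user policies, an admin account that is not a member of the lockdown group is not filtered by the same GPO and can complete the write. Keeping privileged accounts out of the exempt path, or covering them with the same group membership, closes that gap; whether the prompt appears at all is Explorer behaviour, not something the policy value controls.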