How to Control USB Access on select Devices using GPO

How to Control USB Access on select Devices using GPO

Enabling and Disabling USB access using Active Directory Group Policy

Removable storage devices such as USB drives have gained widespread use and become an indispensable way for the storage of data. However, they also pose a threat to the security of an organization. For instance, an employee might connect a device infected with malware to a computer, which in turn possesses the risk of the malware spreading to all the computers in the network. In another scenario, the portable nature of USB devices can be exploited to copy sensitive files and information. This causes a breach in the privacy and security of an organization. In order to avoid these mishaps, organizations generally block the use of USB devices on their computers.

USB access can be enabled or disabled using Group Policy Objects (GPOs) via Active Directory. This makes it easier for IT administrators to control access on all computers within the domain. With the help of GPOs, the administrator can block access on all devices. In addition to this, specific users or devices may be provided USB access. This is done by means of the Group Policy Management Console.

How to Disable USB access using GPO

The process of disabling access to USB devices is discussed as follows. The process involves creating a Group Policy Object and linking it to the desired Organizational Unit. To create a Group Policy Object (GPO) for blocking USB access, follow the steps given below.

  1. Open the Group Policy Management Console (GPMC). This can be done by navigating to Start > Run and typing gpmc.msc.
  2. Right-click on Group Policy Objects and click on New.
  3. Provide an appropriate name to the GPO (for example, Block USB Access) and click OK.
  4. Right-click on the newly created policy and click Edit.
  5. This opens the Group Policy Management Editor. In the console tree, navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
  6. The Removable Storage Access section contains multiple options for different types of storage devices. Right-click on the All Removable Storage classes: Deny all access settings and click on Edit.
  7. In the dialog box that opens, select the Enable option to block all access to USB devices.
  8. Click on Apply and then click OK.
Once the group policy is created, it can be linked to the desired organizational unit which contains the devices to which USB access is to be denied. This can be done by following the instructions given below.
  1. Locate the Organizational Unit to which the group policy needs to be applied and right-click on it.
  2. Select the Link an existing GPO option.
  3. Select the required GPO (in this case Block USB Access) from the list of available policies and click OK.
  4. Perform a group policy update using the gpupdate /force command.
  5. This links the group policy to all the computers in the organizational unit.
  6. If a USB device is connected to any computer within the selected OU, a message stating Access denied can be seen. Thus, USB access is blocked to the selected computers.

How to Enable USB Access for select devices using GPO

In the previous section, USB access was denied to all computers within an organizational unit by means of a Group Policy Object called Block USB Access. However, it is possible to exempt specific computers or users, such as administrators from this policy. This enables USB access on those devices. This can be done by creating a separate Active Directory group containing the computers for which the USB access needs to be enabled. In other words, this group contains all the computers which are exempted from the Block USB Access policy.
  1. Create a group containing the users or devices to be exempted from the policy.
  2. Open the Group Policy Management Console.
  3. Locate and select the desired GPO (in this case, Block USB Access), and click on the Delegation tab.
  4. Click on Advanced and click Add.
  5. Enter the name of the group to be exempted from the policy and click OK.
  6. Select the group and scroll to the Apply group policy permission section.
  7. Select the Deny option and click OK.
  8. If prompted by the Windows Security dialog box, click Yes.
Thus all the computers within the group will be exempted from the group policy that denies USB access. In other words, the list of devices within the group will be allowed USB access. This helps in using group policies for enabling USB access to only certain authorized users such as administrators. This in turn helps control access to removable storage devices and minimizes the security risks faced by the organization.
    • Related Articles

    • How to Create a Group Policy to Disable USB Port for all Users except Local Administrators

      How to Create a Group Policy to Disable USB Port for all Users except Local Administrators It is thus considered a safe practice to restrict USB access to all users except the administrators. This can be done with the help of Active Directory Group ...
    • Managing Websites using Active Directory Group Policy Objects (GPO)

      How to Blacklist/ Whitelist and Bookmark select Websites on Browsers using GPO Organizations frequently need to block or restrict access to specific websites and applications for security and management reasons. Certain websites may not be safe and ...
    • Active Directory User Rights Assignement using GPO

      User Rights: An Introduction  User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. They allow users to perform ...
    • How to copy files or folders to all computers using GPO

      Introduction There are several scenarios for when you would need to copy one or multiple files to select computers or all computers in a domain of an Active Directory (AD) network. For example, there might be a shared folder that everyone in the ...
    • GPO Delegation

      Just like other AD objects, security principals can be assigned permissions to access a GPO. The following are the list of permissions that can be assigned: Read Edit Settings Edit Settings, Delete, Modify security The following steps illustrate how ...