How to Create a Group Policy to Disable USB Port for all Users except Local Administrators

It is considered a safe practice to restrict USB access for all users except the administrators. This can be done with Active Directory Group Policy Objects. Administrators can use User Configuration to apply policies to users, regardless of the computer that they log in to. This is in contrast to Computer Configuration, where the policies apply only to the computers, regardless of the user who logs in. If the logged-in user is a local administrator, then USB access is enabled for them and disabled for any other user. Another method is to use Security Filtering to exempt a specific group of users from a certain group policy. Thus, USB access can be denied to all users and the local administrators can be exempted from this policy. Both methods are discussed in the following sections.

Disabling USB Access for Login Users using GPO

The USB ports can be disabled for all users other than local administrators using Group Policy Objects (GPOs). USB access is then enabled only for the local administrators, regardless of the computer that they log in to. An Organizational Unit containing all users except administrators can be created, and the group policy can be linked to that organizational unit. The Group Policy for disabling USB access can be created by following the steps given below.
  1. Open the Group Policy Management Console (GPMC).
  2. Right click on Group Policy Objects and click on New.
  3. Provide an appropriate name to the GPO (for example, Disable USB Access) and click OK.
  4. Right click on the newly created group policy (Disable USB Access) and click on Edit.
  5. This opens the Group Policy Management Editor.
  6. In the console tree, navigate to User Configuration > Policies > Administrative Templates > System > Removable Storage Access.
  7. The Removable Storage Access section contains various options for different types of storage devices.
  8. Right click on the All Removable Storage classes: Deny all access setting and click on Edit.
  9. In the dialog box that opens, select the Enabled option to block all access to USB devices.
  10. Click on Apply and then click OK.
  11. Locate the organizational unit (OU) containing the users for whom USB access is to be disabled.
  12. Right click on the required organizational unit and select the Link an existing GPO option.
  13. Select the required GPO (in this case, Disable USB Access) from the list of available policies and click OK.
  14. Perform a group policy update using the gpupdate /force command.
If a USB device is connected by any user within the selected OU, an Access denied message is shown. Thus, the USB ports are disabled unless the logged-in user is a local administrator.
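
The same procedure can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original article; the OU distinguished name is a placeholder assumption, and the registry value shown is the one that backs the All Removable Storage classes: Deny all access setting under User Configuration.

```powershell
# Added example (not from the original article).
# Requires the GroupPolicy module (installed with GPMC / RSAT) and rights
# to create and link GPOs in the domain.
Import-Module GroupPolicy

$GpoName  = 'Disable USB Access'                    # GPO name used in the article
$TargetOu = 'OU=Standard Users,DC=example,DC=com'   # ASSUMPTION: placeholder OU DN

# Policy-backed registry value for
# "All Removable Storage classes: Deny all access" (User Configuration).
$Key       = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$ValueName = 'Deny_All'

# Steps 1-3: create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny all removable storage access for users'
}

# Steps 4-10: set the policy to Enabled (DWORD 1).
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName `
    -Type DWord -Value 1 | Out-Null

# Steps 11-13: link the GPO to the OU unless a link is already present.
$existingLink = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Check: read the setting back from the GPO and fail loudly on a mismatch.
$setting = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName
if ($setting.Value -ne 1) {
    throw "GPO '$GpoName' does not have $ValueName set to 1."
}

# Check: confirm the link exists and is enabled on the target OU.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Select-Object DisplayName, Enabled, Enforced, Order

# Step 14 is run on a client in the OU, in the affected user's session:
#   gpupdate /force
```
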

Enabling USB Access to Local Administrators using Security Filtering

To disable USB access for all logged-in users except the local administrators, Group Policy Security Filtering can be configured by following the steps given below.
  1. Open the Group Policy Management Console (GPMC).
  2. Locate and select the required Group Policy Object (Disable USB Access).
  3. In the Security Filtering section, add the Local Administrators group.
  4. Click on the Delegation tab and click on Advanced. Click on Add and enter the name of the group to be exempted (Local Administrators).
  5. Select the group and select the Deny option for the Apply Group Policy permission.
  6. Click on OK and Yes when prompted.
Thus the local administrators are exempted from the Disable USB Access group policy. They are allowed to use the USB ports which are otherwise blocked for all the other users. 
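
To confirm that the exemption is in place, the permissions on the GPO can be listed and the deny entry checked. This is an added example, not part of the original article; the group name is taken from the steps above and is assumed to resolve to a group in your domain.

```powershell
# Added example (not from the original article).
Import-Module GroupPolicy

$GpoName     = 'Disable USB Access'      # GPO name used in the article
$ExemptGroup = 'Local Administrators'    # ASSUMPTION: group name as written in the article

# Read every permission entry on the GPO, including deny entries.
$acl = Get-GPPermission -Name $GpoName -All

# Show who the GPO applies to and which entries are denies.
$acl |
    Select-Object @{ n = 'Trustee'; e = { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission, Denied, Inherited |
    Sort-Object Denied -Descending |
    Format-Table -AutoSize

# Warn if the exempted group has no deny entry on this GPO.
$denyEntry = $acl | Where-Object { $_.Denied -and $_.Trustee.Name -eq $ExemptGroup }
if (-not $denyEntry) {
    Write-Warning "No deny entry for '$ExemptGroup' on '$GpoName'; the group is not exempted."
}

# On a client, logged in as a member of the exempted group, the GPO should be
# listed as filtered out with "Denied (Security)":
#   gpresult /r /scope user
```
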