In this article you will learn how to improve your network security by disabling Universal Serial Bus (USB) drive usage in your Active Directory domain.

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Latest posts by Timothy Warner (see all)

Universal Serial Bus (USB) flash drives are undeniably convenient and easy to use. However, these devices pose very real security threats.

Number one, allowing your users to mount their own USB flash drives provides a vector for malicious code into your network. Number two, a malicious user can steal sensitive data by copying it to their flash drive and leaving the campus.

Here are a couple excellent articles that delve more deeply into IT security threats posed by USB devices:

You may decide to institute an IT security policy in your domain that prohibits use of personal USB devices. This is all well and good, but how many of your users will actually adhere to the policy without some kind of a control in place?

Fortunately, Windows Server 2008 R2 provides us administrators with a method for easily disabling USB drive access on Active Directory domain assets. Let’s get to work.

Defining the restriction ^

One important thing to keep in mind is that Microsoft made it MUCH easier to control removable drive access in Windows 7/Windows Server 2008 R2 Group Policy. If you need to restrict USB drives on earlier client operating systems (including Windows Vista), then one of the following links should prove helpful to you:

Now then: from one of your Active Directory Domain Services domain controllers or from an administrative workstation, open the Group Policy Management Console and link a new GPO to the appropriate target (domain, OU, etc.).

Within the Group Policy Editor, navigate to \Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

NOTE: If you prefer to set these restrictions on a per-user basis instead of computer-wide, then use the Group Policy path \User Configuration\Policies\Administrative Templates\System\Removable Storage Access.

Disable USB drive - Group Policy - Removable Storage Access

Group Policy - Removable Storage Access

Note from the above screenshot that we can use Group Policy to limit access to the following device classes:

  • Optical drives (CD and DVD)
  • Floppy drives
  • Removable disks (USB devices)
  • Tape drives
  • Custom device classes

By far, the most restrictive restriction (pardon the redundancy) is the policy All Removable Storage Classes: Deny All Access. If we enable this policy, as is shown in the following screen capture, then we prevent affected users from mounting ANY class of removable media.

Disable USB drive usage - All Removable Storage classes - Deny all access

All Removable Storage classes - Deny all access

Naturally, we want to apply GPO security filtering to ensure that only our desired users and computers are affected by our new policy. From the Group Policy Management Console we can make use of the Security Filtering and/or the WMI Filtering areas to properly scope our GPO. This is depicted in the following screen image:

Disable USB drive

Disable USB drive

In order to put your new GPO into effect immediately, open an administrative command prompt and issue the following command:

gpupdate/ force

This command refreshes Group Policy throughout your Active Directory domain.

How the restriction works ^

Once your GPO has been ingested by your domain, a user will see the following message box whenever they attempt to mount a restricted media device:

Disabled removable drive

Disabled removable drive

It’s as simple as that!

Conclusion ^

In this article you learned how to leverage Windows Server 2008 Group Policy to disable USB drive us in our Active Directory domain. Have you initiated this policy in your environment? Please feel free to share your experiences and questions in the comments portion of this post.

Are you an IT pro? Apply for membership!

Your question was not answered? Ask in the forum!

1+
Share
22 Comments
  1. Ajeesh 8 years ago

    i just wanted to know the from where "Disable USB drive" screen will open

    1+

  2. Tim Warner 8 years ago

    Hi Ajeesh. The "Disable USB Drive" screenshot was taken from the Group Policy Management Console. You can open that MMC console from the Administrative Tools folder on your domain controller. Alternatively, you can click Start > Run and type gpmc.msc into the Run box. -Tim

    1+

  3. Fifi 7 years ago

    I failed to get the message access deny after the installation and updating the policy. I wonder where i went wrong. i created the policy in win2008 and implement the policy on Computer conf> policies> administrative templ> removable storage access > I enabled removable disks(deny read and deny write access) and enabled all removable storage classes deny all access.

    kindly assist

    1+

  4. Hesham Mousa 7 years ago

    this solution has a very bad effect if you want to roll back the policy as from testing such policy you cannot roll back because the policy applies on the driver NTFS permissions

    2+

  5. joe 7 years ago

    I want to block only pen drives And external hard drives then what about usb mouse used by clients if we did so. ??

    1+

  6. Rajat 7 years ago

    Hi. I used the procedure above and it was 100% successful. But i also have to find a way to enable the USB. I changed the USBSTOR value from 4 to 3, then too the usb isnt working. Can anybody please help or find a way to enable back the disabled USB? Thanks.

    1+

  7. Michael Pietroforte 7 years ago

    Rajat, I posted an answer in the forum. I hope that helps.

    1+

  8. Michael 6 years ago

    i like article. Looks quite straight and forward. I haven't tried it yet.
    But please can you help me if there's anyway where i can monitor which users have been trying to use USB drives in the domain after i enable the policy?

    1+

  9. Michael Pietroforte 6 years ago

    Michael, I posted your question in the forum. You can subscribe to the topic after you registered.

    1+

  10. Andy 6 years ago

    Does it work for server 2003 with windows 7 client ?

    1+

  11. ghuge 5 years ago

    Hi,
    I have enabled read write restriction for a group of users, if a user from this group is to log onto a win 8.1 system and tries accessing a usb drive it says access is denied, however if the same user logs onto a Windows server 2008 R2 system in the same domain he is allowed to access the usb drive, why may this be happening?

    1+

  12. Nem Muth 5 years ago

    I want to disable usb but enable CD/DVD ROM . How can I do?

    1+

  13. Carlitos 5 years ago

    Hi there, i really appreciate your help, that was great, but i don't want the drive to be visible, is there any way?

    2+

  14. chedva 5 years ago

    i tried to do this on server 2012 (only for single user) but nothing happen and the user can use removable drives why?can anyone help me?

    1+

  15. John sellers 4 years ago

    I think there's third party software that allows you to restrict/allow specific models of flash drives. This could be best for us because we have some machines that aren't on the domain. Obviously GP wouldn't apply to those machines but a third party solution could resolve that issue.

    1+

  16. Pankaj Sharma 4 years ago

    Hi Tim,

    I tried it but it did not work. Windows 2012 server. Can anyone help pleas.

    3+

  17. sandeep 4 years ago

    Hii

    i tried on windows server 2012r2 its working,but i logon to windows 8.1,my local disk D,E also blocked

    2+

  18. Subham 2 years ago

    here in this case the all clients and the domain is not able to access that but that client who connect the usb drive did he access that or not and is it possible that the domain disable the usb port using the group policy ....

    1+

  19. ViCiouSSoRreL 1 year ago

    I want to have the GPO denying but allow specific users access.  How can that be done?

    Currently using a computer based GPO to deny all removable media.

    1+

  20. Jon Sorrell 1 year ago

    I have a hardware based GPO that does not allow any removable media.

    Now I have a specific person I would like to enable.  How can that be accomplished.

    Thanks

    1+

  21. Saurabh 6 months ago

    Hi Team,

    We have applied Domain level USB restriction policy through GPO on our Domain controller win2k8 and after changes took place we tried connecting USB drive on several client machine (installed win 7 OS) where it is giving "Access is denied "  that means the policy is working perfectly on all client machine into the same domain. But when we have logged in to server (win 2008 & 2012 )in the same domain and connected same USB drive then it is accessible , that means the policy is not applying on servers.

    So request you please help in how to disable USB on servers also.

    Regards,

    Saurabh

    0

  22. Mubashir 6 months ago

    i had used this method on my laptop which is connected with domain environment but not work.

    value changed  Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\DWORD value 3

    also check gpedit.msc 

    USB not working.

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account