Trouble with GPO for Allowing USB Access

Asked By CuriousTechie92 On

I'm trying to set up a Group Policy Object (GPO) to manage access to removable storage, specifically USB drives. I've configured two GPOs: one to Allow access for specific IT staff and those with legitimate requests to borrow USBs, and another to Deny access for everyone else. I'm focusing on User policies rather than Computer policies. However, I'm encountering issues where, despite being a member of the Allow security group, a user is still getting denied access. My GPO settings include: the Deny scope includes Authenticated Users, while the Allow scope targets a specific AD security group. The Link order prioritizes Allow with a lower number than Deny, and Allow is set to Enforced. What am I missing?

3 Answers

Answered By TechWhizKid On

You probably don’t need the Enforce setting for this to work. Your Link order might be mixed up—try swapping them. If it still doesn't work, ensure you didn’t remove 'Authenticated Users: Read' access when adjusting the permissions.

Answered By NetworkGuru88 On

For our clients, we've opted for a Computer object approach instead of User policies because it’s much easier to manage. We have two separate Organizational Units (OUs) for this: one for Deny and one for Allow. When a user needs temporary access, we simply move their computer object into the Allow OU, run a `gpupdate /force`, and then move it back when they're done. I wonder if you need to include Authenticated Users in your Allow permissions for everything to work properly.

Answered By SysAdminPro23 On

Consider using an AD group specifically for this access, like ‘permission.AllowRemovableStorage’. In the Deny GPO, include this new group and make sure to clear all permissions except for ‘Apply group policy’ under the Deny section. In the Allow GPO, do the same but check it under Allow. Even better, make sure you don't have any other entries with ‘Apply group policy’ checked. Since you’re filtering by users, adding Domain Users or Authenticated Users with Read access might help.
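As an added example (not code from any of the answers above), the following PowerShell audit uses the RSAT GroupPolicy module to check the three points the answers raise: which trustees hold Apply Group Policy on each GPO, whether Authenticated Users still has Read, and the link order and Enforced flags at the OU. The GPO names, the OU distinguished name and the group name are assumed placeholders; the group name follows SysAdminPro23's suggestion.

```powershell
# Added example: audit the security filtering and link order of an Allow/Deny
# removable-storage GPO pair. Requires the GroupPolicy RSAT module
# (Get-GPPermission, Get-GPInheritance). Names below are assumed placeholders.
Import-Module GroupPolicy

$AllowGpo = 'USB - Allow Removable Storage'       # assumed GPO name
$DenyGpo  = 'USB - Deny Removable Storage'        # assumed GPO name
$AllowGrp = 'permission.AllowRemovableStorage'    # group name from the answer above
$TargetOu = 'OU=Workstations,DC=corp,DC=example'  # assumed OU where both GPOs are linked

function Get-GpoApplyTrustees {
    param([string]$GpoName)
    # Only trustees holding GpoApply (Read + Apply Group Policy) are in the GPO's scope.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

function Test-GpoReadForAuthenticatedUsers {
    param([string]$GpoName)
    # User-side policy is retrieved in the computer's security context (MS16-072),
    # so removing Authenticated Users' Read makes the GPO silently stop applying.
    $perm = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                -TargetType Group -ErrorAction SilentlyContinue
    return ($null -ne $perm -and $perm.Permission -ne 'None')
}

function Get-GpoLinkSummary {
    param([string]$OuDn)
    # Lower Order = higher precedence (processed last). Enforced only defeats
    # Block Inheritance in child OUs; it does not reorder GPOs linked at the same OU.
    (Get-GPInheritance -Target $OuDn).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

function Test-UsbGpoPair {
    $allowApply = @(Get-GpoApplyTrustees -GpoName $AllowGpo)
    $denyApply  = @(Get-GpoApplyTrustees -GpoName $DenyGpo)

    Write-Host "Apply Group Policy on '$AllowGpo': $($allowApply -join ', ')"
    Write-Host "Apply Group Policy on '$DenyGpo' : $($denyApply -join ', ')"

    # Finding 1: the Allow group is itself inside Authenticated Users, so when the
    # Deny GPO is filtered on Authenticated Users its members receive BOTH GPOs and
    # the result depends entirely on link order at the OU.
    $denyOnAuthUsers = $denyApply | Where-Object { $_ -like '*Authenticated Users' }
    $allowOnGroup    = $allowApply | Where-Object { $_ -like "*$AllowGrp" }
    if ($denyOnAuthUsers -and $allowOnGroup) {
        Write-Warning "Members of '$AllowGrp' are in scope of both GPOs; the outcome rests on link order."
    }

    # Finding 2: any other trustee with Apply on the Allow GPO widens its scope.
    $unexpected = $allowApply | Where-Object { $_ -notlike "*$AllowGrp" }
    if ($unexpected) {
        Write-Warning "Unexpected trustees with Apply on '$AllowGpo': $($unexpected -join ', ')"
    }

    # Finding 3: both GPOs still need Read for Authenticated Users (or Domain Computers).
    foreach ($g in $AllowGpo, $DenyGpo) {
        if (-not (Test-GpoReadForAuthenticatedUsers -GpoName $g)) {
            Write-Warning "'$g' has no Read for Authenticated Users; its user settings will not apply."
        }
    }

    Get-GpoLinkSummary -OuDn $TargetOu | Format-Table -AutoSize
}

Test-UsbGpoPair
# On an affected client, confirm which GPO actually won for the logged-on user:
#   gpresult /R /SCOPE USER
```

Note that `Set-GPPermission` only writes Allow entries; the "checked under Deny" step in the answer is done in GPMC under Delegation > Advanced, and a Deny ACE added there is not reported by `Get-GPPermission`, so check that tab as well when the audit above looks clean but the user still gets the wrong result.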
