Last updated on May 13th, 2021
This guide contains step-by-step instructions on how to block USB storage devices on the entire domain, or for specific domain users only, by using Group Policy in a Windows Server 2016 or 2012 Active Directory domain. More specifically, after reading the instructions in this guide you will know how to prevent access to any USB storage device (flash drives, external hard drives, smartphones, tablets, etc.) that can be connected to any computer in the domain, or how to deny USB storage access only to specific domain users.
Today, many of us use a USB storage device to transfer data. For an organization, however, the ability of its employees to use external storage devices introduces security risks, such as spreading malware or exfiltrating sensitive data. To avoid these risks, follow the instructions below to block access to USB storage devices for all users and computers in your domain, or for certain domain users only, by using Group Policy. *
* Notes:
1. In this post, to block USB drives through group policy, we used an Active Directory 2016 domain controller to create the new group policy and Windows 10 Pro & Windows 7 Pro workstations to apply it.
2. The “Block USB Access” policy will not affect the Domain Administrators or any other connected USB device, such as USB Keyboards, Mouse, Printer, etc.
3. After applying the Group Policy, the users will not have access to any type of USB Storage device, and will receive one of the following error messages when trying to access a USB storage device on their PC.
How to use Group Policy to Prevent Access to USB Storage Devices (Server 2012/2012R2/2016)
Part 1. How to Block Access to USB Storage Devices on Entire Domain 2016.
To deny access to any connected USB storage device for every user on every computer in the domain:
1. On the Server 2016 AD Domain Controller, open Server Manager and then, from the Tools menu, open Group Policy Management. *
* Alternatively, navigate to Control Panel -> Administrative Tools -> Group Policy Management.
2. Under Domains, select your domain, then right-click Default Domain Policy and choose Edit.
3. In ‘Group Policy Management Editor’, navigate to:
- User Configuration > Policies > Administrative Templates > System > Removable Storage Access
4. In the right pane, double-click Removable Disks: Deny read access. *
* Notes:
1. Many tutorials at this point suggest enabling the ‘All Removable Storage classes: Deny all access’ policy, but during our tests we discovered that this policy does not apply to (work for) smartphones or tablets.
2. If you want to block the USB Write access, select the Removable Disks: Deny write access.
5. Check Enabled and click OK.
6. Close the Group Policy Editor.
7. Restart the server and the client machines, or run the gpupdate /force command to apply the new group policy settings (without restart) to both server and clients.
Part 2. How to Prevent Access to USB Storage Devices on Specific Domain Users.
To deny access to USB storage devices to specific users only by using a group policy, you must create a group containing the users who should not have access to USB storage devices, and then apply the new policy to that group. To do that:
Step 1. Create a Group with the Disabled USB Users. *
* Note: If you have already created a group with the disabled USB users, continue to step-2.
1. Open Active Directory Users and Computers.
2. Right-click the “Users” object in the left pane and choose New > Group.
3. Type a name for the new group (e.g. “USB Disabled Users”) and click OK. *
* Note: Leave the ‘Global’ and ‘Security’ options checked.
4. Open the newly created group, select the Members tab and click Add.
5. Select the domain user(s) for whom you want to block USB storage devices, then click OK.
6. Click OK to close group properties.
Step 2. Create a New Group Policy Object to Disable the USB Storage devices.
1. Open the Group Policy Management.
2. Under the ‘Domains’ object, right-click on your domain and select Create a GPO in this domain and Link it here.
3. Type a name for the new GPO (e.g. “USB Disabled”) and click OK.
4. Right-click the new GPO and click Edit.
5. In ‘Group Policy Management Editor’, navigate to:
- User Configuration > Policies > Administrative Templates > System > Removable Storage Access
6. In the right pane, double-click Removable Disks: Deny read access. *
* Notes:
1. Many tutorials at this point suggest enabling the ‘All Removable Storage classes: Deny all access’ policy, but during our tests we discovered that this policy does not apply to (work for) smartphones or tablets.
2. If you want to block USB write access, select Removable Disks: Deny write access.
7. Check Enabled and click OK.
8. Close the Group Policy Management Editor window.
9. Back in ‘Group Policy Management’, select the “USB Disabled” GPO and, on the ‘Scope’ tab, click the Add button (under the ‘Security Filtering’ settings).
10. Type the name of the “USB disabled users” group (e.g. “USB Disabled Users” in this post) and click OK.
11. When done, select the Delegation tab.
12. On the ‘Delegation’ tab, select Authenticated Users and click Advanced.
13. In the Security options, select Authenticated Users and uncheck the Apply group policy checkbox. When done, click OK.
14. Close Group Policy Management.
15. Restart the server and the client machines, or run the “gpupdate /force” command (as administrator) to apply the new group policy settings (without restart) to both server and clients.
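The same Part 2 configuration can be scripted with the GroupPolicy and ActiveDirectory RSAT modules; the script below is an added example, not code from the original guide. It assumes you run it as a Domain Admin, that the “USB Disabled Users” group from Step 1 already exists, and that the registry path is the one RemovableStorage.admx maps the “Removable Disks: Deny read access” setting to (the GUID is the Removable Disks device class; verify it against the ADMX file in your environment).

```powershell
# Added example (not from the original guide): build and filter the "USB Disabled" GPO from Part 2.
# Assumptions: Domain Admin session with RSAT installed; group "USB Disabled Users" already exists.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'USB Disabled'
$GroupName = 'USB Disabled Users'
$DomainDN  = (Get-ADDomain).DistinguishedName

# Registry location written by "Removable Disks: Deny read access" (User Configuration,
# RemovableStorage.admx). Assumed class GUID for Removable Disks; confirm in your ADMX.
$RemovableDisksKey = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Step 2, items 2-3: create the GPO (if missing) and link it to the domain root
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny read access to removable disks for USB Disabled Users'
    New-GPLink -Name $GpoName -Target $DomainDN | Out-Null
}

# Step 2, items 4-7: "Removable Disks: Deny read access" = Enabled
Set-GPRegistryValue -Name $GpoName -Key $RemovableDisksKey -ValueName 'Deny_Read' -Type DWord -Value 1 | Out-Null
# Uncomment to also enable "Removable Disks: Deny write access"
# Set-GPRegistryValue -Name $GpoName -Key $RemovableDisksKey -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null

# Step 2, items 9-10: security filtering -> the group gets Read + Apply Group Policy
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 2, items 11-13: Authenticated Users keep Read but lose Apply Group Policy.
# Keep Read: domain computers are Authenticated Users and must still be able to read
# user-side GPOs, otherwise the policy silently fails to apply on the clients.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Check the result: who the GPO applies to, and the value clients will receive
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
Get-GPRegistryValue -Name $GpoName -Key $RemovableDisksKey |
    Format-Table ValueName, Type, Value -AutoSize
```

After running it, `gpupdate /force` on a client (item 15) and a `gpresult /r` as one of the filtered users should list “USB Disabled” under Applied Group Policy Objects, while an unfiltered user should not see it.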
That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.