Disable removable drives using GPO
Here’s how you can easily disable the use of external or removable drives using Group Policy in your Active Directory environment.
First, we need to create a new policy and link it to the organizational unit.
Now edit the newly created policy and navigate to:
Computer Configuration | Administrative Templates | System | Removable Storage Access
In the right pane open the “All Removable Storage classes: Deny all access” setting.
Set the policy to “Enabled”.
Since this is a Computer Configuration policy, it should be applied to a computer container.
If you would rather apply this policy to a user container, you will have to enable the Group Policy Loopback processing mode policy setting.
In either case, the policy will be applied to all computers/users in that container.
To filter out users or computers that should not receive this policy, go to the Delegation tab, open the Advanced settings, select the desired Active Directory security group, and tick the Deny checkbox for the “Apply group policy” permission.
All users/computers that are members of this Active Directory Security group will not get this policy applied.
You can also consider a third-party solution such as DeviceLock, which is great because it lets you filter the use of USB removable drives by Hardware ID. It also integrates with Active Directory.
You can also monitor files that are being copied from and to USB removable drives.
Comments are welcome!