<p><a href="https://www.wincert.net/wp-content/uploads/2015/01/windows-server.jpg" rel="attachment wp-att-550"><img class="alignnone size-full wp-image-550" src="https://www.wincert.net/wp-content/uploads/2015/01/windows-server.jpg" alt="Windows Server,printer,hp,hp deskjet,kms,backup,notification area,update,wsus,illegaltag,printer port,scheduled task,root hints,installation file missing,spoolsv.exe,installer error,iis6,home server,print drivers, print spooler,windows update,metro apps,auto-login,standalone installer,iis6,ie11 compatibility view" width="720" height="340" /></a></p>
<p>Here&#8217;s how you can easily disable use of external or removable drives using Group Policy in your Active Directory environment.</p>
<p>First we need to create a new policy and link it to the Organizational unit.</p>
<p>Now edit the newly created policy and navigate to:</p>
<p><strong>Computer Configuration | Administrative Templates | System | Removable Storage Access</strong></p>
<p>In the right pane open the &#8220;<strong>All Removable Storage classes: Deny all access</strong>&#8221; setting.<!--more--></p>
<p><a href="https://www.wincert.net/wp-content/uploads/2016/01/removable-storage-policy.png" rel="attachment wp-att-1620"><img class="alignnone wp-image-1620 size-full" src="https://www.wincert.net/wp-content/uploads/2016/01/removable-storage-policy.png" alt="removable drives" width="681" height="431" /></a></p>
<p>Set the policy to &#8220;<strong>Enabled</strong>&#8221;</p>
<p>Since this is a Computer configuration policy it should be applied to a computer containter.</p>
<p>On the other hand if you would like to apply this policy to a user containter you will have to enable <strong>Group Policy Loopback processing mode</strong> policy setting to be able to apply this policy on a user container.</p>
<p>In this case policy will be applied to all computers/users in that container.</p>
<p>To filter out users or computers that should not receive this policy, go to <strong>Delegation tab/Advanced</strong> setting and select desired Active Directory Security group and select Deny checkbox under &#8220;<strong>Apply group policy</strong>&#8221; setting.</p>
<p>All users/computers that are members of this Active Directory Security group will not get this policy applied.</p>
<p>You can also think about using a third-party solution like the Device lock which is great since you can filter usage of USB removable drives on a Hardware ID base. It also integrates with Active Directory.</p>
<p>You can also monitor files that are being copied from and to USB removable drives.<br />
<a href="http://www.devicelock.com/" target="_blank">http://www.devicelock.com/</a></p>
<p>Comments are welcome!</p>