How to apply group policy settings to specific local accounts in Windows

17

11

I created a limited user account and want to restrict USB and CD drive access using group policy settings. Hence I want to use gpedit.msc to enforce restrictions on the limited account and disable access to USB and CD drive, and prevent the limited account from modifying those changes. How can I achieve this without restricting any other accounts?

rzlines

Posted 2010-04-23T16:51:02.460

Reputation: 7 006

Answers

18

In Windows Vista and later you can apply policies only to a specific account, but you have to load the Group Policy Object Editor from the Microsoft Management Console, not by opening the snap-in directly.

  1. Open mmc.exe
  2. When the MMC console opens, click "File" -> "Add/remove snapin"
  3. Select "Group Policy Object Editor" and click the "Add >" button
  4. In the dialog which appears, click "Browse".
  5. Click the "users" tab and select a user.
  6. Click "OK", then "Finish", then "OK" again

You will now have a group policy user object for the selected user. Apply whatever restrictions you want. You may be interested in checking out "Hide these specified drives in My Computer" in User Configuration > Administrative Templates > Windows Components > Windows Explorer.

nhinkle

Posted 2010-04-23T16:51:02.460

Reputation: 35 057

@nhinkle, Why is it different when we open it in mmc? What's the reason for that? – Pacerier – 2015-03-19T14:11:55.043

@Pacerier if you don't open it through mmc, it'll apply the policies to the whole computer. When you open through mmc, you can choose whether to only apply them to a certain account. – nhinkle – 2015-03-19T16:52:32.800

+1 - This is really amazing! I wonder why MS doesn't educate users about such features. Especially since Windows takes utmost care to complicate everything :) Where do you learn such things? Books? – Robinicks – 2010-04-27T09:21:58.783

@nhinkle What if I wanted to apply the same policies to more than one user on a non-domain Win7? Is there a way to copy them? – AJaM – 2011-08-15T12:21:53.113

@AJaM I am not aware of a way to copy them. Unfortunately, you'd have to do it for each individual computer. – nhinkle – 2011-08-15T16:09:41.560

Makes me sad how hidden this is. Took me a while to find a solution and I finally came across your answer. It's great, thank you! – Brave Newbie – 2011-08-30T19:24:02.293

+1: This is just what I needed too! I can't believe how hidden this is either. – John H – 2012-07-30T16:48:37.360
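An added example (not part of nhinkle's answer) for checking which accounts have a per-user local GPO and what the drive-hiding setting resolves to. It relies on two Windows facts not stated in the thread: per-user local GPOs are stored under `%SystemRoot%\System32\GroupPolicyUsers\<SID>`, and "Hide these specified drives in My Computer" is written as the `NoDrives` bitmask under the user's `Policies\Explorer` key. Function names are illustrative.

```powershell
# Added example: audit per-user local GPOs and decode the drive bitmask.
# Run elevated; the GroupPolicyUsers folder is hidden.

function ConvertFrom-DriveMask {
    param([int64]$Mask)
    # Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    -join (0..25 | Where-Object { $Mask -band ([int64]1 -shl $_) } |
        ForEach-Object { [char](65 + $_) })
}

function Get-UserLocalGpo {
    $root = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        $sid = $dir.Name
        try {
            $sidObj = New-Object System.Security.Principal.SecurityIdentifier $sid
            $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        # The user's hive is only mounted under HKEY_USERS while that user is
        # logged on, so the effective values can be empty for offline accounts.
        $hive = "Registry::HKEY_USERS\$sid"
        $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $p    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Account       = $name
            Sid           = $sid
            PolicyFile    = (Test-Path -LiteralPath (Join-Path $dir.FullName 'User\Registry.pol'))
            HiveLoaded    = (Test-Path -LiteralPath $hive)
            HiddenDrives  = (ConvertFrom-DriveMask $p.NoDrives)       # "Hide these specified drives"
            BlockedDrives = (ConvertFrom-DriveMask $p.NoViewOnDrive)  # "Prevent access to drives"
        }
    }
}

Get-UserLocalGpo | Format-Table -AutoSize
```

An account that shows `PolicyFile = True` but empty drive columns while `HiveLoaded = True` has a per-user GPO that does not contain the drive restriction, or the user has not logged on again since it was set.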

2

You would have to make these group policy changes from an administrator account, not from the limited account.

th3dude

Posted 2010-04-23T16:51:02.460

Reputation: 9 189

Tried that but it applies to all accounts, how do I make changes to just the limited account? – rzlines – 2010-04-23T16:59:33.797

Correct me if I'm wrong, but isn't the group policy item to disable USB access in the Machine configuration? If that's the case, it doesn't matter which account you make the change under, it will affect all users of the computer. – dsolimano – 2010-04-23T20:06:55.743

Oh! If that is the case, how do I restrict a limited user account? I don't want to limit the admin account, just the user account is all that I want to restrict – rzlines – 2010-04-24T13:56:42.443

@Rogue, I posted below about the USB devices. I'll think some more about the CD drives and edit when I figure something out. I feel like I'm missing something obvious here. – dsolimano – 2010-04-25T01:57:00.537

1

For restricting access to USB devices, Microsoft has a KB article about denying permission to certain files - http://support.microsoft.com/kb/823732. You might need to leave SYSTEM with access to the files for the other accounts, some trial and error is in order.

EDIT-

There seems to be some fairly affordable third party software that does what you're looking for, but I've not tested it myself. http://www.devicelock.com/

dsolimano

Posted 2010-04-23T16:51:02.460

Reputation: 2 778

0

(I post "an answer" because I have not enough reputation to comment above. However, this information is important.)

Tested: Windows 8.1

The answer given by nhinkle above works well. However, it does not prevent you from opening a command prompt and navigating to the drives manually. Starting a JPG file on the other drive opens the image viewer.

You can disable the command prompt via "User Configuration\Administrative Templates\System", but I haven't found a way using the MMC to allow the command prompt while restricting it from navigating around.

There is a workaround, by accessing the "Security" "Properties" (right click) of the drive/root folder(s) (like D:), adding a dedicated line for the user account in question and check "Refused" "[x] Total Control" (might be labeled differently, I use a non-EN Windows version).

Imifos

Posted 2010-04-23T16:51:02.460

Reputation: 201

This is really a comment and not an answer to the original question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient reputation you will be able to comment on any post. – DavidPostill – 2015-10-11T14:33:25.003

As I said, I'm aware of this. And this is not a critique nor a request. It's additional information that I judged important to know. My systems are fine, but it would be too bad if people using the method above would think being in security while they aren't. If you judge this information not worth keeping in "the wrong place", feel free to remove it. – Imifos – 2015-10-12T15:33:02.657
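The deny-entry workaround from Imifos's answer, scripted as an added example (not code from the post). The account name `limiteduser`, the drive letter `D` and the function name are placeholders. The example only handles NTFS volumes, because FAT32, exFAT and CDFS media carry no ACLs, which matters for the USB and CD drives the question asks about.

```powershell
#Requires -RunAsAdministrator
# Added example: deny one local account all access to a data volume's root.
# 'limiteduser' and 'D' are placeholder values, not names from the page.

function Add-DriveDenyRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter
    )
    $root = "$($DriveLetter.ToUpper()):\"
    if ($root -eq "$env:SystemDrive\") {
        throw "Refusing to add a deny rule on the system drive."
    }

    $drive = New-Object System.IO.DriveInfo $DriveLetter
    if (-not $drive.IsReady) { throw "$root is not ready (no media?)." }
    # A deny entry needs a file system with ACLs; removable FAT32/exFAT/CDFS
    # media have none, so the restriction cannot be expressed there.
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "$root is $($drive.DriveFormat), not NTFS; no ACL can be set."
    }

    # Deny Full Control, inherited by all subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl = Get-Acl -LiteralPath $root
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($root, "Deny FullControl to $Account")) {
        Set-Acl -LiteralPath $root -AclObject $acl
    }

    # List the deny entries now present so the change can be verified.
    (Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

# Dry run first; remove -WhatIf to apply.
Add-DriveDenyRule -Account "$env:COMPUTERNAME\limiteduser" -DriveLetter D -WhatIf
```

Deny entries take precedence over allow entries, so apply the rule to the single limited account rather than to a group that an administrator account also belongs to.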