Windows policy settings: overriding machine settings for specific user

0

I want to use a Windows policy setting to limit access to removable media.

This can be done by setting

[HKEY_USERS\<uid>\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]
"Deny_All"=dword:00000001

for limiting a specific user

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]
"Deny_All"=dword:00000001

for all users on the machine.

I'm looking for a method to limit all users, with the exception of one specific local user. However, the limitation appears to be additive - there is no way (that I know of) to define an exception for a specific user.

Is there some kind of alternative?

Ophir Yoktan

Posted 2011-06-24T16:02:23.467

Reputation: 230

Answers

0

This is confusing: "the limitation appears to be additive - there is no way (that I know of) to define an exception for a specific user." I am not sure what you mean because you should be able to define exceptions.

Log in as the user, and set his specific HKEY_CURRENT_USER registry entry to allow him to access USB devices by turning off the entry. If he is not an admin, this registry entry will not save, so you will have to either give him admin rights, even if only while you make the change (log out and log back in if you do make him an admin), or log in as an administrator, and find his hive under HKEY_USERS and change it there as an admin.

You will need to set all the others who currently have profiles to not allow it.

Now, to set it for all future users, navigate to

HKEY_USERS\.DEFAULT\Software\Policies\Microsoft

The key structure probably ends here, so add the rest, including the "Deny_All" DWORD value. Any new users logging in will get that setting.

KCotreau

Posted 2011-06-24T16:02:23.467

Reputation: 24 985

Disabling removable media access at the machine level (in HKEY_LOCAL_MACHINE) and allowing removable media access for a specific user doesn't work. Blocking each other user does work, but it's problematic with domain users (there might be many users in the domain). – Ophir Yoktan – 2011-06-24T20:22:30.520

@Ophir Yoktan I never said do it for HKLM... do it all for each current user with the appropriate permission, then set it up so any future users get the default profile, with the permission denied. – KCotreau – 2011-06-24T22:17:54.473
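
The per-user approach from the answer above, scripted as an added example (not code from the original post or its authors): it writes Deny_All under every user hive currently loaded in HKEY_USERS and leaves one exempt account allowed. The account name `ExemptUser` is a hypothetical placeholder, and the script assumes an elevated PowerShell session.

```powershell
# Added example: set the per-user removable-storage policy for every user hive
# loaded under HKEY_USERS, except one exempt account. Run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical placeholder account; replace with the real local user.
    [string]$ExemptAccount = "$env:COMPUTERNAME\ExemptUser"
)

$subKey = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Resolve the exempt account to its SID (the <uid> in the question's key path).
$account   = New-Object System.Security.Principal.NTAccount($ExemptAccount)
$exemptSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Only hives of logged-on users are loaded under HKEY_USERS; profiles that are
# not loaded (NTUSER.DAT on disk) are not touched by this script.
$results = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $sid = $hive.PSChildName
    # Keep real user accounts; skip .DEFAULT, service SIDs and *_Classes hives.
    if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }

    $path   = "Registry::HKEY_USERS\$sid\$subKey"
    $exempt = ($sid -eq $exemptSid)
    $value  = if ($exempt) { 0 } else { 1 }

    if ($PSCmdlet.ShouldProcess($path, "Set Deny_All=$value")) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -Path $path -Name 'Deny_All' -Value $value `
            -PropertyType DWord -Force | Out-Null
    }
    [pscustomobject]@{ Sid = $sid; Deny_All = $value; Exempt = $exempt }
}

# The asker reports that a machine-wide deny is not overridden by a per-user
# allow, so flag it if it is present.
$machine = Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\$subKey" `
    -Name 'Deny_All' -ErrorAction SilentlyContinue
if ($machine -and $machine.Deny_All -eq 1) {
    Write-Warning 'Deny_All=1 is set under HKEY_LOCAL_MACHINE (applies to all users).'
}

$results | Format-Table -AutoSize
```

Running it with `-WhatIf` first lists the keys that would be changed without writing anything.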