0

I have a very simple task. I need to block access to removable media (CD, DVD, floppy, USB drives etc.) on a Windows 2008 R2 Terminal Server for users and allow it for admins.

I tried to enable the following policy in GPO:

User Configuration/Administrative Templates/System/Removable Storage Access

All Removable Storage classes: Deny all access = Enabled

But it did not work. I tried different physical and virtual 2008 servers with the same result. It works on Windows 7 but not on Windows 2008.

Has anyone had success with this parameter on Windows 2008?

Thank you

ServerFaulter
test1839

2 Answers

1

Configure the same policy in the Computer Configuration section. The User Configuration setting is inconsequential because the Computer Configuration policy overrides.

Link the GPO to the OU where the terminal server resides. Then configure Security Filtering to apply the settings in the GPO to the users/groups/computers you need (i.e. your users and terminal server).

Volodymyr Molodets
  • If I put this in Computer policies, it will be applied to all users including administrators. I want administrators to be able to have access to DVD. I am not sure that security filtering on computer policies will have effect on user groups. – test1839 Nov 21 '12 at 15:12
  • That's the point, with Security Filtering you can apply settings ONLY to the users/groups/computers you need. – Volodymyr Molodets Nov 21 '12 at 15:26
  • Not sure I understand. If the parameter is set in the Computer policy it will apply to computer objects only and won't apply to user profiles. So if I do as you recommend, I will get the policy applied to the whole computer, which will block the access for all users including admins, which I do not want. – test1839 Nov 22 '12 at 00:07
  • Yes, seems like you are right. I thought there is an exception for Computer Settings, like there's for User Settings (i.e. [loopback processing](http://support.microsoft.com/kb/231287), if user needs to have policies applied based on the location of the computer). – Volodymyr Molodets Nov 22 '12 at 11:02
  • Perhaps a logon script which will disable access to removable devices is what you need. – Volodymyr Molodets Nov 22 '12 at 11:29
0

Contacted Microsoft. They confirmed that this is "undocumented behavior". So this policy is not working "by design" on W2K8 Terminal Server if applied via User GPO.

test1839