17

I created a limited user account and want to restrict USB and CD drive access using group policy settings. Hence I want to use gpedit.msc to enforce restrictions on the limited account and disable access to USB and CD drive, and prevent the limited account from modifying those changes. How can I achieve this without restricting any other accounts?

4 Answers

19

In Windows Vista and later you can apply policies only to a specific account, but you have to load the group policy object editor from the Microsoft Management Console, not by opening the snapin directly.

  1. Open mmc.exe
  2. When the MMC console opens, click "File" -> "Add/remove snapin"
  3. Select "Group Policy Object Editor" and click the "Add >" button
  4. In the dialog which appears, click "Browse".
  5. Click the "users" tab and select a user.
  6. Click "OK", then "Finish", then "OK" again

You will now have a group policy user object for the selected user. Apply whatever restrictions you want. You may be interested in checking out "Hide these specified drives in My Computer" in User Configuration > Administrative Templates > Windows Components > Windows Explorer.

5
  • @nhinkle What if I wanted to apply the same policies to more than one user on a non-domain Win7? Is there a way to copy them?
    – AJaM
    Commented Aug 15, 2011 at 12:21
  • @AJaM I am not aware of a way to copy them. Unfortunately, you'd have to do it for each individual computer.
    – nhinkle
    Commented Aug 15, 2011 at 16:09
  • 2
    Makes me sad how hidden this is. Took me a while to find a solution and I finally came across your answer. It's great, thank you!
    Commented Aug 30, 2011 at 19:24
  • @nhinkle, Why is it different when we open it in mmc? What's the reason for that?
    – Pacerier
    Commented Mar 19, 2015 at 14:11
  • 1
    @Pacerier if you don't open it through mmc, it'll apply the policies to the whole computer. When you open through mmc, you can choose whether to only apply them to a certain account.
    – nhinkle
    Commented Mar 19, 2015 at 16:52
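
To confirm that the restrictions landed on the intended account only, the following added example (not part of the answer above) lists the user-specific local GPOs on a machine. It relies on Windows storing them under %SystemRoot%\System32\GroupPolicyUsers, one hidden folder per SID; the function name is hypothetical.

```powershell
# Added example: list accounts that have a user-specific local GPO.
# Run from an elevated session; the folder is hidden and admin-readable.
function Get-PerUserLocalGpo {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\GroupPolicyUsers')
    )
    # No folder means no user-specific local GPO has ever been created.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    Get-ChildItem -LiteralPath $Path -Directory -Force | ForEach-Object {
        $sidText = $_.Name
        try {
            # Folder names are SIDs; translate them back to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved or deleted account>'
        }
        # User-side settings are written to User\Registry.pol inside the folder.
        $pol = Join-Path $_.FullName 'User\Registry.pol'
        $exists = Test-Path -LiteralPath $pol
        $modified = if ($exists) { (Get-Item -LiteralPath $pol -Force).LastWriteTime }
        [pscustomobject]@{
            Sid           = $sidText
            Account       = $account
            HasUserPolicy = $exists
            LastModified  = $modified
        }
    }
}

Get-PerUserLocalGpo | Format-Table -AutoSize
```

An entry for S-1-5-32-544 or S-1-5-32-545 means a policy was attached to the built-in Administrators or Users group rather than to a single user.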
2

You would have to make these group policy changes from an administrator account, not from the limited account.

4
  • Tried that but it applies to all accounts, how do I make changes to just the limited account?
    – rzlines
    Commented Apr 23, 2010 at 16:59
  • Correct me if I'm wrong, but isn't the group policy item to disable USB access in the Machine configuration? If that's the case, it doesn't matter which account you make the change under, it will affect all users of the computer.
    – dsolimano
    Commented Apr 23, 2010 at 20:06
  • Oh! If that is the case, how do I restrict a limited user account? I don't want to limit the admin account, just the user account is all that I want to restrict
    – rzlines
    Commented Apr 24, 2010 at 13:56
  • @Rogue, I posted below about the USB devices. I'll think some more about the CD drives and edit when I figure something out. I feel like I'm missing something obvious here.
    – dsolimano
    Commented Apr 25, 2010 at 1:57
1

For restricting access to USB devices, Microsoft has a KB article about denying permission to certain files - http://support.microsoft.com/kb/823732. You might need to leave SYSTEM with access to the files for the other accounts, some trial and error is in order.

EDIT-

There seems to be some fairly affordable third party software that does what you're looking for, but I've not tested it myself. http://www.devicelock.com/

0

(I post "an answer" because I have not enough reputation to comment above. However, this information is important.)

Tested: Windows 8.1

The answer given by nhinkle above works well. However, it does not prevent you from opening a command prompt and navigating to the drives manually. Starting a JPG file on the other drive opens the image viewer.

You can disable the command prompt via "User Configuration\Administrative Templates\System", but I haven't found a way using the MMC to allow the command prompt while restricting it from navigating around.

There is a workaround, by accessing the "Security" "Properties" (right click) of the drive/root folder(s) (like D:), adding a dedicated line for the user account in question and checking "Refused" "[x] Total Control" (might be labeled differently, I use a non-EN Windows version).

2
  • This is really a comment and not an answer to the original question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient reputation you will be able to comment on any post.
    – DavidPostill
    Commented Oct 11, 2015 at 14:33
  • As I said, I'm aware of this. And this is not a critique nor a request. It's additional information that I judged important to know. My systems are fine, but it would be too bad if people using the method above would think being in security while they aren't. If you judge this information not worth keeping in "the wrong place", feel free to remove it.
    – Imifos
    Commented Oct 12, 2015 at 15:33
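
The deny entry described in the last answer and the file-permission approach in the linked KB article both come down to adding a Deny ACE for one account. An added example (not from any of the posts) follows; the function name, account and path are hypothetical, and it assumes an elevated session.

```powershell
# Added example: deny one account access to a drive root or file via a Deny ACE.
# Function name, account and path are hypothetical. Run from an elevated session.
# Usage: Add-DenyForUser -Account 'PC01\limited' -Path 'D:\' -WhatIf
function Add-DenyForUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Account,   # placeholder, e.g. 'PC01\limited'
        [Parameter(Mandatory)][string]$Path       # placeholder, e.g. 'D:\'
    )

    # Resolve the name to a SID so a mistyped account fails here, not silently later.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Never deny SYSTEM, Administrators or Everyone: Deny wins over Allow and
    # would lock out every other account as well.
    if ($sid.Value -in 'S-1-5-18', 'S-1-5-32-544', 'S-1-1-0') {
        throw "Refusing to add a Deny entry for $Account"
    }

    # ACLs only exist on NTFS/ReFS; FAT32/exFAT sticks and optical media have none.
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $fs = (New-Object System.IO.DriveInfo($root)).DriveFormat
    if ($fs -notin 'NTFS', 'ReFS') { throw "$root is $fs; there is no ACL to set" }

    # Folders pass the entry down to everything below; files take it alone.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Deny FullControl to $Account")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    # Return the Deny entries now on the object so the result can be checked.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' }
}
```

Run it with -WhatIf first to see which object would be changed. The file-system check matters for removable media: a stick formatted FAT32 or exFAT carries no ACLs, so the function refuses it rather than reporting a restriction that does not exist.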
