Windows 7 / Networking

Removable Storage Access

Windows Server 2008 R2, Windows Vista, and Windows 7 group policies provide several settings that can be used to control how removable devices and removable storage can be used. Some of these settings apply to CD and DVD drives and media, but many are designed to control the read and write permission to removable disks such as external USB drives and memory sticks. These settings can be configured in a computer group policy but can also be configured in the User Configuration node to deny write access to removable media. The settings are located in User Configuration\Policies\Administrative Templates\System\Removable Storage Access.

Managing Microsoft Management Console Access

Microsoft has standardized the deployment of management and configuration tools to use Microsoft Management Console (MMC) snap-ins. By default, all users can open a blank MMC and add snap-ins to the console. The snap-ins loaded on a particular machine are the only ones that can be added. Having access to each snap-in can unnecessarily expose configuration information to undesired individuals. Also, depending on the function of the snap-in, functions might be available to standard users that can impact the performance of production systems. For example, a user can add the Active Directory Users and Computers snap-in to an MMC console and can then create queries that run against the domain controller, causing unnecessary load on the system. To restrict access to the MMC or specific MMC snap-ins using domain group policies, perform the following steps:

  1. Log on to a designated Windows Server 2008 R2 administrative server.
  2. Open the Group Policy Management Console from the Administrative Tools menu.
  3. Add the necessary domains to the GPMC as required.
  4. Expand the Domains node to reveal the Group Policy Objects container.
  5. Either create a new GPO or edit an existing GPO.
  6. After the GPO is opened for editing in the Group Policy Management Editor, expand the User Configuration node, expand the Policies node, and select Administrative Templates.
  7. Expand the Administrative Templates node and select Windows Components.
  8. Scroll down and select Microsoft Management Console in the tree pane. Expand this node to reveal the Restricted/Permitted Snap-Ins node and select it.
  9. With the Restricted/Permitted Snap-Ins node selected in the tree pane, a list of wellknown snap-ins is displayed in the Settings pane. Select and open the Active Directory Users and Computers snap-in. Configure the setting to Disabled to block the use of this snap-in for the users to whom this policy will apply and click OK.
  10. After the snap-in is disabled, close the policy and link it to the desired OU that contains the users who need to be restricted from using the disabled snap-in.
[Previous] [Contents] [Next]

In this tutorial:

  1. Group Policy Management for Network Client
  2. Windows Group Policies
  3. Domain Group Policies
  4. Group Policy Feature Set
  5. User Configuration Policy Node
  6. Planning Workgroup and Standalone Local Group Policy Configuration
  7. Planning Domain Group Policy Objects
  8. Domain GPOs
  9. Active Directory Site GPOs
  10. Managing Computers with Domain Policies
  11. Managing User Account Control Settings
  12. Creating a Software Restriction Policy
  13. Creating Application Control Policies (AppLocker)
  14. Deploying Printers Windows Server 2008
  15. Mapping Drives Using Preferences User Drive Maps Extension
  16. Configuring Basic Firewall Settings with Group Policy
  17. Configuring Windows Update Settings
  18. Configuring Power Options Using Domain Policies
  19. Managing Users with Policies
  20. Configuring Folder Redirection
  21. Removable Storage Access
  22. Managing Active Directory with Policies
  23. Configuring Restricted Groups for Domain Security Groups
  24. Extending Group Policy Functionality
  25. Synchronous Foreground Refresh
  26. GPO Modeling and GPO Results in the GPMC
  27. Managing Group Policy from Administrative or Remote Workstations