Removable Storage Access
Windows Server 2008 R2, Windows Vista, and Windows 7 group policies provide several settings that can be used to control how removable devices and removable storage can be used. Some of these settings apply to CD and DVD drives and media, but many are designed to control the read and write permission to removable disks such as external USB drives and memory sticks. These settings can be configured in a computer group policy but can also be configured in the User Configuration node to deny write access to removable media. The settings are located in User Configuration\Policies\Administrative Templates\System\Removable Storage Access.
Managing Microsoft Management Console Access
Microsoft has standardized the deployment of management and configuration tools to use Microsoft Management Console (MMC) snap-ins. By default, all users can open a blank MMC and add snap-ins to the console. Only the snap-ins loaded on a particular machine can be added. Access to every snap-in can unnecessarily expose configuration information to users who should not see it. Also, depending on the function of the snap-in, standard users might gain access to functions that can impact the performance of production systems. For example, a user can add the Active Directory Users and Computers snap-in to an MMC console and can then create queries that run against the domain controller, causing unnecessary load on the system. To restrict access to the MMC or specific MMC snap-ins using domain group policies, perform the following steps:
- Log on to a designated Windows Server 2008 R2 administrative server.
- Open the Group Policy Management Console from the Administrative Tools menu.
- Add the necessary domains to the GPMC as required.
- Expand the Domains node to reveal the Group Policy Objects container.
- Either create a new GPO or edit an existing GPO.
- After the GPO is opened for editing in the Group Policy Management Editor, expand the User Configuration node, expand the Policies node, and select Administrative Templates.
- Expand the Administrative Templates node and select Windows Components.
- Scroll down and select Microsoft Management Console in the tree pane. Expand this node to reveal the Restricted/Permitted Snap-Ins node and select it.
- With the Restricted/Permitted Snap-Ins node selected in the tree pane, a list of well-known snap-ins is displayed in the Settings pane. Select and open the Active Directory Users and Computers snap-in. Configure the setting to Disabled to block the use of this snap-in for the users to whom this policy will apply and click OK.
- After the snap-in is disabled, close the policy and link it to the desired OU that contains the users who need to be restricted from using the disabled snap-in.
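The steps above can also be scripted with the GroupPolicy PowerShell module that ships with Windows Server 2008 R2. The following is an added example, not part of the original tutorial: the GPO name and OU path are hypothetical placeholders, and the snap-in CLSID and Restrict_Run value are assumptions about how the Administrative Template stores this setting, to be confirmed against mmcsnapins.admx on your system.

```powershell
# Added example: scripted equivalent of the GPMC steps above.
Import-Module GroupPolicy

$GpoName  = 'Restrict-ADUC-Snapin'                  # hypothetical GPO name
$TargetOu = 'OU=Standard Users,DC=example,DC=com'   # hypothetical OU holding the restricted users

# Assumption: CLSID the Restricted/Permitted Snap-Ins template uses for
# Active Directory Users and Computers (verify in mmcsnapins.admx).
$SnapInClsid = '{E355E538-1C2E-11D0-8C37-00C04FD8FE93}'
$Key         = "HKCU\Software\Policies\Microsoft\MMC\$SnapInClsid"

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks the ADUC snap-in for standard users'
}

# Assumption: "Disabled" in the editor is stored as Restrict_Run = 1 (snap-in blocked).
# HKCU places the value in the User Configuration half of the GPO.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Restrict_Run' `
    -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU unless a link is already present.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the setting and the link back so the change is verified, not assumed.
$setting = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Restrict_Run'
$link    = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }

New-Object PSObject -Property @{
    Gpo         = $GpoName
    RestrictRun = $setting.Value       # expected: 1
    LinkedTo    = $TargetOu
    LinkEnabled = $link.Enabled        # expected: True
    UserEnabled = $gpo.User.Enabled    # user half of the GPO must be enabled
}
```

Run Get-GPOReport -Name against the same GPO afterward and confirm the setting appears under User Configuration as Active Directory Users and Computers: Disabled; if it is listed under extra registry settings instead, the CLSID assumption does not match your templates.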