I created a limited user account and want to restrict USB and CD drive access using group policy settings. Hence I want to use gpedit.msc to enforce restrictions on the limited account and disable access to USB and CD drive, and prevent the limited account from modifying those changes. How can I achieve this without restricting any other accounts?
4 Answers
In Windows Vista and later you can apply policies only to a specific account, but you have to load the group policy object editor from the Microsoft Management Console, not by opening the snap-in directly.
- Open mmc.exe
- When the MMC console opens, click "File" -> "Add/Remove Snap-in"
- Select "Group Policy Object Editor" and click the "Add >" button
- In the dialog which appears, click "Browse".
- Click the "users" tab and select a user.
- Click "OK", then "Finish", then "OK" again
You will now have a group policy user object for the selected user. Apply whatever restrictions you want. You may be interested in checking out "Hide these specified drives in My Computer" in User Configuration > Administrative Templates > Windows Components > Windows Explorer.
You would have to make these group policy changes from an administrator account, not from the limited account.
For restricting access to USB devices, Microsoft has a KB article about denying permission to certain files - http://support.microsoft.com/kb/823732. You might need to leave SYSTEM with access to the files for the other accounts, some trial and error is in order.
EDIT-
There seems to be some fairly affordable third party software that does what you're looking for, but I've not tested it myself. http://www.devicelock.com/
(I post "an answer" because I have not enough reputation to comment above. However, this information is important.)
Tested: Windows 8.1
The answer given by nhinkle above works well. However, it does not prevent you from opening a command prompt and navigating to the drives manually. Starting a JPG file on the other drive opens the image viewer.
You can disable the command prompt via "User Configuration\Administrative Templates\System", but I haven't found a way using the MMC to allow the command prompt while restricting it from navigating around.
There is a workaround, by accessing the "Security" "Properties" (right click) of the drive/root folder(s) (like D:), adding a dedicated line for the user account in question and checking "Refused" "[x] Total Control" (might be labeled differently, I use a non-EN Windows version).
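The deny-entry workaround from the last answer can be scripted; the following PowerShell is an added example, not code from any of the answers. The account name and drive letter are placeholders, and it assumes an elevated administrator session on Windows 8 or later (for `Get-Volume`). ACLs exist only on NTFS volumes, so the script reports and skips FAT32/exFAT USB sticks and CD/DVD media, where the policy or driver-file approaches from the other answers are still needed.

```powershell
#Requires -RunAsAdministrator
# Added example: per-user Deny ACE on drive roots, limited to one account.
param(
    [string]   $Account     = 'PC01\limiteduser',  # placeholder account name
    [string[]] $DriveLetter = @('D')               # placeholder drive letter(s)
)

foreach ($letter in $DriveLetter) {
    $root = "${letter}:\"
    $vol  = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue

    if (-not $vol) {
        Write-Warning "${root} has no mounted volume; skipped."
        continue
    }

    # A Deny entry can only be stored where the file system keeps ACLs.
    if ($vol.FileSystem -ne 'NTFS') {
        Write-Warning ("${root} uses file system '$($vol.FileSystem)' " +
                       "($($vol.DriveType)); no ACL can be set here.")
        continue
    }

    # (OI)(CI) = inherit to files and subfolders, F = full control.
    & icacls.exe $root /deny "${Account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "icacls failed on ${root} (exit code $LASTEXITCODE)."
        continue
    }

    # List the Deny entries now on the root so the change can be checked.
    (Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{n='Drive'; e={$root}}, IdentityReference,
                      FileSystemRights, InheritanceFlags
}

# To undo for one drive:  icacls D:\ /remove:d 'PC01\limiteduser'
```

Because the entry names a single account, other users keep their existing access to the same volume.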