
I have disabled the use of removable media for non-administrator users by using the MMC console to apply a local policy and setting Removable Disks: Deny read access for non-administrators.

I'd like to set this policy using a PowerShell command or script, instead of using an MMC console.

Is that possible? How could I achieve it then?

Is it possible to apply a policy to a specific user group, not just administrators/non-administrators?

anderZubi
  • This policy is either enabled or disabled. So if it's enabled it will affect all users. The registry key responsible for it being enabled or disabled is `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Read` with a `1` enabled and `0` disabled. *Have you tried setting that registry key with your PowerShell script?* - As for the other part of your question, is this machine connected to an AD domain? – Ramhound Jan 19 '23 at 15:13
  • @Ramhound The computer is not connected to any domain. Using the MMC console I have been able to set the policy to non-administrators (I added an image to the question). – anderZubi Jan 19 '23 at 15:30
  • Look over and test this method listed here: https://www.windowscentral.com/how-apply-local-group-policy-settings-specific-users-windows-10. I would suggest Group Policy Preferences with conditional rules, but you are not domain joined. I've never done it this way per that post, but it looks promising. I have used and wrapped conditional logic of LGPO using PowerShell and script before as listed here for example: https://superuser.com/questions/1596432/apply-local-group-policy-objects-to-custom-user-group/1598364#1598364 in case this helps for another starting point. – Vomit IT - Chunky Mess Style Jan 19 '23 at 15:36
  • @VomitIT-ChunkyMessStyle Actually, what I have done is exactly what is mentioned in your first link. I just wanted to automate it using PowerShell. I'm afraid there is no one-time solution using PowerShell and I should go the way in your second link, that would imply executing the script at least every time a new user logs in. – anderZubi Jan 19 '23 at 15:47
  • I would look over that section in the second link labeled "**An Alteration—Startup Script (Bonus OP Material)**" and see if you can work that one out running that way. Most of this is just trivial and may take some trial and error to confirm it works 100% for your environment but I think that's a good starting point. Please see that caveat regarding new user profiles where, post first login/profile creation, it takes a subsequent reboot just that one time only to ensure those policies are effective for the newly created user profiles/first logon. – Vomit IT - Chunky Mess Style Jan 19 '23 at 16:32
  • @anderZubi - The only reason that policy is not affecting an Administrator is because you applied it at the user level instead of the machine level. The location of the policy at the user level is in the same relative location within the HKEY_LOCAL_USER registry hive. – Ramhound Jan 19 '23 at 16:55
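
The registry approach from the comments, written out as an added PowerShell example; it is not code from the question or from any commenter. It writes the `Deny_Read` value quoted above either machine-wide or into the already-loaded user hive of each member of a local group. The group name `RestrictedUsers` and both function names are hypothetical. Values written this way are not recorded in the local Group Policy object, so the MMC editor will not show them.

```powershell
#Requires -RunAsAdministrator
# Added example. The policy subkey and value name are the ones quoted in the comments above.
$SubKey = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableDiskDenyRead {
    param(
        # 'HKEY_LOCAL_MACHINE' for machine scope, or 'HKEY_USERS\<SID>' for one user
        [Parameter(Mandatory)][string]$HiveRoot,
        [bool]$Enabled = $true
    )
    $path = "Registry::$HiveRoot\$SubKey"
    # Create the key only when missing, so values already under it are preserved
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # 1 = deny read access, 0 = allow; -Force overwrites an existing value
    New-ItemProperty -LiteralPath $path -Name 'Deny_Read' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    # Read the value back so the caller can confirm what is now in effect
    (Get-ItemProperty -LiteralPath $path -Name 'Deny_Read').Deny_Read
}

function Set-DenyReadForLocalGroup {
    param(
        [Parameter(Mandatory)][string]$Group,
        [bool]$Enabled = $true
    )
    $members = Get-LocalGroupMember -Group $Group | Where-Object ObjectClass -eq 'User'
    foreach ($m in $members) {
        $sid = $m.SID.Value
        # A user hive is mounted under HKEY_USERS only while its profile is loaded.
        # Accounts reported as 'hive not loaded' must be handled at their next logon,
        # for example by running this script from a logon or startup task.
        if (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid") {
            $state = Set-RemovableDiskDenyRead -HiveRoot "HKEY_USERS\$sid" -Enabled $Enabled
        } else {
            $state = 'hive not loaded'
        }
        [pscustomobject]@{ User = $m.Name; SID = $sid; Deny_Read = $state }
    }
}

# Machine scope (every account, administrators included):
#   Set-RemovableDiskDenyRead -HiveRoot 'HKEY_LOCAL_MACHINE'
# User scope for the members of a hypothetical local group:
Set-DenyReadForLocalGroup -Group 'RestrictedUsers'
```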

0 Answers