Dear All,
I have problem with my GPO application on user OU.
I want to block access to USB removable storage and CDROM drive to all authenticated users, but it is not working.
Getting result from client by using command gpresult /v:
PS C:\Users\SOPHEA.CHHUN> gpresult /v
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2013 Microsoft Corporation. All rights reserved.
Created on 11/02/2016 at 1:29:46 PM
RSOP data for ADCPBANK\SOPHEA.CHHUN on IT006 : Logging Mode
------------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 6.3.9600
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\SOPHEA.CHHUN
Connected over a slow link?: No
USER SETTINGS
--------------
CN=SOPHEA CHHUN,OU=CPB-HO-Users,OU=CPB-Users,DC=xxxx,DC=com
Last time Group Policy was applied: 11/02/2016 at 12:40:52 PM
Group Policy was applied from: xxxx.xxxxx.com
Group Policy slow link threshold: 500 kbps
Domain Name: xxxxx
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
Block Command Prompt
Block USB-CDROM
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
INFRA GROUP
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Users
Organization Management
VPN Group
HO-IT-NSD-Users
All CPB Head Office User
HO-IT-Users
Head Office-Users
CPB Recipient Management
G_HEADOFFICE
DnsAdmins
G_IT
G_IT_INF
G_HEAD_UNIT
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Block USB-CDROM
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B1
08AE}\Deny_Write
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://10.18.1.39:9095/Browse
rWebCpb
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46,
0, 49, 0, 46, 0, 51, 0, 57, 0, 58, 0, 57, 0, 48, 0, 57, 0, 53, 0, 47, 0, 66, 0, 114, 0, 111, 0, 119, 0, 115, 0, 101, 0,
114, 0, 87, 0, 101, 0, 98, 0, 67, 0, 112, 0, 98, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Restrictions\RestrictPopupExceptionList
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
State: disabled
GPO: Block Command Prompt
Folder Id: Software\Policies\Microsoft\Windows\System\DisableCMD
Value: 2, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\HideLegacyLogonScripts
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\10.18.1.39
Value: 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46, 0, 49, 0, 46, 0, 51, 0, 57, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
Value: 49, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\Start Page
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 105, 0, 110, 0, 101, 0, 116, 0, 46, 0,
97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Suggested Sites\Enabled
Value: 0, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\Use FormSuggest
Value: 110, 0, 111, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
Value: 49, 0, 0, 0
State: Enabled
GPO: Block USB-CDROM
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D
4F33}\Deny_Write
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\adcpbank.com
Value: 97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0
, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://10.18.9.5
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46,
0, 57, 0, 46, 0, 53, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\ListBox_Support_Allow
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\AlwaysShowMenus
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
Value: 110, 0, 111, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\FormSuggest Passwords
Value: 110, 0, 111, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\PowerShell\EnableScripts
Value: 0, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Value: 255, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy
Value: 1, 0, 0, 0
State: Enabled
GPO: Block USB-CDROM
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91e
fb8b}\Deny_Read
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\10.18.9.5
Value: 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46, 0, 57, 0, 46, 0, 53, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings
Value: 1, 0, 0, 0
State: Enabled
GPO: Block USB-CDROM
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B1
08AE}\Deny_Read
Value: 1, 0, 0, 0
State: Enabled
GPO: Block USB-CDROM
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91e
fb8b}\Deny_Write
Value: 1, 0, 0, 0
State: Enabled
GPO: Block USB-CDROM
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D
4F33}\Deny_Read
Value: 1, 0, 0, 0
State: Enabled
GPO: Block USB-CDROM
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
Value: 49, 0, 56, 0, 48, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://inet.adcpbank.com
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 105, 0, 110, 0, 101, 0, 116, 0, 46, 0,
97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
State: Enabled
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
----------------------------------------
N/A
Internet Explorer Connection
----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
PS C:\Users\SOPHEA.CHHUN>
However, user still can access USB and CDROM.
Do i miss something?
Thanks and kind regards,
Mr. Sophea Chhun
