none
Group Policy on user administrative template is not working

    Question

  • Dear All,

    I have problem with my GPO application on user OU.

    I want to block access to USB removable storage and CDROM drive to all authenticated users, but it is not working.

    Getting result from client by using command gpresult /v:

    PS C:\Users\SOPHEA.CHHUN> gpresult /v

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    © 2013 Microsoft Corporation. All rights reserved.

    Created on 11/02/2016 at 1:29:46 PM


    RSOP data for ADCPBANK\SOPHEA.CHHUN on IT006 : Logging Mode
    ------------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.3.9600
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\SOPHEA.CHHUN
    Connected over a slow link?: No


    USER SETTINGS
    --------------
        CN=SOPHEA CHHUN,OU=CPB-HO-Users,OU=CPB-Users,DC=xxxx,DC=com
        Last time Group Policy was applied: 11/02/2016 at 12:40:52 PM
        Group Policy was applied from:      xxxx.xxxxx.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        xxxxx
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            Block Command Prompt
            Block USB-CDROM
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            INFRA GROUP
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Users
            Organization Management
            VPN Group
            HO-IT-NSD-Users
            All CPB Head Office User
            HO-IT-Users
            Head Office-Users
            CPB Recipient Management
            G_HEADOFFICE
            DnsAdmins
            G_IT
            G_IT_INF
            G_HEAD_UNIT
            High Mandatory Level

        The user has the following security privileges
        ----------------------------------------------


        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B1
    08AE}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://10.18.1.39:9095/Browse
    rWebCpb
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46,
     0, 49, 0, 46, 0, 51, 0, 57, 0, 58, 0, 57, 0, 48, 0, 57, 0, 53, 0, 47, 0, 66, 0, 114, 0, 111, 0, 119, 0, 115, 0, 101, 0,
     114, 0, 87, 0, 101, 0, 98, 0, 67, 0, 112, 0, 98, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Restrictions\RestrictPopupExceptionList
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
                    State:       disabled

                GPO: Block Command Prompt
                    Folder Id: Software\Policies\Microsoft\Windows\System\DisableCMD
                    Value:       2, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\HideLegacyLogonScripts
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\10.18.1.39
                    Value:       49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46, 0, 49, 0, 46, 0, 51, 0, 57, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
                    Value:       49, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\Start Page
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 105, 0, 110, 0, 101, 0, 116, 0, 46, 0,
     97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Suggested Sites\Enabled
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\RunLogonScriptSync
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\Use FormSuggest
                    Value:       110, 0, 111, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
                    Value:       49, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D
    4F33}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\adcpbank.com
                    Value:       97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0
    , 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://10.18.9.5
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46,
     0, 57, 0, 46, 0, 53, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\ListBox_Support_Allow
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\AlwaysShowMenus
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
                    Value:       110, 0, 111, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Main\FormSuggest Passwords
                    Value:       110, 0, 111, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\PowerShell\EnableScripts
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
                    Value:       255, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91e
    fb8b}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\10.18.9.5
                    Value:       49, 0, 48, 0, 46, 0, 49, 0, 56, 0, 46, 0, 57, 0, 46, 0, 53, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{F33FDC04-D1AC-4E8E-9A30-19BBD4B1
    08AE}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91e
    fb8b}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D
    4F33}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Block USB-CDROM
                    Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
                    Value:       49, 0, 56, 0, 48, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    Folder Id: Software\Policies\Microsoft\Internet Explorer\New Windows\Allow\http://inet.adcpbank.com
                    Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 105, 0, 110, 0, 101, 0, 116, 0, 46, 0,
     97, 0, 100, 0, 99, 0, 112, 0, 98, 0, 97, 0, 110, 0, 107, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
                    State:       Enabled

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A
    PS C:\Users\SOPHEA.CHHUN>

    However, user still can access USB and CDROM.

    Do i miss something?

    Thanks and kind regards,


    Mr. Sophea Chhun

    • Moved by Just KarlModerator Thursday, February 11, 2016 4:40 PM Looking for the correct forum.
    Thursday, February 11, 2016 6:33 AM

Answers

All replies

  • Hello,

    The 'Academic Initiatives - Technical Queries' forum is for posts Related to technical / coding / programming related issues as related to Microsoft's Academic Initiatives.

    As it's off-topic here, I am moving the question to the Where is the forum for... forum.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

    Thursday, February 11, 2016 4:38 PM
    Moderator
  • Hello,

    I'd ask in the Windows Server Group Policy forum.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

    Thursday, February 11, 2016 4:40 PM
    Moderator
  • Dear All,

    Any one here could help me as it is urgent case for me.

    Thanks and regards,


    Mr. Sophea Chhun

    Friday, February 12, 2016 8:26 AM
  • Hi,

    This is the 'Where Is' forum where we suggest appropriate forums for questions. You'll need to repost your issue in the forum that Karl has linked to above for further assistance.

    Good luck.


    Friday, February 12, 2016 1:43 PM
  • Any one here could help me as it is urgent case for me.

    And if it is urgent then you may want to call it in to product support. These forums provide peer level support so no guarantee of urgency.

    https://support.microsoft.com/en-us/assistedsupportproducts

     

     

     


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.



    Friday, February 12, 2016 2:31 PM
    Moderator
  • I got it, thanks you for update :-)

    Mr. Sophea Chhun

    Saturday, February 13, 2016 7:57 AM