Allow USB Storage for Some Users and Deny for Others in Windows Server 2022
Need to allow pen drives and external USB storage for some users, but block them for others? Here is the clean step-by-step method for Windows Server 2022 Standard using Group Policy.
Important First Point
This method controls USB storage devices such as pen drives and external hard disks. It does not block normal USB devices like keyboards and mice.
Best Practice Summary
The safest setup is to create a security group for users who must be blocked, apply a user-based Group Policy, and use loopback processing when the rule must apply only on a specific server.
Use This Method When
- The server is domain-joined
- Users log in with Active Directory accounts
- You want the policy to apply on this server only
Before You Start
- Log in with Domain Admin or delegated Group Policy permissions
- Confirm the target users are Active Directory users
- Identify the OU that contains the server computer object
- Identify the OU that contains the user accounts
- Keep one test user for blocked access and one for allowed access
Step 1: Create a Security Group for Blocked Users
- Open Active Directory Users and Computers
- Create a new group named USB_Deny_Users
- Set:
- Group Scope: Global
- Group Type: Security
- Add only the users who must be blocked from USB storage
Users who must be allowed should not be members of this deny group.
Step 2: Create the User GPO
- Open Group Policy Management by running gpmc.msc
- Go to the OU where the target user accounts are located
- Create a new GPO named USB Storage - Deny for Selected Users
- Right-click the GPO and click Edit
Step 3: Configure the USB Storage Restriction
Go to the following path:
User Configuration
→ Policies
→ Administrative Templates
→ System
→ Removable Storage Access
Enable these policies:
- Removable Disks: Deny read access → Enabled
- Removable Disks: Deny write access → Enabled
Do Not Miss This
Leave All Removable Storage classes: Deny all access as Not Configured unless you really want to block every removable storage class.
Step 4: Security Filtering
- Open the new GPO in Group Policy Management
- Open the Scope tab
- Remove Authenticated Users from Security Filtering
- Add USB_Deny_Users
Step 5: Restore Read Permission for Computers
This is one of the most commonly missed steps. After you remove Authenticated Users from Security Filtering, the computer accounts that process the GPO still need Read permission on it; without Read, the user settings in the GPO are never evaluated at all.
- Open the Delegation tab of the GPO
- Click Advanced
- Add Authenticated Users or Domain Computers
- Grant Read permission only
- Do not grant Apply Group Policy to that entry
Step 6: Make It Apply on This Server Only (Loopback Processing)
This is the real server-side trick. Without loopback processing, user policy follows the user account and may apply in places you did not intend.
- Locate the OU where the Windows Server 2022 computer object is placed
- Create a new GPO named Server 2022 - Loopback USB Control
- Link it to the OU containing the server computer object
- Edit the GPO and go to:
Computer Configuration
→ Policies
→ Administrative Templates
→ System
→ Group Policy
- Open User Group Policy loopback processing mode
- Set it to Enabled
- Select Merge mode
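Steps 1 to 6 above can also be done from PowerShell with the ActiveDirectory and GroupPolicy modules (RSAT). The script below is an added example and is not part of the original article; the group and GPO names are the ones used in the steps, while the OU distinguished names and the domain are placeholders you must replace. Steps 4 and 5 are combined: Authenticated Users is reduced to Read only (which is what the two manual steps achieve together) and only USB_Deny_Users receives Apply Group Policy.

```powershell
# Added example (not from the original article): scripts Steps 1-6.
# Requires RSAT: ActiveDirectory and GroupPolicy modules, run as a Domain Admin
# or a delegated Group Policy administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# --- placeholders: adjust to your environment ---
$UsersOU   = "OU=Users,DC=example,DC=local"    # OU containing the user accounts
$ServersOU = "OU=Servers,DC=example,DC=local"  # OU containing the Server 2022 computer object
$DenyGroup = "USB_Deny_Users"
$UserGpo   = "USB Storage - Deny for Selected Users"
$ServerGpo = "Server 2022 - Loopback USB Control"

# Step 1: global security group holding only the users who must be blocked
if (-not (Get-ADGroup -Filter "Name -eq '$DenyGroup'")) {
    New-ADGroup -Name $DenyGroup -GroupScope Global -GroupCategory Security -Path $UsersOU
}
# Add-ADGroupMember -Identity $DenyGroup -Members "blocked.testuser"   # placeholder account

# Step 2: user GPO linked to the OU with the user accounts
if (-not (Get-GPO -Name $UserGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $UserGpo | Out-Null
}
New-GPLink -Name $UserGpo -Target $UsersOU -ErrorAction SilentlyContinue | Out-Null

# Step 3: "Removable Disks: Deny read access" / "Deny write access" (User Configuration).
# The ADMX stores these under the Removable Disks device-class GUID; 1 = Enabled.
$RemovableDisksKey = "HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
Set-GPRegistryValue -Name $UserGpo -Key $RemovableDisksKey -ValueName "Deny_Read"  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $UserGpo -Key $RemovableDisksKey -ValueName "Deny_Write" -Type DWord -Value 1 | Out-Null

# Steps 4 + 5: security filtering. Authenticated Users keeps Read only (-Replace drops
# its Apply Group Policy right); computers still need Read to process the GPO.
Set-GPPermission -Name $UserGpo -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
# Only the deny group gets Apply Group Policy (which implies Read).
Set-GPPermission -Name $UserGpo -TargetName $DenyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 6: loopback processing in Merge mode on a computer GPO linked to the server OU.
# UserPolicyMode: 1 = Merge, 2 = Replace.
if (-not (Get-GPO -Name $ServerGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $ServerGpo | Out-Null
}
New-GPLink -Name $ServerGpo -Target $ServersOU -ErrorAction SilentlyContinue | Out-Null
Set-GPRegistryValue -Name $ServerGpo -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 1 | Out-Null

# Review what was written before testing
Get-GPRegistryValue -Name $UserGpo -Key $RemovableDisksKey | Select-Object ValueName, Value
Get-GPPermission -Name $UserGpo -All | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

Run the review lines at the end before moving on to Step 7: the permission list must show Authenticated Users with GpoRead and USB_Deny_Users with GpoApply, and the registry list must show Deny_Read and Deny_Write set to 1.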
Why Merge Mode?
Merge mode keeps normal user policy and also applies the user settings from the server’s computer-side GPO path. It is usually the safest choice for terminal server or shared server scenarios.
Step 7: Update Group Policy
Run this command on the target server:
gpupdate /force
Then sign out and sign back in with the target user account.
Step 8: Validate the Result
Sign in using one blocked user and one allowed user and test both cases.
For the blocked user
- Plug in a USB storage device
- Confirm read access is denied
- Confirm write access is denied
For the allowed user
- Plug in a USB storage device
- Confirm the user can open files
- Confirm the user can copy files
Run this command to generate a policy result report:
gpresult /h C:\Temp\USB-Policy-Report.html
You can also use:
gpresult /r
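The manual plug-in test in Step 8 is the real proof, but you can also read the effective policy from the signed-in user's session before touching a device. The script below is an added example, not from the original article; it is run on the server in the test user's own session (after gpupdate and a fresh sign-in), checks the same items as the troubleshooting checklist, and changes nothing.

```powershell
# Added example (not from the original article): read-only validation in the
# signed-in test user's session on the Windows Server 2022 host.
$RemovableDisksKey = "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
$DenyGroup = "USB_Deny_Users"

function Get-RemovableDiskPolicyState {
    # Returns what this user session actually received from Group Policy.
    $props = Get-ItemProperty -Path $RemovableDisksKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User      = "$env:USERDOMAIN\$env:USERNAME"
        DenyRead  = [bool]($props.Deny_Read  -eq 1)
        DenyWrite = [bool]($props.Deny_Write -eq 1)
    }
}

$state = Get-RemovableDiskPolicyState
$state | Format-List

# Group membership as seen in the current logon token. Membership added after the
# last sign-in is not present here, which is why the user must sign out and back in.
$inDenyGroup = [bool](whoami /groups | Select-String -SimpleMatch $DenyGroup)
"Token contains ${DenyGroup}: $inDenyGroup"

# Expected: deny-group member -> DenyRead and DenyWrite True; allowed user -> both False.
if ($state.DenyRead -and $state.DenyWrite) {
    "USB storage is BLOCKED for $($state.User)"
} else {
    "USB storage is ALLOWED for $($state.User)"
}
if ($inDenyGroup -ne ($state.DenyRead -and $state.DenyWrite)) {
    "Mismatch between group membership and applied policy: check the Step 9 checklist"
}

# Loopback mode the server applied (1 = Merge, 2 = Replace; absent = not configured)
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\System" `
    -Name UserPolicyMode -ErrorAction SilentlyContinue | Select-Object UserPolicyMode

# Same HTML report as in Step 8 (/f overwrites an existing file)
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
gpresult /h "C:\Temp\USB-Policy-Report.html" /f
```

Run it once as the blocked test user and once as the allowed test user. If the token does not contain USB_Deny_Users for the blocked user, the sign-out step was skipped; if the token contains it but DenyRead and DenyWrite are False, look at the GPO link, Read permission and loopback items in the Step 9 checklist and at the Denied GPOs section of the report.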
Step 9: Troubleshooting Checklist
- The blocked user is a member of USB_Deny_Users
- The allowed user is not a member of the deny group
- The GPO is linked to the correct OU
- The server computer object is in the correct OU
- Loopback processing is enabled on the server-side GPO
- The GPO still has Read permission for Authenticated Users or Domain Computers
- The user signed out and signed back in after policy refresh
- No higher-precedence GPO is overriding the USB policy
Standalone Server with Local Users Only
When the server is not using Active Directory user accounts, use Multiple Local Group Policy. This method is suitable for local users and local groups only.
- Press Win + R
- Type mmc and press Enter
- Click File → Add/Remove Snap-in
- Select Group Policy Object Editor
- Click Add
- Click Browse
- Open the Users tab
- Select a specific local user, or choose Non-Administrators
- Go to the same path:
User Configuration
→ Administrative Templates
→ System
→ Removable Storage Access
Enable:
- Removable Disks: Deny read access
- Removable Disks: Deny write access
Local Policy Limitation
Multiple Local Group Policy is not the right answer for Active Directory user-group based control across the domain, and it is not available on domain controllers.
Rollback Steps
- Remove the user from USB_Deny_Users
- Or set the two removable disk deny policies back to Not Configured
- Run gpupdate /force
- Sign out and sign in again
- Retest the USB storage device
Final Recommendation
For most Windows Server 2022 environments, the best design is:
- Use a security group such as USB_Deny_Users
- Use a user GPO to deny removable disk read and write access
- Use loopback processing when the restriction must apply only on the server
- Validate using gpupdate and gpresult
Done right, this gives you proper user-based USB storage control without blocking everybody and without wrecking normal USB devices.
