Configuring a RAS Policy that Limits the Use of Removable Storage Devices
Find out which policy you can use to limit how users can use removable storage devices.
February 28, 2007
Q: We want to configure a RAS policy to limit how our employees can use CD-ROM drives and USB drives and devices by using the Computer Configuration\Administrative Templates\System\Removable Storage Access folder in the Microsoft Management Console (MMC) Group Policy Editor snap-in as you described in "Controlling User Access to Removable Storage Devices," April 2007, http://www.securityprovip.com/articles/articleid/95314/95314.html. However, we recently ran across the Force a Restart to Ensure Removable Storage Access Policy is Enforced policy. What does this policy do? When and why is it necessary to reboot user workstations to ensure that the policy is enforced?
A: The Force a Restart to Ensure Removable Storage Access Policy is Enforced policy is used when you don't currently have a RAS policy enabled and a user is actively accessing a removable storage device. When you enable the RAS policy and the user's workstation refreshes Group Policy, the user won't be forcibly disconnected and will retain access until the computer is rebooted because he already has the device or media open. However, if you enable the Force a Restart to Ensure Removable Storage Access Policy is Enforced policy, Windows will detect this situation and force an immediate restart to block the user from continued access to the removable storage device.
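To find workstations in the state the answer describes (restrictions applied, media already mounted, no forced restart), an administrator can run a local check like the one below. It is an added example, not part of the original column; the registry key, the value names (`Deny_All`, `Deny_Read`, `Deny_Write`, `RebootTimeinSeconds_state`) and the device-class GUIDs are assumptions about how these Group Policy settings are stored and should be confirmed against the RemovableStorage administrative template on your systems.

```powershell
# Added example: report Removable Storage Access policy state on the local machine.
# Assumption: the policy settings are stored under this key with the value names used below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Assumed device-class subkeys for the two classes named in the question.
$classes = [ordered]@{
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = foreach ($c in $classes.GetEnumerator()) {
    $key = "$base\$($c.Value)"
    [pscustomobject]@{
        Class     = $c.Key
        DenyRead  = (Get-PolicyValue $key 'Deny_Read')  -eq 1
        DenyWrite = (Get-PolicyValue $key 'Deny_Write') -eq 1
    }
}
$denyAll      = (Get-PolicyValue $base 'Deny_All') -eq 1
$forceRestart = (Get-PolicyValue $base 'RebootTimeinSeconds_state') -eq 1

# Removable (DriveType 2) and optical (DriveType 5) volumes with media present right now.
$mounted = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5' |
    Where-Object { $_.Size })   # Size is empty when the drive holds no media
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

$report | Format-Table -AutoSize
"Deny all removable storage : $denyAll"
"Force-restart policy set   : $forceRestart"
"Last boot                  : $lastBoot"

# Flag the gap: restrictions configured, no forced restart, media still mounted.
$restricted = $denyAll -or ($report | Where-Object { $_.DenyRead -or $_.DenyWrite })
if ($restricted -and -not $forceRestart -and $mounted.Count -gt 0) {
    'Restrictions are configured without the force-restart policy, and media is mounted:'
    $mounted | Select-Object DeviceID, DriveType, VolumeName | Format-Table -AutoSize
    'A device opened before the policy applied may keep access until the next restart.'
}
```

A last-boot time earlier than the date the policy was linked is the signal that a restart is still needed on that workstation.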