You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.
Which of the following options would you choose to prevent users from being able to install removable devices on client computers while ensuring that the domain administrators and desktop support technicians are allowed to install removable devices on client computers?
You need to achieve the desired goal in minimum amount of administrative effort?
A.
On all domain controllers, implement Windows System Resource Manager (WSRM).
B.
On all client computers, deploy Connection Manager Administration Kit (CMAK).
C.
On all client computers, configure a Group Policy object (GPO).
D.
On all client computers, configure User Account Control.
E.
None of the above
Explanation:
To prevent users from being able to install removable devices on client computers, you need to implement a Group Policy object (GPO) for all client computers.
You can find the group policy settings called Preventing Installation of Removable Devices and Prevent Installation of Devices Not Described By Other Policy Settings would enable you to achieve the desired goal. These policies can be found in the group policy tree at: Computer ConfigurationAdministrative TemplatesSystemDevice InstallationDevice Installation Restrictions.
Preventing Installation of Removable Devices prevent Installation of Removable Devices setting prevents users from installing removable devices. The Prevent Installation of Devices Not Described By Other Policy Settings prevents the Installation of Devices Not Described by Other Policy Settings group policy setting is kind of a catch all setting. There are a couple of different ways that you can use this policy setting. One thing that you can do is to enable this setting, but not enable any other hardware installation related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies.
Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install.
Reference: Windows Longhorn: Using Group Policy to Control Device Management (Part 2)
http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-Control-Device-Management-Part2.html