We have a pretty straightforward setup with regard to our OUs and GPOs.
Each Department has an OU, so Procurement, PRO, Marketing, etc.
Each of these departments has its own GPO and they are working fine.
We have one General Policy at root level for passwords, backgrounds and common shares.
The rest as above are specific to each OU.
Now a new policy has been implemented to prevent USB keys from being used.
However, top management have asked me not to apply it to the Management OU.
I believe I have 3 ways of doing this, but I really don't think they are the right ways.
1. Create a new Policy at root level and Block Inheritance on the Management OU and Apply the single "General" Policy to Top Management OU and nothing else (for passwords, backgrounds, etc.)
2. Modify the Group Policy for each of the 7 departments to include these new settings and keep the Top Management OU the way it is.
3. Something about modifying the security permissions not to apply that specific policy on the Top Management OU.
Ideally, if possible, I'd like to keep the root "General" policy and apply all the settings from it to all OUs except those specific USB settings to the Top Management OU. This would ultimately save adding additional root GPOs or similar.
What would be the correct or best practice way?
P.S. We have Windows 7 and Windows XP machines, so we had to import the ADM file for the XP machines.