Need to apply a gpo to most users, but not to others.

Hi, I enabled the "Deny Removable Storage Access" GPO for all authenticated users, created a group essentially named "Block Policy", and then in the GPO Delegation tab I checked Deny to "Read" and "Apply Group Policy" for the new group.
I thought this would restrict every user in our domain except for the groups that I placed inside the "Block Policy" group.
This made everyone lose removable storage, ie. DVD drive, USB drives, floppy drives, etc., including all admins on our domain.

Because I couldn't get the "Block Policy" group to be excluded from this GPO, I changed the GPO to only include "Domain Users", and then removed a test admin from the "Domain User's" group.
After a reboot, this still didn't work, and even though this test Domain Admin wasn't in the assigned  group the policy settings "stuck".

In order to get the DVD back I had to uncheck "Enforced" and "Link Enabled" on the GPO itself, and reboot the workstation.

Does anybody have any ideas on how to successfully allow a group to be excluded from this restrictive GPO?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ron MalmsteadInformation Services ManagerCommented:
Is this a user policy or a computer policy?
If it's a computer policy, it applies to computer objects, not user objects so the permissions for users would be ignored for computer policy settings.
GgillotteAuthor Commented:
Hi Xuserx2000, good question.

I forgot to mention that at first it was applied to both users and computers, then i removed computers from it.
It only has user settings now, but I still got the same problems mentioned before.
GgillotteAuthor Commented:
Does it make a difference that inside the "Block Policy" group, I added other groups like "Domain Admins", instead of individual users?
I don't think it should matter, but that's the only thing I can think of.
Do You Have a Trusted Wireless Environment?

A Trusted Wireless Environment is a framework for building a complete Wi-Fi network that is fast, easy to manage, and secure.

Please post the settings of GPO.

Secondly, don't enforce unless you have a reason.

If possible post the screenshot of OU & structure & where GPO is applied.

My fear is that you are using computer side settings.

Ron MalmsteadInformation Services ManagerCommented:
If you already enabled it on computer settings, ..and then switched it back to "Not Configured" the policy setting may still be stuck on the machine.

You may try setting it to "disabled" on the computer side settings, then go forward with the user settings as you've already described.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
A Policy always reverts back when disabled, preference sticks unless checked to remove when disabled.

GgillotteAuthor Commented:
That was exactly it.
The old settings didn't revert back because I changed the GPO settings to "Not Configured", and the old settings were stuck in that workstation.

I also found that if I create and link a GPO "disabling" the disabled permission (expressly allowing it), add the group of user's that I want to allow this permission to it, and then change the link order to one above the restrictive gpo (above the GPO for everyone else) then it has precedence over the GPO below it.

Which is better?
To block a group by denying the "apply GPO" in its delegation, or creating a different GPO and linking it above the other GPO?
Ron MalmsteadInformation Services ManagerCommented:
The method that is better is the one that has less GPO objects and still has the desired result.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.