Ggillotte asked on

Need to apply a gpo to most users, but not to others.

Hi, I enabled the "Deny Removable Storage Access" GPO for all authenticated users, created a group essentially named "Block Policy", and then in the GPO Delegation tab I checked Deny to "Read" and "Apply Group Policy" for the new group.
I thought this would restrict every user in our domain except for the groups that I placed inside the "Block Policy" group.
This made everyone lose removable storage, i.e. DVD drive, USB drives, floppy drives, etc., including all admins on our domain.

Because I couldn't get the "Block Policy" group to be excluded from this GPO, I changed the GPO to only include "Domain Users", and then removed a test admin from the "Domain Users" group.
After a reboot, this still didn't work, and even though this test Domain Admin wasn't in the assigned group, the policy settings "stuck".

In order to get the DVD back I had to uncheck "Enforced" and "Link Enabled" on the GPO itself, and reboot the workstation.

Does anybody have any ideas on how to successfully allow a group to be excluded from this restrictive GPO?
Tags: Microsoft Legacy OS, OS Security

Last Comment: Ron Malmstead, 8/22/2022 - Mon
Ron Malmstead

Is this a user policy or a computer policy?
If it's a computer policy, it applies to computer objects, not user objects so the permissions for users would be ignored for computer policy settings.

Hi Xuserx2000, good question.

I forgot to mention that at first it was applied to both users and computers, then I removed computers from it.
It only has user settings now, but I still got the same problems mentioned before.

Does it make a difference that inside the "Block Policy" group, I added other groups like "Domain Admins", instead of individual users?
I don't think it should matter, but that's the only thing I can think of.
Walt Forbes

Please post the settings of GPO.

Secondly, don't enforce unless you have a reason.

If possible post the screenshot of OU & structure & where GPO is applied.

My fear is that you are using computer side settings.

Ron Malmstead


A policy always reverts back when disabled; a preference sticks unless it is checked to remove when disabled.


That was exactly it.
The old settings didn't revert back because I changed the GPO settings to "Not Configured", and the old settings were stuck on that workstation.

I also found that if I create and link a GPO "disabling" the disabled permission (expressly allowing it), add the group of users that I want to allow this permission to it, and then change the link order to one above the restrictive GPO (above the GPO for everyone else), then it has precedence over the GPO below it.

Which is better?
To block a group by denying the "apply GPO" in its delegation, or creating a different GPO and linking it above the other GPO?
Ron Malmstead

The method that is better is the one that has fewer GPO objects and still has the desired result.
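The two approaches discussed in this thread (a Deny on "Apply Group Policy" in the GPO's delegation, or an "allow" GPO linked above the restrictive one) both fail silently if the GPO still carries computer-side settings or if the restrictive link is Enforced. The following added audit script is not from the thread or from Microsoft; it assumes the RSAT GroupPolicy module, and the GPO name, exclusion group and OU distinguished name are placeholders to replace.

```powershell
# Added example: audit a GPO's security filtering and link precedence before
# trusting a "Deny Apply Group Policy" exclusion or a link-order override.
# Placeholders (assumptions): GPO name, exclusion group, target OU.
Import-Module GroupPolicy

$GpoName    = 'Deny Removable Storage Access'        # placeholder GPO name
$ExcludeGrp = 'Block Policy'                         # placeholder group that must NOT receive the policy
$TargetOU   = 'OU=Workstations,DC=example,DC=com'    # placeholder OU DN

$gpo = Get-GPO -Name $GpoName
"GPO '$($gpo.DisplayName)' status: $($gpo.GpoStatus)"

# Computer-side settings are filtered on the computer account, not the user,
# so a Deny for a user group has no effect on them (Ron's first point above).
if ($gpo.GpoStatus -ne 'ComputerSettingsDisabled' -and $gpo.GpoStatus -ne 'AllSettingsDisabled') {
    Write-Warning "Computer settings are enabled on '$GpoName'; user-group filtering will not block them."
}

# Delegation: who can read/apply the GPO, and which entries are explicit Denies.
$perms = Get-GPPermission -Name $GpoName -All
$perms |
    Where-Object { $_.Permission -eq 'GpoApply' -or $_.Permission -eq 'GpoRead' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize

$denyApply = $perms | Where-Object {
    $_.Trustee.Name -eq $ExcludeGrp -and $_.Permission -eq 'GpoApply' -and $_.Denied
}
if (-not $denyApply) {
    Write-Warning "No explicit Deny of 'Apply Group Policy' found for '$ExcludeGrp'."
}

# Link precedence on the OU: Order 1 is applied last and therefore wins,
# so an "allow" GPO linked above the restrictive GPO overrides it. An Enforced
# link defeats this ordering, which is why the thread advises against Enforced.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
$links | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

$restrictive = $links | Where-Object { $_.DisplayName -eq $GpoName }
if ($restrictive -and $restrictive.Enforced) {
    Write-Warning "'$GpoName' is Enforced on $TargetOU; a higher-order 'allow' GPO cannot override it."
}
```

On the affected workstation, `gpresult /r /scope:user` then confirms the outcome: the GPO should appear under "Filtered out (Security)" for a member of the excluded group and under "Applied GPOs" for everyone else.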