troubleshooting Question

Need to apply a gpo to most users, but not to others.

Avatar of Ggillotte
Ggillotte asked on
OS SecurityMicrosoft Legacy OS
8 Comments1 Solution403 ViewsLast Modified:
Hi, I enabled the "Deny Removable Storage Access" GPO for all authenticated users, created a group essentially named "Block Policy", and then in the GPO Delegation tab I checked Deny to "Read" and "Apply Group Policy" for the new group.
I thought this would restrict every user in our domain except for the groups that I placed inside the "Block Policy" group.
This made everyone lose removable storage, ie. DVD drive, USB drives, floppy drives, etc., including all admins on our domain.

Because I couldn't get the "Block Policy" group to be excluded from this GPO, I changed the GPO to only include "Domain Users", and then removed a test admin from the "Domain User's" group.
After a reboot, this still didn't work, and even though this test Domain Admin wasn't in the assigned  group the policy settings "stuck".

In order to get the DVD back I had to uncheck "Enforced" and "Link Enabled" on the GPO itself, and reboot the workstation.

Does anybody have any ideas on how to successfully allow a group to be excluded from this restrictive GPO?
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 8 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 8 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros