Hi, I enabled the "Deny Removable Storage Access" GPO for all authenticated users, created a group essentially named "Block Policy", and then in the GPO Delegation tab I checked Deny to "Read" and "Apply Group Policy" for the new group.
I thought this would restrict every user in our domain except for the groups that I placed inside the "Block Policy" group.
This made everyone lose removable storage, i.e. DVD drive, USB drives, floppy drives, etc., including all admins on our domain.
Because I couldn't get the "Block Policy" group to be excluded from this GPO, I changed the GPO to only include "Domain Users", and then removed a test admin from the "Domain Users" group.
After a reboot, this still didn't work, and even though this test Domain Admin wasn't in the assigned group, the policy settings "stuck".
In order to get the DVD back I had to uncheck "Enforced" and "Link Enabled" on the GPO itself, and reboot the workstation.
Does anybody have any ideas on how to successfully allow a group to be excluded from this restrictive GPO?
If it's a computer policy, it applies to computer objects, not user objects, so the permissions for users would be ignored for computer policy settings.
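
The point in the reply above, modelled as an added example that is not part of the original thread: a simplified evaluation of GPO security filtering, in which the computer half of a GPO is filtered against the computer account and the user half against the logged-on user. The principal names (`WS01$`, `WS02$`, `testadmin`, `jdoe`) are constructed, and the model assumes the GPO is linked in scope and ignores loopback processing and WMI filters.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
SETTING = "Deny removable storage access"  # label standing in for the policy setting

@dataclass
class Principal:
    name: str
    groups: frozenset  # group memberships, already expanded

@dataclass
class Gpo:
    computer_settings: set = field(default_factory=set)
    user_settings: set = field(default_factory=set)
    allow: dict = field(default_factory=dict)  # trustee -> rights granted
    deny: dict = field(default_factory=dict)   # trustee -> rights denied

    def applies_to(self, p: Principal) -> bool:
        """Security filtering: Read + Apply must be allowed, and a Deny ACE wins."""
        trustees = p.groups | {p.name}
        allowed = set().union(*(self.allow.get(t, set()) for t in trustees))
        denied = set().union(*(self.deny.get(t, set()) for t in trustees))
        return {READ, APPLY} <= allowed - denied

def effective_settings(gpo, computer, user):
    """Computer half is filtered on the computer account, user half on the user."""
    out = set()
    if gpo.applies_to(computer):
        out |= gpo.computer_settings
    if gpo.applies_to(user):
        out |= gpo.user_settings
    return out

# Constructed sample ACL and principals (hypothetical names).
ACL = dict(allow={"Authenticated Users": {READ, APPLY}},
           deny={"Block Policy": {READ, APPLY}})
ws = Principal("WS01$", frozenset({"Authenticated Users", "Domain Computers"}))
ws_exempt = Principal("WS02$", ws.groups | {"Block Policy"})
admin = Principal("testadmin", frozenset({"Authenticated Users", "Domain Admins", "Block Policy"}))
user = Principal("jdoe", frozenset({"Authenticated Users", "Domain Users"}))

computer_gpo = Gpo(computer_settings={SETTING}, **ACL)  # setting under Computer Configuration
user_gpo = Gpo(user_settings={SETTING}, **ACL)          # same setting under User Configuration

if __name__ == "__main__":
    print("computer policy, exempt admin on WS01:", effective_settings(computer_gpo, ws, admin))
    print("computer policy, any user on exempt WS02:", effective_settings(computer_gpo, ws_exempt, user))
    print("user policy, exempt admin on WS01:", effective_settings(user_gpo, ws, admin))
    print("user policy, ordinary user on WS01:", effective_settings(user_gpo, ws, user))
```

In this model the deny on "Block Policy" only exempts the admin when the setting sits in the user half of the GPO; for a computer policy, the exemption takes effect only when the computer account itself is in the denied group.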