GP to deny access to local media

I wrote a GP to deny access to local storage (DVD, USB, etc) and stuck everyone in it.  Then I made a security group for my exceptions and stuck a few people in there.  However, IF a person was originally denied access to local storage, and I then move them to the exception list, they are still denied access, even after a reboot.

I ran a gpresult and the policy is NOT applying to the user or the computer, but the user is still denied access, just as they were when they were in the original group.  Again, the policy to deny access is NOT being applied, yet the user cannot access removable media.

It's like once the tattoo is in place, the PC is not releasing it....

Any ideas?  I really need my exception group to have access to local storage.  It works so long as the user starts off in the exception list.

It only fails if they started off in the deny group and I move them to the exception list.

Thanks

Cliff

PS:  Server 2008 R2 domain running in Server 2012 domain controllers and Win7 Pro machines.
Asked by: crp0499 (CEO)

McKnife commented:
Please describe what policy (computer part or user part) you set. If you use the computer part, you'll not be able to exclude users from that policy, only computers.
0
crp0499 (CEO, author) commented:
It's a user policy, Admin templates\system\removable storage access
0
McKnife commented:
Following https://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
those should not be tattooing policies since your key HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices is below amongst those four keys mentioned.
Please, after a logoff and logon again, check the registry for their presence.
0
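
The registry check suggested in the last comment, as an added example that is not part of the original thread: a PowerShell 2.0-compatible script (so it runs on a stock Windows 7 machine) to run as the affected user after logoff and logon. It lists whatever is still stored under the user-side key named above. As an addition, it also lists the computer-side counterpart of that key under HKLM, because the first reply distinguishes the user part from the computer part. The function name is hypothetical, and value names are enumerated rather than assumed.

```powershell
# Added example: list removable-storage policy values still present in the registry.
# Run in the affected user's session; HKCU is per-user, so an admin session
# would show the admin's hive, not the user's.
$PolicyPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    param(
        [string[]]$Hives = @('HKCU:', 'HKLM:'),   # user part, then computer part
        [string]$RelativePath = $PolicyPath
    )
    foreach ($hive in $Hives) {
        $root = "$hive\$RelativePath"
        if (-not (Test-Path $root)) {
            # Key absent: nothing from this policy remains in that hive.
            New-Object PSObject -Property @{
                Key = $root; Name = '(key not present)'; Value = $null
            }
            continue
        }
        # The key itself plus every device-class subkey beneath it.
        $keys = @(Get-Item $root) +
                @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key = $key.Name; Name = $name; Value = $key.GetValue($name)
                }
            }
        }
    }
}

$found = @(Get-RemovableStoragePolicy)
$found | Select-Object Key, Name, Value | Format-Table -AutoSize

# Values set to 1 are active restrictions; compare them with what gpresult
# reports as applied for this user and this computer.
$active = @($found | Where-Object { $_.Value -eq 1 })
if ($active.Count -gt 0) {
    Write-Output ("{0} restriction value(s) still set." -f $active.Count)
} else {
    Write-Output 'No restriction values set under either key.'
}
```

Restriction values that remain under HKCU while gpresult shows the GPO as not applied point to leftover policy data for that user. Values under HKLM mean the restriction comes from the computer side, which group membership of the user does not change.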


Question has a verified solution.
