We're trying to implement a GPO that will block USB storage devices.
It appears that there are at least two approaches at the broad design level:
1) Apply the GPO to users.
2) Apply the GPO to computers.
We tried applying a new GPO to users like this:
- Set up a User's Security Group
- Set up a GPO with Scope including the User's Security Group
- and with Authorized Users having READ and NOT Apply GPO
- Then, the GP settings for removable storage are added as well
- Then the GPO is linked to the User's OU
- Then blocked Users are added to the User's Security Group
It didn't work for us.
The other approach would seem to be:
- Set up an OU of Computers
- Create a simple GPO with the same settings for removable storage
- Link the GPO to an appropriate Computer OU or set of them
- Move pertinent computers into the appropriate Computer OUs
I haven't done the latter yet, but I have more confidence in it.
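
Both layouts described in the post can be scripted with the GroupPolicy PowerShell module; the sketch below is an added example, not part of the original post. The GPO names, OU paths and group name are placeholders, and it assumes the removable-storage setting in question is "All Removable Storage classes: Deny all access" (registry value `Deny_All`).

```powershell
#Requires -Modules GroupPolicy
# Placeholder names (assumptions), not values from the post.
$ComputerOU = 'OU=Restricted-PCs,DC=example,DC=test'
$UserOU     = 'OU=Staff,DC=example,DC=test'
$BlockGroup = 'USB-Blocked-Users'

# "All Removable Storage classes: Deny all access" stores Deny_All=1 under this
# policy key: HKLM for Computer Configuration, HKCU for User Configuration.
$PolicyPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

function New-UsbBlockGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Computer','User')][string]$Scope,
        [Parameter(Mandatory)][string]$TargetOU,
        [string]$FilterGroup   # optional security filtering group
    )
    $hive = if ($Scope -eq 'Computer') { 'HKLM' } else { 'HKCU' }
    $gpo  = New-GPO -Name $Name
    Set-GPRegistryValue -Name $Name -Key "$hive\$PolicyPath" `
        -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

    if ($FilterGroup) {
        # Security filtering: the group gets Read + Apply, while
        # Authenticated Users is reduced to Read only.
        Set-GPPermission -Name $Name -TargetName $FilterGroup `
            -TargetType Group -PermissionLevel GpoApply | Out-Null
        Set-GPPermission -Name $Name -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    }

    # A GPO is processed only by objects inside the linked container:
    # HKCU settings need the user accounts there, HKLM settings the computers.
    New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    $gpo
}

# Approach 2: computer-scoped, applies to every machine in the OU.
New-UsbBlockGpo -Name 'Block-USB-Computers' -Scope Computer -TargetOU $ComputerOU

# Approach 1: user-scoped, filtered to members of the security group.
New-UsbBlockGpo -Name 'Block-USB-Users' -Scope User -TargetOU $UserOU `
    -FilterGroup $BlockGroup

# Confirm what each GPO actually contains before testing on a client.
Get-GPRegistryValue -Name 'Block-USB-Computers' -Key "HKLM\$PolicyPath"
Get-GPRegistryValue -Name 'Block-USB-Users'     -Key "HKCU\$PolicyPath"
```

After `gpupdate /force` on a test client, `gpresult /r` shows whether the GPO was applied or filtered out for that user or computer.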