GPO deny permission not working for group with a computer object in it

Clint 21 Reputation points
2021-02-10T22:39:57.363+00:00

I created a simple GPO to block all removable storage devices. I can also go to Delegation->Advanced and add a computer object there and then for "Apply group policy", set it for "Deny" and after a GPO policy update on that specified computer, it will be excluded from the removable storage devices being blocked.

However, if I add that specified computer to an AD group instead and then add that AD group to the "Groups and Users" in the "Delegation" tab for that GPO and set that group to "Deny" the GPO just like I did for the specified computer previously and then after a GPO policy update, that specified computer will still get the policy where the removable storage devices are still blocked.


Accepted answer
  1. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-02-11T02:08:20.74+00:00

    Hi,

    Do you mean that the delegation permission for the group didn't work?
    If you create a new security group and add the computer to the security group, the computer will need to restart one or two times to refresh the group membership.
    After the restart, you can run CMD as administrator and run the command: gpresult /v, then check if the computer has the right group membership.

    Best Regards,

    1 person found this answer helpful.
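
The membership check suggested in the answer above can be scripted. This is an added example, not code from the thread: it compares the groups Active Directory lists for the computer account with the groups gpresult reports for the computer. The group name `USB-Block-Exempt` is a hypothetical placeholder, and the script assumes an elevated PowerShell session on the affected, domain-joined computer.

```powershell
# Added example: run elevated on the affected, domain-joined computer.
$GroupName = 'USB-Block-Exempt'   # hypothetical name of the group set to Deny on the GPO

# 1. Directory view: direct memberOf values on this computer's account.
#    Nested memberships and the primary group are not expanded here.
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
[void]$searcher.PropertiesToLoad.Add('memberof')
$account = $searcher.FindOne()
if (-not $account) { throw "Computer account for $env:COMPUTERNAME not found in AD." }
$inDirectory = [bool]($account.Properties['memberof'] |
    Where-Object { $_ -like "CN=$GroupName,*" })

# 2. Machine view: security groups recorded in the RSoP report for computer scope.
$xmlPath = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult /scope computer /x $xmlPath /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE." }
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($xmlPath)

# local-name() keeps the query independent of the report's XML namespaces.
$xpath = "/*[local-name()='Rsop']/*[local-name()='ComputerResults']" +
         "/*[local-name()='SecurityGroup']/*[local-name()='Name']"
$reportedGroups = @($rsop.SelectNodes($xpath) | ForEach-Object { $_.InnerText })
$inReport = [bool]($reportedGroups | Where-Object { $_ -like "*\$GroupName" })

# 3. Compare the two views.
$verdict = if ($inDirectory -and -not $inReport) {
    'In AD but not yet reported by gpresult: restart the computer and re-check.'
} elseif ($inReport) {
    'gpresult reports the group for this computer.'
} else {
    'Computer is not a direct member of the group in AD.'
}

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Group       = $GroupName
    InDirectory = $inDirectory
    InGpresult  = $inReport
    Verdict     = $verdict
}
```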

1 additional answer

  1. Clint 21 Reputation points
    2021-02-12T03:59:11.977+00:00

    Patience is a virtue. One test was from a dog-slow VM and another from an off-prem device going over a VPN. It was taking a while for the AD group to show up in the security groups when running the gpresult /v for the user. Once it finally did, the GPO enforcement and exceptions worked as I configured them.
    Thanks.
