This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 53%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
I created a simple GPO to block all removable storage devices. I can also go to Delegation->Advanced and add a computer object there and then for "Apply group policy", set it for "Deny" and after a GPO policy update on that specified computer, it will be excluded from the removable storage devices being blocked.
However, if I add that specified computer to an AD group instead and then add that AD group to the "Groups and Users" in the "Delegation" tab for that GPO and set that group to "Deny" the GPO just like I did for the specified computer previously and then after a GPO policy update, that specified computer will still get the policy where the removable storage devices are still blocked.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Do you mean that the delegation permission for the group didn't work?
If you create a new security and add the computer into the security group, it will require the computer to restart one or 2 times to refresh the group membership.
After the restart , you can try to run CMD as administrator and run command :gpresult /v , check if the computer has the right group membership.
Best Regards,
Patience is a virtue. One test was from a dog slow VM and another from a off-prem device going over a VPN. It was taking awhile for the AD group to show up in the security groups when running the gpresult /v for the user. Once it finally did, the GPO enforcement and exceptions worked as I configured them.
Thanks.