Add read only exceptions to GPO that blocks USB devices that already has exceptions


  • I have a GPO that blocks all USB devices with a group filled with users that are exceptions.

    The way I set it up:

    1. Create GPO named Block USB Devices.

    2. Link to the OU where all the users are located. (Not the default users OU.)

    3. Security Filtering is set to Authenticated Users.

    4. Added the USB-Exceptions group to the Delegation tab and set Apply group policy to deny.

    This works great, but now they want another group of users that have read-only access to USB devices so they can copy from the device to the machine but not vice versa.

    How do I set this up so that it doesn't conflict with the first GPO?

    Any assistance is greatly appreciated.

    Thank you!

    Tuesday, November 22, 2016 7:37 PM

All replies

  • Hi Mike,

    >>How do I set this up so that it doesn't conflict with the first GPO?

    Create a new OU under the original OU, then configure the appropriate GPO settings, using block inheritance for this new OU.

    The new OU should contain the allowed users who have read-only access.

    More info, see here:

    Best regards,



    Wednesday, November 23, 2016 4:01 AM
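The child-OU approach from the reply above, scripted with the ActiveDirectory and GroupPolicy modules as an added example (not part of the original thread). It assumes the existing block is built on the user-side Removable Storage Access policies; the domain, OU, group and GPO names are hypothetical placeholders.

```powershell
# Added example: names below are placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$parentOu  = 'OU=Staff,DC=example,DC=com'   # placeholder: OU where "Block USB Devices" is linked
$childName = 'USB-ReadOnly'                 # hypothetical child OU name
$childOu   = "OU=$childName,$parentOu"
$gpoName   = 'USB Read Only'                # hypothetical GPO name
$roGroup   = 'USB-ReadOnly-Users'           # hypothetical group holding the read-only users

# 1. Create the child OU under the OU that carries the blocking GPO.
New-ADOrganizationalUnit -Name $childName -Path $parentOu

# 2. Block inheritance so the parent's "Block USB Devices" link stops applying here.
Set-GPInheritance -Target $childOu -IsBlocked Yes

# 3. Create the read-only GPO. Deny_Write on the Removable Disks device class
#    corresponds to "Removable Disks: Deny write access" (User Configuration).
$key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\' +
       '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-GPO -Name $gpoName | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'Deny_Write' -Type DWord -Value 1 |
    Out-Null
New-GPLink -Name $gpoName -Target $childOu | Out-Null

# 4. Move the read-only users into the child OU (user objects only).
Get-ADGroupMember -Identity $roGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    Move-ADObject -TargetPath $childOu

# 5. Review what now applies to the child OU. Any link still listed under
#    InheritedGpoLinks is either the new GPO or an Enforced link from above.
$som = Get-GPInheritance -Target $childOu
"Inheritance blocked: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks | Select-Object DisplayName, Enforced, Order
```

Block inheritance stops every non-enforced GPO linked above the child OU, not only the USB one, so any other policies those users still need must be linked to the child OU as well. If the "Block USB Devices" link is set to Enforced, the block has no effect on it.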