Exclude users from GPO

    Question

  • I am attempting to prevent MOST users from inserting USB drives into a server, except for a specific few that I have specified by device ID.

    However, I want to exclude specific users from this rule.

    In Group Policy Management, under my GPO, I added a user that should be excluded from this GPO under the Delegation tab.  I set their security permission to DENY 'Apply group policy'.  I log into the server with their username, and it still prevents them from accessing a USB.

    Going to Device Manager, you will see the driver is listed under 'Other Devices' with the brand name of the USB.  But to reiterate, you cannot access it.

    Am I missing something?


    • Edited by Jbuenno Wednesday, January 27, 2016 9:20 PM
    Wednesday, January 27, 2016 9:18 PM

All replies

  • Hello,

    I believe this setting is a Computer Configuration option? If so you can only specify which computers it will/will not apply to, not users.

    If it isn't let me know the User Configuration setting that you are using.

    Kind Regards,

    Marcus

    Thursday, January 28, 2016 12:41 AM
  • Hi,

    Please understand that excluding a user only works with GP user settings.

    Have you tried GPUPDATE /force or restart the computer?

    Based on my experience, you can achieve this in various ways; please refer to the following articles:

    Refer to the following article to check whether you have missed any steps:

    Exclusion for a Group Policy Object

    http://social.technet.microsoft.com/wiki/contents/articles/4606.exclusion-for-a-group-policy-object.aspx

    Another way for your reference:

    Security Filtering Using GPMC

    http://social.technet.microsoft.com/wiki/contents/articles/4617.security-filtering-using-gpmc.aspx

    Best Regards,

    Alvin Wang


    Thursday, January 28, 2016 7:08 AM
    Moderator
  • Thanks for the reply.  The setting I speak of is located in Computer Configuration.

    To your knowledge, is there any other workaround to exclude a user from a computer configuration GPO?

    To reiterate, we'd like to prevent all users from using a USB drive on a specific computer, with an exception for one or two people.


    • Edited by Jbuenno Thursday, January 28, 2016 1:57 PM
    Thursday, January 28, 2016 1:57 PM
  • Hi
     
    On 28.01.2016 at 14:57, Jbuenno wrote:
    > [...] The setting I speak of is located in Computer Configuration.
    > To your knowledge, is there any other workaround to exclude a user from
    > a computer configuration GPO?
     
    You mean, you want to take a shower without getting wet?
     
    No, this way of handling is impossible. It can only be an exclusion for
    users if the application you manipulate with GPO allows user-based settings.
    If the developer allows settings for both objects, it's his decision
    which one to prioritize.
     
    You need to change your settings to user configuration for USB, because
    in conflicting settings user vs. computer, the computer wins.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Thursday, January 28, 2016 2:11 PM
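
Added example, not part of the thread: a PowerShell audit that flags the situation discussed above, where a Deny 'Apply group policy' entry for a user account sits on a GPO that has only ever had Computer Configuration settings written to it. It assumes the GroupPolicy module (GPMC/RSAT) is installed; the function name and the GPO name 'Restrict USB Storage' are placeholders.

```powershell
# Added example (not from the thread). Requires the GroupPolicy module.
Import-Module GroupPolicy

function Test-GpoUserFiltering {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo = Get-GPO -Name $GpoName

    # DSVersion is 0 for a side that has never been edited, so a
    # non-zero value means that side has had settings written to it.
    $computerEdited = $gpo.Computer.DSVersion -gt 0
    $userEdited     = $gpo.User.DSVersion -gt 0
    $computerOnly   = $computerEdited -and -not $userEdited

    # All trustees on the GPO, including Deny entries.
    foreach ($p in Get-GPPermission -Name $GpoName -All) {
        $isUser = $p.Trustee.SidType -eq 'User'

        # Computer Configuration is processed by the computer account,
        # so a Deny entry for a user account does not exempt that user.
        $note = if ($p.Denied -and $isUser -and $computerOnly) {
            'Deny for a user on a computer-only GPO: no effect on computer settings'
        } elseif ($p.Denied) {
            'Deny entry: check it targets the object type this GPO configures'
        } else {
            ''
        }

        [pscustomobject]@{
            Gpo            = $gpo.DisplayName
            ComputerEdited = $computerEdited
            UserEdited     = $userEdited
            Trustee        = $p.Trustee.Name
            TrusteeType    = $p.Trustee.SidType
            Permission     = $p.Permission
            Denied         = $p.Denied
            Note           = $note
        }
    }
}

# Placeholder GPO name; replace with the GPO that carries the USB restriction.
Test-GpoUserFiltering -GpoName 'Restrict USB Storage' |
    Format-Table Trustee, TrusteeType, Permission, Denied, Note -AutoSize
```

Running `gpresult /r /scope computer` on the server shows whether the GPO is still listed as applied to the computer itself.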