Device Control Policies and AD Containers

We currently have an AD structure that organizes PCs by department and then has a subcontainer for USB exception. We currently control USB policies by group policy, but would like to switch over to Sophos Device Control to get more granular with device type/SN. If we have a device control policy to block at the department level, does the device control policy to allow (the subcontainer level) get superseded by the one to block?



This thread was automatically locked due to age.
  • Hello Nansterz,

    re-structure the AD groups {and in the first post} AD structure that organizes PCs by department and then has a subcontainer for USB exception

    Hm, I'm not sure if I understand you correctly (and apart from this there are some details to be filled out):

    Your current AD structure groups the computers by department and each department (at least where required) has a subgroup for exceptions - is that so? Not explicitly stated but to me it sounds like the SEC groups mirror the AD structure - do they? If so, then you should be fine. The "common" computers from the Department X OU would be in SEC group DeptX to which you assign a block policy. The computers in the subcontainer would go to DeptX-Ex which has a policy with exceptions. Please note that the policies are completely independent - policies are neither merged nor is more than one policy (of the same type) applied to a computer.

    Christian 
