Like others, we control access for USB, optical and Windows Portable Devices via GPO. In the past we've also used BIOS, manual registry entries via bat files and policy via our antivirus to control USB devices. These days, it's just via GPO.
We've currently deployed a new domain and are migrating users across. For certain areas we have GPO enabled to restrict access to Optical drives, Removable Storage devices and WPD. This works fine.
We have one area that needs access to WPD and have therefore created a new OU and an amended GPO that reinstates access. This is a computer policy. Our DC is W2k16 and affected clients are Win 7.
Unfortunately, WPD devices display 'Do not have permission to access this device'.
Running GPresult /r shows the policy has been applied.
Computers have been moved into the correct OU.
There are no inherited policies that would counteract what this new policy is supposed to be doing.
I checked the registry for the local machine and I can see that the deny access to WPD devices entries are set as disabled (or disappear altogether when I amend the policy to 'Not configured' and gpupdate).
I moved the computer to the highest level of the domain structure so that only the default domain policy is applied (confirmed as the sole policy applied) and still can't access WPD. Optical and removable devices can now be accessed, as neither of these is set to deny within our default domain policy.
As this PC was part of a previous domain, I've checked to see if there's anything lurking in the registry etc. that may still have been present from that domain and also reviewed the policies that were applied there.
We don't use 3rd party tools to supplement GPO.
I temporarily disabled AV (we use McAfee ePO).
A fresh PC build added to the new domain and OU appears to work as expected, i.e. removable devices blocked, CD/DVD drive blocked but WPD accessible.
At the moment, I'm thinking that maybe something must be left over from the previous domain join and that it's probably best to redeploy a fresh PC build to the affected area. I'd rather not, as there are rather a lot of machines and this thing has me baffled to the point of obsession.
Am I missing something obvious?
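
A diagnostic sketch for the registry check described in the post, added here as an example and not part of the original post: it lists every `Deny_*` value under the Removable Storage Access policy key in the machine hive and in the hive of the user running it, since the same settings exist under both Computer and User Configuration. The class GUIDs are the ones used by the built-in Removable Storage Access template; the function name `Get-DenyValues` is hypothetical, and the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post).
# Device class GUIDs as used by the built-in Removable Storage Access template.
$classes = @{
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}' = 'WPD'
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}' = 'WPD'
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable disks'
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'
}

# Machine policy and per-user policy live under the same relative path.
# HKCU is the hive of the account running this script, so run it as the
# affected user (not an elevated admin account) to see that user's values.
$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Hypothetical helper: emit one object per Deny_* value found under $path.
function Get-DenyValues($path, $label) {
    $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $props) { return }   # key missing or has no values
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'Deny_*') {
            New-Object PSObject -Property @{
                Key   = $path
                Class = $label
                Value = $p.Name
                Data  = $p.Value
            }
        }
    }
}

$results = foreach ($root in $roots) {
    # Deny_All on the root key blocks every removable storage class at once.
    Get-DenyValues $root 'All removable storage classes'
    foreach ($guid in $classes.Keys) {
        Get-DenyValues (Join-Path $root $guid) $classes[$guid]
    }
}

if ($results) {
    $results | Sort-Object Key | Format-Table Class, Value, Data, Key -AutoSize
} else {
    'No Deny_* values found under either policy key.'
}
```

A value of 1 means the deny setting is in force for that class; comparing the output from an affected PC with the output from the fresh build shows which hive, if any, still carries a WPD deny entry.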