Disable Devices Via Group Policy

Have you ever wanted to disable USB storage, floppy disks or CD-ROMs by group policy? If you're in a security-sensitive or regulated organisation then it's something you definitely want to do. In the past I've used a third-party solution that fit my needs perfectly and was simple to deploy and manage.
 
Just now, one of the guys on my client site informed me of an article he found on Daniel Petri's famous blog. It references a KB article on Microsoft's website. The solution is an ADM template that can be imported into a GPO. The template controls the start-up of the CD-ROM, floppy and USB storage drivers. The latter does not affect USB mice or keyboards.
 
It looks like a nice, simple and free solution. Daniel has extended the ADM by adding some documentation. I'd take it a little further:
 
  • I'd create a group each for Floppy access, USB storage access and CD-ROM access.
  • If I had multiple sites with delegated security administration, I'd use nested groups with the member groups located where local administrators could manage the membership.
  • It's a per-machine setting, so I'd place the machines in the appropriate groups where the users require access.
  • I'd create a GPO for each device type to be managed, e.g. Block USB Storage Access, Block Floppy Access and Block CD-ROM Access.
  • Using GPO filtering, I'd remove the "Apply Group Policy" permission for each group on the appropriate policy, e.g. the Floppy Access group would be prevented from applying the Block Floppy Access policy.

Problems: It's a per-machine setting. What prevents a user from going to a PC that has access in order to copy or steal data, bring in unauthorised materials, etc.? Things are going to be tricky when you need to change how the policy is applied, e.g. when a user or administrator needs temporary access and the services must be unblocked and started. The policy supports USB storage, floppy drives, CD-ROMs and super floppies. Maybe it can be extended to other devices, but I don't know.
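Because the template works by setting each driver's Start value in the registry, the quickest way to confirm on a given machine that the policy actually landed (and to spot the "driver still loaded until reboot" case mentioned above) is to read those values back next to the live driver state. This is an added audit script, not the post's, the KB article's or Daniel's ADM; it assumes the standard driver service names USBSTOR, cdrom, flpydisk and sfloppy, and the documented Start values (4 = disabled, 3 = manual).

```powershell
# Added example: audit the storage driver start values the ADM template controls.
# Start = 4 means the driver is disabled; 3 is the normal "load on demand" value.
# Assumed (not from the post): these four service names match the template's targets.
$ExpectedBlocked = @{
    'USBSTOR'  = $true   # USB mass storage
    'cdrom'    = $true   # CD/DVD-ROM
    'flpydisk' = $true   # floppy
    'sfloppy'  = $true   # super floppy
}

function Get-StorageDriverPosture {
    param([hashtable]$Expected = $ExpectedBlocked)

    foreach ($svc in $Expected.Keys) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start

        # Live state from WMI: a driver can still show "Running" after Start was set to 4
        # if a device was already attached, which is the reboot/temporary-access wrinkle.
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$svc'" -ErrorAction SilentlyContinue

        $configuredOff = ($start -eq 4)
        $startText     = if ($null -eq $start) { 'missing' } else { [string]$start }
        $stateText     = if ($drv) { $drv.State } else { 'not installed' }

        [pscustomobject]@{
            Driver        = $svc
            StartValue    = $startText
            ConfiguredOff = $configuredOff
            LiveState     = $stateText
            Compliant     = ($configuredOff -eq $Expected[$svc])
        }
    }
}

# Rows where Compliant is $false (or LiveState is Running despite ConfiguredOff) need attention.
Get-StorageDriverPosture | Format-Table -AutoSize
```

Run it from an elevated prompt after a gpupdate to see whether the machine's group membership produced the expected block; a machine in the "access" group should show Compliant = False for that driver, which is the intended exception.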

In the past I have used DeviceLock. It's a simple tool to deploy. It can manage the basic devices as well as WiFi, Bluetooth, FireWire, serial, etc. It is done on a per-group and per-device basis and is set up like NTFS permissions with a schedule. In the basic setup it uses some local groups and administrators to grant access. I populated the local groups using GPO Restricted Groups to grant access to selected users. Users could move from machine to machine and always had their designated access or non-access, as the case may be. A central policy console as well as GPO integration was available.

If I had the choice, I'd go with DeviceLock. It was just so simple to deploy and manage. But if you have a tight budget then maybe this custom ADM is a solution for you.
