Apemantus, to your questions:
- Can this be achieved in OMA-URI? -> Via OMA-URI, you do not need to combine all those groups into one Groups XML or one PolicyRules XML. One OMA-URI, one Group XML or one PolicyRule XML.
- What is the precedence mechanic? -> First, you should not have multiple policy rules for the same USB for the same user. If you do, you should combine those policy rules into one PolicyRule XML. Within the PolicyRule XML file, Device control will apply the first Entry matching the condition. For example, if the first Entry is Allow Read and the second Entry is Block Read, reading a USB will be Allowed.
- If a user is in multiple AD groups, which policy applies? -> Same as #2, Device control will apply the first Entry meeting the condition. For example, if a user is under AD_Sid_group_A and AD_Sid_group_B, and for a CD/DVD PolicyRule, the first Entry is Block AD_Sid_group_D Write access, Block AD_Sid_group_A Execute access, Allow AD_Sid_group_B Write access. Since the user is under AD_Sid_group_A and AD_Sid_group_B but not AD_Sid_group_D, Write access will be Allowed and Execute will be Blocked.
Feel free to contact me if you still have questions.
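
The first-match evaluation described in the reply above, modelled as an added example (not part of the original post and not Microsoft's code). The GUIDs and `AD_Sid_group_*` values are constructed placeholders; the example assumes AccessMask bits 1/2/4 for Read/Write/Execute and that an Entry without a Sid applies to every user.

```python
import xml.etree.ElementTree as ET

# Constructed PolicyRule mirroring the CD/DVD example in the reply.
# GUIDs and AD_Sid_group_* strings are placeholders, not real values.
POLICY_RULE_XML = """
<PolicyRule Id="{00000000-0000-0000-0000-000000000001}">
  <Name>CD/DVD example (constructed)</Name>
  <Entry Id="{00000000-0000-0000-0000-0000000000a1}">
    <Type>Deny</Type><AccessMask>2</AccessMask><Sid>AD_Sid_group_D</Sid>
  </Entry>
  <Entry Id="{00000000-0000-0000-0000-0000000000a2}">
    <Type>Deny</Type><AccessMask>4</AccessMask><Sid>AD_Sid_group_A</Sid>
  </Entry>
  <Entry Id="{00000000-0000-0000-0000-0000000000a3}">
    <Type>Allow</Type><AccessMask>2</AccessMask><Sid>AD_Sid_group_B</Sid>
  </Entry>
</PolicyRule>
"""

ACCESS_BITS = {"Read": 1, "Write": 2, "Execute": 4}  # assumed mask bits


def parse_entries(xml_text):
    """Return the Entries in document order, since order decides precedence."""
    root = ET.fromstring(xml_text)
    return [
        {
            "type": e.findtext("Type").strip(),
            "mask": int(e.findtext("AccessMask")),
            "sid": (e.findtext("Sid") or "").strip() or None,
        }
        for e in root.findall("Entry")
    ]


def evaluate(entries, user_sids, access):
    """The first Entry whose Sid and AccessMask both match decides the outcome."""
    bit = ACCESS_BITS[access]
    for entry in entries:
        # Assumption: an Entry with no Sid applies to every user.
        sid_ok = entry["sid"] is None or entry["sid"] in user_sids
        if sid_ok and entry["mask"] & bit:
            return entry["type"]
    return None  # no Entry matched; the reply does not cover this case


def decisions(xml_text, user_sids):
    """Evaluate every access type for a user's set of group SIDs."""
    entries = parse_entries(xml_text)
    return {access: evaluate(entries, user_sids, access) for access in ACCESS_BITS}
```

Calling `decisions(POLICY_RULE_XML, {"AD_Sid_group_A", "AD_Sid_group_B"})` reproduces the outcome in the reply: Write is allowed and Execute is denied.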