I am trying to configure DLP rules to allow only a certain AD group to burn CD/DVDs, and everyone else in AD will have read-only CD/DVD access. It seems like the only access I am getting is either everyone can burn or everyone has only read access. Can someone please provide an example of what I may need to do or where to start?
Thank you
Silverss05, you would need 2 user groups and 2 rules to perform this.
Assume you want to make all users read only except the IT admins group.
Group 1:
Include Everyone, exclude IT Admins
Group 2:
Include IT Admins
Your 2 rules are:
Include CD/DVD, Action - read only, Action - monitor, include Group 1
Include CD/DVD, Action - monitor, include Group 2
I want to allow "domain users" read only access, and allow another group "MediaBurners" the ability to burn.
Group 1: Domain Users
Include Domain Users, exclude MediaBurners
Group 2: MediaBurners
Include MediaBurners
Rules:
Read-Only CD/DVD, Action - read only & monitor, include Group 1
Allow CD/DVD Burning, Action - monitor, include group 2 (MediaBurners)
Does this sound correct?
That is correct.
Yes, that does sound correct. And you have your device definition for the rule set to DVD/CD?
FYI, there was one thing I noticed lately and haven't had time to look up to see if it's just me or not.
I had a security group that was domain local. When I put it into a UAG it didn't apply a policy against the people in the security group. I am not sure why. But if you want to see if the people you have in the UAG have the policy applied against them:
Find the system, then click on the Products tab, then select DLP. Scroll down and see if you see the policy rule name applied against that system that has someone logged into it.
I was one of the people in this security group I was testing, then I added my username directly inside the same UAG, then it was being applied to my system.
I have a similar issue to this as well. I have set up the Domain Admins group as a privileged user group and set it to override all. The settings don't seem to be applying to the group, but if I add a user from within the Domain Admins group individually, the settings apply...
You might want to check to see if the end user's machine is showing the correct SID for the domain admin group you've applied it to by using gpresult or whoami commands. KB75675 linked below provides some outlines for this.
I am not sure how the user's system SID would matter when using UAG (User Assignment Groups)?
Ooo wait, after reading your link, you mean if they were just added to the group they would need to log off then back in... right, following you there.
I will test more this week, but so far I have only noticed it if the security group is DOMAIN LOCAL.
The "gpresult" command will list the AD groups for the machine while the "whoami /groups" will list the AD groups and their corresponding SID.
Under the UAG definition, you are provided the option to Identify LDAP objects using either SID or Name. SID is the default. In some environments I've seen user groups in AD not assign properly so the assigned UAG will never enforce. Gpresult and whoami will show if the local machine has the AD assignment.
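As an added example (not from the thread or from the DLP product itself), the check described above can be scripted instead of reading gpresult/whoami output by hand: resolve the group name to its SID, look for that SID in the logged-on user's access token (which is what the endpoint sees, and which only picks up a new membership after a fresh logon), and report the group's scope, since Domain Local groups were the ones observed not to apply. The group name MediaBurners is taken from the thread; the ActiveDirectory RSAT module is assumed to be installed for the scope check and is skipped otherwise.

```powershell
# Added example: verify that a UAG-referenced AD group is really present in the
# current user's token, and report its scope. Not code from the thread or product.
param([string]$GroupName = 'MediaBurners')   # group from the thread; replace with yours

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Resolve the name to a SID, as the UAG does when set to identify LDAP objects by SID.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
try {
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    Write-Error "Cannot resolve '$GroupName' to a SID from this machine: $_"
    return
}

# $identity.Groups holds the SIDs in the logon token. A membership added in AD
# after logon is not here until the user logs off and on again.
$inToken = $identity.Groups | Where-Object { $_.Value -eq $groupSid.Value }

if ($inToken) {
    "OK: token for $($identity.Name) contains $GroupName ($($groupSid.Value))"
} else {
    "MISSING: $GroupName ($($groupSid.Value)) is not in the token for $($identity.Name); log off/on and re-check"
}

# Scope check (needs RSAT ActiveDirectory module). Get-ADGroup accepts a SID as -Identity.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $g = Get-ADGroup -Identity $groupSid.Value -Properties GroupScope
    "Scope: $($g.GroupScope)"
    if ($g.GroupScope -eq 'DomainLocal') {
        Write-Warning "Group is Domain Local, the scope seen not to apply in a UAG; test with a Global/Universal group or a direct user entry"
    }
} else {
    Write-Warning "ActiveDirectory module not available; skipping group scope check"
}
```

Run it on the endpoint as the affected user (not in an elevated session started as someone else, or you will be inspecting the wrong token). A MISSING result with the group visible in Get-ADGroupMember points at a stale token rather than a DLP policy problem.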