Then you have to install the SEP client in user mode and configure the policy accordingly.
Lets take an Example ,
You have an AD sync.
There are 2 user , User 1 and Admin one member of user group and the other of Admin In AD.
And the Client is installed in the user mode.
On the same machine when user 1 logs in it will take the policy from the Group user( Block USB)
And if the admin logs in it will take the policy from the admin group to allow usb
You need to decide and configure the policy accordingly to each group.
Also AD sync and Client in User mode will be a great help