iTunes and XP Pro Permissions

I've recently setup a couple of different XP Pro SP2 systems.  These systems are connected through a network to a Win2k3 domain (SBS).   The problem is that unless a domain user is set as "administrator" locally they are unable to use iTunes to play CD audio.

Symptoms:  Insert CD, iTunes starts, nothing plays or displays in library.   If domain user is added to local administrator group, insert CD, iTunes starts, detects tracks and plays.  

Thoughts:  Domain users on this network are set via group policy on the server to be standard "user" class on workstations so there is no need to add each user to each workstation so they can log in.  Usually the only local accounts that exist on the workstations are administrator account and that's it.  I'm thinking the solution is somewhere in Group Policy on the server but damned if I can find the setting (among the bazillion in there).

Thanks for any insight!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Reid PalmeiraTelecom EngineerCommented:
if you only care about itunes support, it may take some research to figure out exactly what rights a users needs to run itunes correctly. This i'm not so sure on, and can only assume it would take some trial and error to get correct but if you want help with it, it sounds like a neat challenge. Probably access to the CD drive and maybe acting as a server for sharing files via iTunes...i wonder what else....

otherwise the quick and dirty is to make them domain admins as the domain admins are also local admins on a machine as well unless explicitly removed or prevented by GPO.

alternatively you can go about making the user(s) local admins on those machines w/out becoming domain admins. neat reference and short vb script here:,289142,sid45_gci1065698,00.html?bucket=NEWS

I would take some of the initial advice and setup the AD so that you can just delegate control.
Reid PalmeiraTelecom EngineerCommented:
oh if it's the CD drive thing, under domain security policy, under local policy, under security options make sure the setting for "Restrict CD-ROM access to locally logged-in users only" is not diabled for domain users.

AlecErikssonAuthor Commented:
My goal is to _not_ give users administrator privs.  Guess I should have made that clear.  Ultimately I think the users should all be kept as "user" priveleged and I will add this ability (to play CDs via iTunes) to their security settings.   Nor do I want to add each user to each workstation (what a hassle even with a script and more to maintain).  So I'll poke around in the group policy and let ya know what I find.  Will have to wait until Monday at work though.
Exploring SQL Server 2016: Fundamentals

Learn the fundamentals of Microsoft SQL Server, a relational database management system that stores and retrieves data when requested by other software applications.

Reid PalmeiraTelecom EngineerCommented:
sounds good. as a test i've treid running itunes on a domain connected workstation as a power user and it seems to be okay, you might try that, the rights are as high as an admin, but are slighly higher than a standard domain user with default GP settings.
AlecErikssonAuthor Commented:
Weird.  I tried it as a local power user Friday and it still wouldn't play.  

The plot thickens.
Reid PalmeiraTelecom EngineerCommented:
just a thought as i was installing a new DVD+-RW drive in a workstation today, try to login as a normal user and open up the properties for that drive in the device manager and make sure the box for "enable digital CD audio for this CD ROM device" is checked.

open system properties, and device manger. under the DVD/CD-ROM drives, select the one to check, right click, open properties, select the "properties tab" it's the check box near the bottom.

might be a dead end, but i noticed it in passing.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AlecErikssonAuthor Commented:
I wasn't able to get this problem squared away, but because of rpalmeira22 put in the effort to help me out I've given him the points.

Many thanks, and sorry about the semi-abandoned topic.
Reid PalmeiraTelecom EngineerCommented:
sorry to hear you never got it going. rather disappointing.

just a random thought, one last thing to try is temporarily bump the user up to admin on that local machine run itunes once, see if it's trying to create some system/hidden files for the user. then demote the user back to power user/user and try it again.
AlecErikssonAuthor Commented:
Yeah I tried that too actually, so we're thinking along the same lines.

I'm sure there's something in teh group policy editor that I could tweak to make it work, but damned if I can figure out which of the million settings it is.  Guess I could contact Apple or Microsoft.  But it's not a very serious problem really, in the grand scheme of things.
Reid PalmeiraTelecom EngineerCommented:
bummer. if i get any other ideas i'll drop another line here. at least it's not something of absolute importance.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.