Sysops_bbf

asked on

Windows Server 2008 GPO lockout of CD-ROM devices - cannot revert

Hi there,

I've been racking my brain for the last 3 days now with an issue after rolling out a GPO to disable USB, floppy and CD-ROM devices.

Roll-out was through Server 2008 to a mixed domain (2008, 2003, XP, Win7), hence the ADM file located in the below article:

http://support.microsoft.com/kb/555324

After disabling all devices, I have had to re-enable them all. Everything is working fine for floppy and USB devices but the end users keep getting access denied to the CD-ROM.

Here is an article on the exact same issue, but the resolution doesn't work on win7 machines:
"sc start cdrom
sc config cdrom start= enable"

https://www.experts-exchange.com/questions/26373871/Unlock-USB-drives-after-GPO-disable.html

I have tried editing the registry values, no joy.
Tried changing permissions on the cdrom.sys files.
Re-enabled all devices through the GPO, including Win7-specific settings:
Computer Configuration\Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine\System\Removable Storage Access
All values set to disabled.
And
Computer Configuration\Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine\Classic Administrative Templates (ADM)\Custom Policy Settings\Restrict Drives
All values set to enabled and started


I would like to be able to roll out the solution (whatever it may be) as we have over 100 users...

Any help at all would be greatly appreciated!!

Thanks in advance,
Aidan.
yo_bee

Are you wanting to completely not allow the users to have the ability to read or write to removable devices (i.e. CD-ROM or USB)?

Group Policy path \User Configuration\Policies\Administrative Templates\System\Removable Storage Access.

Disable USB drive - Group Policy - Removable Storage Access
Sysops_bbf

ASKER

Hi Yo_bee,

I want to allow access to the CD-ROM. All other devices (USB, floppy, high-capacity floppy) have been re-enabled with no issues.

End users keep getting access denied, even though I have set the appropriate status for both the ADM and ADMX in the GPO.

I was contemplating deleting the current GPO and specifying new separate policies for each device rather than having all of them within the same policy.

Thanks,
Aidan.
I would try this first.
Create a sterile OU blocking all GPOs.

Move the computer and/or user object into this OU.
Reboot the machine and then log on with that isolated user.

See if you can read the devices.
Then move them back and repeat the steps above and report the results.

You can also look through the user's Event Log > Applications and Services > Microsoft > Windows > Group Policy and see if anything shows up. You might have to configure verbose logging for GP.
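
A read-only check to run on an affected client in both the isolated OU and the normal OU, added here as an example and not posted by anyone in the thread. It assumes the KB555324 ADM works by setting the Start value of the storage driver services, and that the Removable Storage Access settings are stored under the RemovableStorageDevices policy key; the function names are made up for this example.

```powershell
# Added example, not from the thread. Read-only: it reports state and changes nothing.
# Assumption: the KB555324 ADM controls devices through the Start value of
# these storage driver services (4 = Disabled).
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$drivers = 'cdrom', 'USBSTOR', 'flpydisk', 'sfloppy'

function Get-StorageDriverState {
    foreach ($name in $drivers) {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $item = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
        if ($item) { $start = [int]$item.Start; $meaning = $startNames[$start] }
        else       { $start = $null; $meaning = 'key or value missing' }
        New-Object PSObject -Property @{ Driver = $name; Start = $start; Meaning = $meaning }
    }
}

# Assumption: the ADMX "Removable Storage Access" settings write Deny_* values
# under this key (machine and user side), one subkey per device class.
function Get-RemovableStoragePolicy {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $root = "$hive\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
        if (-not (Test-Path $root)) { continue }
        foreach ($k in (@(Get-Item $root) + @(Get-ChildItem $root))) {
            foreach ($v in $k.GetValueNames()) {
                if ($v -like 'Deny_*') {
                    New-Object PSObject -Property @{ Key = $k.Name; Value = $v; Data = $k.GetValue($v) }
                }
            }
        }
    }
}

Write-Host 'Storage driver start types:'
Get-StorageDriverState | Format-Table Driver, Start, Meaning -AutoSize

Write-Host 'Removable Storage Access deny values still present:'
Get-RemovableStoragePolicy | Format-Table Key, Value, Data -AutoSize

# Most recent Group Policy processing events on this machine.
Write-Host 'Recent Group Policy operational events:'
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 15 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
```

Registry values written outside the Policies keys stay in place after the GPO that set them stops applying, so a cdrom Start value of 4 or a leftover Deny_* value of 1 in either OU points to where the block is coming from.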
ASKER CERTIFIED SOLUTION
Sysops_bbf

This solution is only available to members.
It's a manual process and doesn't offer an easy way for mass roll-out.