Solved

Server 2008 R2 Reversing GPO Denying CD Write Access (Burn Rights)

Posted on 2013-11-06
Last Modified: 2013-11-07
I had a request from a client to deny certain Win7 computers the ability to write optical discs from their local CD/DVD burner/drives. I used the GPO at Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access > CD and DVD: Deny write access. I linked the GPO to an OU in which I placed the appropriate computers. This worked great! However, I got another request to ALLOW one of those same computers to burn discs again. So I just moved the computer back into the same OU as the other computers that always had burn rights, did a gpupdate /force on both the server and the client, rebooted the client, but the burner software displays the message that the user has no burn rights still. I then created a GPO that explicitly ALLOWED burn rights, but still no joy. What will it take to get the burn rights reassigned to these computers? Thanks!
Question by:tcianflone
9 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39628626
Check to make sure that the GPO is being applied. Use rsop.msc from the command prompt. Right click Computer Configuration and then select properties. From there you will see what policies are in fact still being applied to this machine.

Also reference the event viewer as well to ensure there are no error messages trying to undo the restrict access.

If the GPO is not being applied you can try and open gpedit.msc (local) and see if it is being applied there. If it is try changing it back and test again.


Will.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 39628657
Depends how you set the policy: if you used preferences, they do not undo; if you used more traditional settings, then these should undo once the policy no longer applies.

You can run gpresult and output to an HTML file all the applied settings, which policy is winning, etc. You could even try adding a filter to deny policy processing on the original policy for that computer or user.

Aside from that things can get a little buggy with policies, so maybe unpick what the policy "actually" does and reg hack it in reverse.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39628682
If the policy setting in the new GPO is "not configured" then it won't change the setting in the workstation's registry.  I suspect this may be what is going on.  You'd have to set the policy in the new GPO (at least temporarily) to allow this function and let it propagate so that that workstation's registry will be changed back to what is actually the default setting. IOW, for this specific policy, you have to set it to "Disabled" so that "Deny write access" is disabled, thereby enabling write access.
0
 
LVL 40

Expert Comment

by:footech
ID: 39628698
I would be focusing on whether group policy is being applied correctly (and from where).
Settings that are in Administrative Templates (at least most of them) should revert to their unconfigured state when the GPO no longer applies.  See this link for more detail:
http://gpoguy.com/whitepapers/understanding-policy-tattooing/
0
 
LVL 22

Expert Comment

by:Nick Rhode
ID: 39628716
Are the permissions possibly set to the user also?  To me it sounds like the system is not accepting the policy as stated earlier.  Typically you would move the workstation out and if the GPO is set to "Not Configured" it will reset those rights to default for that user or any user for that matter on the workstation.  I don't think your GPO is applying.  Can you do a gpupdate /result and see if it is accepting the new policy and view the HTML report?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39629300
Agreed with Hypercat. I will also recommend creating a new OU and applying the same policy that is applied, but set to disabled, and then moving the computer in question to this OU. If you apply the deny policy, registry changes are made on the workstation, and they are not changed if the computer is moved to a new OU, as the registry setting of deny is still tattooed.

Once the policy is applied you also need to reboot the client computer for the setting to take effect, as this is a computer policy.
0
 
LVL 14

Accepted Solution

by:
Raj-GT earned 2000 total points
ID: 39629788
I've seen this before and it's a bug. You need to remove the CD/DVD hardware from Device Manager and rescan/re-add the device after removing the machine from the policy.

Thanks.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 39629839
Go to the location below on the client:
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices
You will find 4-5 GUIDs, and in the right-hand pane you will see the deny_write key.

Replace the value of deny_write with the value given in deny_read.
0
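To tell which of the explanations in this thread applies on a given client (a GPO still applying, a deny value left behind in the policy registry, or neither), the policy keys can be read directly. This is an added example, not code from any poster; it assumes the Computer Configuration setting is stored under HKLM at the same relative path the comment above gives for HKCU, and the function name and report path are hypothetical.

```powershell
# Added example: read-only audit of removable-storage policy values on a client.
# Assumption: the computer-side policy lives under HKLM at the same relative
# path quoted in the thread for HKCU, so both hives are checked.
$relPath = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $root = "$hive\$relPath"
        if (-not (Test-Path $root)) { continue }   # no policy key in this hive

        # One subkey per device class, named by its GUID.
        foreach ($key in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($name in 'Deny_Read', 'Deny_Write') {
                $prop = $props.PSObject.Properties[$name]
                if ($null -ne $prop) {
                    # New-Object keeps this usable on PowerShell 2.0 (Windows 7).
                    New-Object PSObject -Property @{
                        Hive        = $hive
                        DeviceClass = $key.PSChildName
                        Setting     = $name
                        Data        = $prop.Value
                    }
                }
            }
        }
    }
}

$found = @(Get-RemovableStoragePolicy)
if ($found.Count -eq 0) {
    'No Deny_Read/Deny_Write values under the policy key in HKLM or HKCU.'
} else {
    $found | Select-Object Hive, DeviceClass, Setting, Data | Format-Table -AutoSize
}

# Resultant-set report for the computer side, to see which GPO (if any) is
# still delivering the setting. Run from an elevated prompt.
$report = Join-Path $env:TEMP 'gpresult-computer.html'   # hypothetical output path
gpresult /scope computer /h $report /f
"GPO report written to $report"
```

If the table is empty and the report shows no GPO delivering the setting, yet burning is still blocked, the policy registry is not the cause on that machine.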
 
LVL 1

Author Closing Comment

by:tcianflone
ID: 39630291
Shazzam! Brilliant! Logged in as administrator, removed the optical drive from device manager, rebooted, and it's burning again. Thanks!
0
