Solved

Admin Insufficient Write/Format Permissions w/ Removable Media Even After DCGPOFIX

Posted on 2014-02-03
34
511 Views
Last Modified: 2014-02-13
Experts,

I have a dire issue. Some tweeks were made with our Default Domain Pol that resulted in denying all from writing to or formatting removable media. Administrators do not have permissions, either. Yes, reboots were done after changes were made. Our backup system was denied write/format, too, which is extra bad.

So, as a last resort, we ran a DCGPOFIX to both Default and DC. After a reboot, an RSOP shows absolutely nothing that should be prohibiting anyone from writing to removable media. Everything went back to its dcpromo day where none of the policy settings were configured.

This is a single domain in its own forest not inhereting secpol from anything else. Please help!

Future thanks!
0
Comment
Question by:Michael L
  • 19
  • 12
  • 3
34 Comments
 
LVL 22

Expert Comment

by:Nick Rhode
Comment Utility
Try doing a gpupdate /force on a system then reboot to see if it pulls the new policy.
0
 

Author Comment

by:Michael L
Comment Utility
I've done this, plenty. Weird thing is, it takes the other updates. I even time stamped my Consent to Monitoring banner to make sure it updates every time, and it does. The only thing that won't budge is the write/format permission. It's almost as if it's protecting itself from... itself, i.e. blocking a write to that particular security setting, despite what my RSOP shows.
0
 
LVL 22

Accepted Solution

by:
Nick Rhode earned 167 total points
Comment Utility
I have seen this happen mainly with folder redirection.  What can happen is the settings get stuck on the local machine.  You can verify the settings on the local machine to see if they are in fact stuck.  Here is an article that explains the location on the local system.  Check it out

http://www.raymond.cc/blog/disable-write-access-to-removable-storage-devices/
0
 

Author Comment

by:Michael L
Comment Utility
Interesting; however, this affliction extends to CD/DVD writing, too. And my backup drives are RD1000, so I think it's eSATA in the bay it goes in. The only USB device I tried writing to was a USB CD/DVD writer.
0
 
LVL 22

Expert Comment

by:Nick Rhode
Comment Utility
Should be to pretty much anything removable.  Phones, flashdrivers, anything considered removable storage.  A USB CD/DVD rom drive with a DVD is removable storage etc.
0
 

Author Comment

by:Michael L
Comment Utility
I'll try this right now. I'll be back with a report :P
0
 

Author Comment

by:Michael L
Comment Utility
My registry didn't have the StorageDevicePolicies key, but I created one following the instructions. No dice.

Seems this might only be for non-server OS, though? My issue was with Win Server 2008 (not R2).
0
 

Author Comment

by:Michael L
Comment Utility
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Take a client where the restrictions are seen and run rsop.msc on it to show, what restrictions apply and where they originate.
0
 

Author Comment

by:Michael L
Comment Utility
@McKnife - I did an RSOP on a client the other day and it's receiving gp updates correctly. It's been a couple weeks of this issue, which means my backup is two weeks old :(

As soon as I can get back to my server, I'm going to try the Device Manager trick. It makes sense. If that doesn't work, I'll see about changing some registry key parameters. I'll let you guys know ASAP.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Well, it's important to look at the settings rsop reports. Are those restrictions reflected there in?
0
 

Author Comment

by:Michael L
Comment Utility
No, those restictions no longer showed even before the dcgpofix. I ran the dcgpofix after reverting back to no restrictions because the restrictions actually stuck, despite what the RSOP was showing. I'll double check as soon as I can, though.
0
 

Author Comment

by:Michael L
Comment Utility
I removed the device from Device Manager, after making sure nothing in RSOP showed any Deny, then rescanned and added it back. Still cannot format it. Should I have rebooted my server?

Also, I found a Deny_All registry key in HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices,
but it had a zero value.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 333 total points
Comment Utility
Could you try this script on a client to reset to defaults? http://gallery.technet.microsoft.com/scriptcenter/Reset-Removable-storage-782c9c02 Maybe the client needs to be restarted afterwards.
0
 

Author Comment

by:Michael L
Comment Utility
Download was blocked. Can I paste that code into a text file and save as .reg? If so, where would I put it? Double-clicking a registry file doesn't sound like a thing.

Edit 1: I'm sorry. Looks like I'll be saving it as .bat :P
Edit 2: Is this safe to run on my server?
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
No, this is a .reg file and YES, double clicking would do it - if your user is not local admin, you might need to open the commandline and use
reg import regfile.reg
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
> Is this safe to run on my server?
Of course. The content of any regfile is plain text, no macros or whatever code. If you are worried, please backup the whole branch HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices , first.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:Michael L
Comment Utility
Ok, I ran that reg. It created all the keys with 0 values. Rebooted. Still, my permissions are denied in writing to my RD1000. The only resriction showing in RSOP is the format/eject media (Computers and Users), which is set to allow Administrators only. I've been using the Admin account for all of this.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Ok, that was HKCU. I suppose you would need to do the same in HKLM now. Please check the keys there.
0
 

Author Comment

by:Michael L
Comment Utility
So, just change all the
[HKEY_CURRENT_USER\
to
[HKEY_LOCAL_MACHINE\
?
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
First check the keys there. Otherwise correct.
0
 

Author Comment

by:Michael L
Comment Utility
Keys were not there, so I ran the reg. It did the same for the LM that it did for the CU. Rebooted. Still cannot format/write, HOWEVER! My backup software, Yosemite, can write to the tape now. I checked it with a restore and it's good.

It still doesn't fix my problem with being able to format/write the backup drive or CD/DVDs, though :(

RSOP looks the same as it did before HKLM edits.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 333 total points
Comment Utility
At least one thing solved.
Another approach: while you try to write to DVD and you encounter the error message, you should monitor with procmon what windows does to determine it is not allowed.
But that would mean work.

You should get around it with a repair installation, insert your setup dvd while within windows, start setup and choose "upgrade" that will reset security settings to defaults. It should at least :)
0
 

Author Comment

by:Michael L
Comment Utility
I'll give this a shot tomorrow. They're gonna get frustrated with my reboots :P
0
 

Author Comment

by:Michael L
Comment Utility
Let me add something: When I try to write, it does tell me I "do not have permissions" to. It doesn't actually say, insufficient permissions, like it normally would with a GP block.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
What's the wording AND window title of that message?
0
 

Author Comment

by:Michael L
Comment Utility
When trying to write to backup drive...

Title: Destination Folder Access Denied
Wording: You need permission to perform this action.
Options: Try again/Cancel

I ran Process Monitor. Without knowing what to look for, I don't know what I'm looking at :P
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
What kind of backup drive is it, a hard drive/usb thumb dribe/usb hdd?
0
 

Author Comment

by:Michael L
Comment Utility
Dell RD1000, so basically an enclosed 2.5" hard drive.

http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=corp&sku=341-7183
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Do the inplace upgrade after performing a full backup.
0
 

Author Comment

by:Michael L
Comment Utility
I'll have to do this Monday when my customers are off. Thanks so far!
0
 

Author Comment

by:Michael L
Comment Utility
Ok, so here's where I'm at... I cannot find my Server 2008 disk :(
The only remaining issue I'm having is the RD1000 bay/drives. I can write to everything else but that. I don't need to do anything but back up to it, but I'd really like to get to the bottom of this.
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
Ask someone with a TechNet or MSDN subscription for an ISO file - they work with your key also.
0
 

Author Comment

by:Michael L
Comment Utility
I'm going to close this out. I think a repair might work, but all other avenues have been exhausted. Thanks, Nick and McKnife!
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

VM backup deduplication is a method of reducing the amount of storage space needed to save VM backups. In most organizations, VMs contain many duplicate copies of data, such as VMs deployed from the same template, VMs with the same OS, or VMs that h…
The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now