Solved

Admin Insufficient Write/Format Permissions w/ Removable Media Even After DCGPOFIX

Posted on 2014-02-03
Last Modified: 2014-02-13
Experts,

I have a dire issue. Some tweaks were made with our Default Domain Pol that resulted in denying all from writing to or formatting removable media. Administrators do not have permissions, either. Yes, reboots were done after changes were made. Our backup system was denied write/format, too, which is extra bad.

So, as a last resort, we ran a DCGPOFIX to both Default and DC. After a reboot, an RSOP shows absolutely nothing that should be prohibiting anyone from writing to removable media. Everything went back to its dcpromo day where none of the policy settings were configured.

This is a single domain in its own forest not inheriting secpol from anything else. Please help!

Future thanks!
0
Question by:Michael L
34 Comments
 
LVL 22

Expert Comment

by:Nick Rhode
ID: 39829760
Try doing a gpupdate /force on a system then reboot to see if it pulls the new policy.
0
 

Author Comment

by:Michael L
ID: 39829772
I've done this, plenty. Weird thing is, it takes the other updates. I even time stamped my Consent to Monitoring banner to make sure it updates every time, and it does. The only thing that won't budge is the write/format permission. It's almost as if it's protecting itself from... itself, i.e. blocking a write to that particular security setting, despite what my RSOP shows.
0
 
LVL 22

Accepted Solution

by:
Nick Rhode earned 167 total points
ID: 39829785
I have seen this happen mainly with folder redirection.  What can happen is the settings get stuck on the local machine.  You can verify the settings on the local machine to see if they are in fact stuck.  Here is an article that explains the location on the local system.  Check it out

http://www.raymond.cc/blog/disable-write-access-to-removable-storage-devices/
0

 

Author Comment

by:Michael L
ID: 39829815
Interesting; however, this affliction extends to CD/DVD writing, too. And my backup drives are RD1000, so I think it's eSATA in the bay it goes in. The only USB device I tried writing to was a USB CD/DVD writer.
0
 
LVL 22

Expert Comment

by:Nick Rhode
ID: 39830080
Should be to pretty much anything removable.  Phones, flash drives, anything considered removable storage.  A USB CD/DVD rom drive with a DVD is removable storage etc.
0
 

Author Comment

by:Michael L
ID: 39830116
I'll try this right now. I'll be back with a report :P
0
 

Author Comment

by:Michael L
ID: 39830244
My registry didn't have the StorageDevicePolicies key, but I created one following the instructions. No dice.

Seems this might only be for non-server OS, though? My issue was with Win Server 2008 (not R2).
0
 

Author Comment

by:Michael L
ID: 39830268
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39830300
Take a client where the restrictions are seen and run rsop.msc on it to show what restrictions apply and where they originate.
0
 

Author Comment

by:Michael L
ID: 39830596
@McKnife - I did an RSOP on a client the other day and it's receiving gp updates correctly. It's been a couple weeks of this issue, which means my backup is two weeks old :(

As soon as I can get back to my server, I'm going to try the Device Manager trick. It makes sense. If that doesn't work, I'll see about changing some registry key parameters. I'll let you guys know ASAP.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39830603
Well, it's important to look at the settings rsop reports. Are those restrictions reflected therein?
0
 

Author Comment

by:Michael L
ID: 39830613
No, those restrictions no longer showed even before the dcgpofix. I ran the dcgpofix after reverting back to no restrictions because the restrictions actually stuck, despite what the RSOP was showing. I'll double check as soon as I can, though.
0
 

Author Comment

by:Michael L
ID: 39832717
I removed the device from Device Manager, after making sure nothing in RSOP showed any Deny, then rescanned and added it back. Still cannot format it. Should I have rebooted my server?

Also, I found a Deny_All registry key in HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices, but it had a zero value.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 333 total points
ID: 39833201
Could you try this script on a client to reset to defaults? http://gallery.technet.microsoft.com/scriptcenter/Reset-Removable-storage-782c9c02 Maybe the client needs to be restarted afterwards.
0
 

Author Comment

by:Michael L
ID: 39833217
Download was blocked. Can I paste that code into a text file and save as .reg? If so, where would I put it? Double-clicking a registry file doesn't sound like a thing.

Edit 1: I'm sorry. Looks like I'll be saving it as .bat :P
Edit 2: Is this safe to run on my server?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39833231
No, this is a .reg file and YES, double clicking would do it - if your user is not local admin, you might need to open the command line and use
reg import regfile.reg
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39833285
> Is this safe to run on my server?
Of course. The content of any regfile is plain text, no macros or whatever code. If you are worried, please back up the whole branch HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices first.
0
 

Author Comment

by:Michael L
ID: 39833765
Ok, I ran that reg. It created all the keys with 0 values. Rebooted. Still, my permissions are denied in writing to my RD1000. The only restriction showing in RSOP is the format/eject media (Computers and Users), which is set to allow Administrators only. I've been using the Admin account for all of this.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39833793
Ok, that was HKCU. I suppose you would need to do the same in HKLM now. Please check the keys there.
0
 

Author Comment

by:Michael L
ID: 39833806
So, just change all the
[HKEY_CURRENT_USER\
to
[HKEY_LOCAL_MACHINE\
?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39833810
First check the keys there. Otherwise correct.
0
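
A read-only way to check the keys in both hives at once, as discussed above (an added example, not part of the thread and not the TechNet script linked earlier). It assumes PowerShell 2.0 or later; the function name Get-RemovableStorageRestriction is hypothetical, and the full StorageDevicePolicies path and its WriteProtect value name are the standard ones rather than something quoted in the thread.

```powershell
# Added example: lists removable-storage restrictions left behind in the registry.
# Nothing is written; run it as the affected user so HKCU is that user's hive.
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
)

function Get-RemovableStorageRestriction {
    param([string[]]$Path = $roots)

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            # An absent key means no restriction is configured at this location.
            New-Object PSObject -Property @{
                Key = $root; Name = '(key absent)'; Data = $null; Restricts = $false
            }
            continue
        }
        # The policy branch holds one subkey per device class, so walk all of it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Only Deny_* policy values and WriteProtect are of interest here.
                if ($name -notmatch '^(Deny_|WriteProtect$)') { continue }
                $data = $key.GetValue($name)
                New-Object PSObject -Property @{
                    Key = $key.Name; Name = $name; Data = $data
                    Restricts = ($data -ne 0)   # any non-zero value enforces the block
                }
            }
        }
    }
}

Get-RemovableStorageRestriction |
    Select-Object Restricts, Name, Data, Key |
    Sort-Object Restricts -Descending |
    Format-Table -AutoSize -Wrap
```

Rows with Restricts = True are the ones still enforcing a block, whatever RSOP reports.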
 

Author Comment

by:Michael L
ID: 39834001
Keys were not there, so I ran the reg. It did the same for the LM that it did for the CU. Rebooted. Still cannot format/write, HOWEVER! My backup software, Yosemite, can write to the tape now. I checked it with a restore and it's good.

It still doesn't fix my problem with being able to format/write the backup drive or CD/DVDs, though :(

RSOP looks the same as it did before HKLM edits.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 333 total points
ID: 39834025
At least one thing solved.
Another approach: while you try to write to DVD and you encounter the error message, you should monitor with Procmon what Windows does to determine it is not allowed.
But that would mean work.

You should get around it with a repair installation: insert your setup DVD while within Windows, start setup and choose "upgrade"; that will reset security settings to defaults. It should at least :)
0
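
For the Procmon suggestion above, one way to cut a capture down to the lines worth reading (an added example, not part of the thread). It assumes the capture was saved from Process Monitor as CSV with the default columns; the sample rows are constructed and the function name Get-ProcmonDenial is hypothetical.

```powershell
# Constructed sample rows in Process Monitor's default CSV column layout.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","2212","RegQueryValue","HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All","NAME NOT FOUND","Length: 16"
"10:01:02.3","explorer.exe","2212","CreateFile","E:\","SUCCESS","Desired Access: Read Attributes"
"10:01:02.4","explorer.exe","2212","CreateFile","E:\backup.bkf","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.9","explorer.exe","2212","CreateFile","E:\backup.bkf","ACCESS DENIED","Desired Access: Generic Write"
"10:01:03.0","svchost.exe","880","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies","NAME NOT FOUND","Desired Access: Read"
'@

function Get-ProcmonDenial {
    param(
        [Parameter(ValueFromPipeline = $true)]$Row,
        [string]$PathPattern = '.'          # regex; default keeps every path
    )
    begin { $hits = @() }
    process {
        # Keep outright denials, plus any read of the removable-storage policy
        # keys, since those show which setting Windows consulted before refusing.
        $isDenied     = $Row.Result -eq 'ACCESS DENIED'
        $isPolicyRead = ($Row.Operation -like 'Reg*') -and
                        ($Row.Path -match 'RemovableStorageDevices|StorageDevicePolicies')
        if (($isDenied -or $isPolicyRead) -and ($Row.Path -match $PathPattern)) {
            $hits += $Row
        }
    }
    end {
        # Collapse repeats so a retry loop shows up as one line with a count.
        $hits | Group-Object 'Process Name', Operation, Path, Result |
            Sort-Object Count -Descending |
            Select-Object Count, Name
    }
}

$sampleCsv -split '\r?\n' | ConvertFrom-Csv | Get-ProcmonDenial |
    Format-Table -AutoSize -Wrap
```

For a real capture, replace the sample with `Import-Csv` on the exported file. An ACCESS DENIED on a file path with no policy value set nearby points at permissions on the volume rather than at Group Policy.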
 

Author Comment

by:Michael L
ID: 39834042
I'll give this a shot tomorrow. They're gonna get frustrated with my reboots :P
0
 

Author Comment

by:Michael L
ID: 39834051
Let me add something: When I try to write, it does tell me I "do not have permissions" to. It doesn't actually say, insufficient permissions, like it normally would with a GP block.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39834056
What's the wording AND window title of that message?
0
 

Author Comment

by:Michael L
ID: 39834141
When trying to write to backup drive...

Title: Destination Folder Access Denied
Wording: You need permission to perform this action.
Options: Try again/Cancel

I ran Process Monitor. Without knowing what to look for, I don't know what I'm looking at :P
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39834152
What kind of backup drive is it, a hard drive/usb thumb drive/usb hdd?
0
 

Author Comment

by:Michael L
ID: 39834160
Dell RD1000, so basically an enclosed 2.5" hard drive.

http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=corp&sku=341-7183
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39834828
Do the in-place upgrade after performing a full backup.
0
 

Author Comment

by:Michael L
ID: 39835738
I'll have to do this Monday when my customers are off. Thanks so far!
0
 

Author Comment

by:Michael L
ID: 39851711
Ok, so here's where I'm at... I cannot find my Server 2008 disk :(
The only remaining issue I'm having is the RD1000 bay/drives. I can write to everything else but that. I don't need to do anything but back up to it, but I'd really like to get to the bottom of this.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39851921
Ask someone with a TechNet or MSDN subscription for an ISO file - they work with your key also.
0
 

Author Comment

by:Michael L
ID: 39856368
I'm going to close this out. I think a repair might work, but all other avenues have been exhausted. Thanks, Nick and McKnife!
0


Question has a verified solution.
