Michael L asked:

Admin Insufficient Write/Format Permissions w/ Removable Media Even After DCGPOFIX

Experts,

I have a dire issue. Some tweaks were made with our Default Domain Pol that resulted in denying all from writing to or formatting removable media. Administrators do not have permissions, either. Yes, reboots were done after changes were made. Our backup system was denied write/format, too, which is extra bad.

So, as a last resort, we ran a DCGPOFIX to both Default and DC. After a reboot, an RSOP shows absolutely nothing that should be prohibiting anyone from writing to removable media. Everything went back to its dcpromo day where none of the policy settings were configured.

This is a single domain in its own forest not inheriting secpol from anything else. Please help!

Future thanks!
Nick Rhode

Try doing a gpupdate /force on a system then reboot to see if it pulls the new policy.
Michael L (ASKER)

I've done this, plenty. Weird thing is, it takes the other updates. I even time stamped my Consent to Monitoring banner to make sure it updates every time, and it does. The only thing that won't budge is the write/format permission. It's almost as if it's protecting itself from... itself, i.e. blocking a write to that particular security setting, despite what my RSOP shows.
ASKER CERTIFIED SOLUTION
Nick Rhode

This solution is only available to members.
Interesting; however, this affliction extends to CD/DVD writing, too. And my backup drives are RD1000, so I think it's eSATA in the bay it goes in. The only USB device I tried writing to was a USB CD/DVD writer.
Should be to pretty much anything removable. Phones, flash drives, anything considered removable storage. A USB CD/DVD rom drive with a DVD is removable storage etc.
I'll try this right now. I'll be back with a report :P
My registry didn't have the StorageDevicePolicies key, but I created one following the instructions. No dice.

Seems this might only be for non-server OS, though? My issue was with Win Server 2008 (not R2).
McKnife
Take a client where the restrictions are seen and run rsop.msc on it to show what restrictions apply and where they originate.
@McKnife - I did an RSOP on a client the other day and it's receiving gp updates correctly. It's been a couple weeks of this issue, which means my backup is two weeks old :(

As soon as I can get back to my server, I'm going to try the Device Manager trick. It makes sense. If that doesn't work, I'll see about changing some registry key parameters. I'll let you guys know ASAP.
Well, it's important to look at the settings rsop reports. Are those restrictions reflected therein?
No, those restrictions no longer showed even before the dcgpofix. I ran the dcgpofix after reverting back to no restrictions because the restrictions actually stuck, despite what the RSOP was showing. I'll double check as soon as I can, though.
I removed the device from Device Manager, after making sure nothing in RSOP showed any Deny, then rescanned and added it back. Still cannot format it. Should I have rebooted my server?

Also, I found a Deny_All registry key in HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices,
but it had a zero value.
SOLUTION
This solution is only available to members.
Download was blocked. Can I paste that code into a text file and save as .reg? If so, where would I put it? Double-clicking a registry file doesn't sound like a thing.

Edit 1: I'm sorry. Looks like I'll be saving it as .bat :P
Edit 2: Is this safe to run on my server?
No, this is a .reg file and YES, double clicking would do it - if your user is not local admin, you might need to open the command line and use
reg import regfile.reg
> Is this safe to run on my server?
Of course. The content of any regfile is plain text, no macros or whatever code. If you are worried, please back up the whole branch HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices first.
Ok, I ran that reg. It created all the keys with 0 values. Rebooted. Still, my permissions are denied in writing to my RD1000. The only restriction showing in RSOP is the format/eject media (Computers and Users), which is set to allow Administrators only. I've been using the Admin account for all of this.
Ok, that was HKCU. I suppose you would need to do the same in HKLM now. Please check the keys there.
So, just change all the
[HKEY_CURRENT_USER\
to
[HKEY_LOCAL_MACHINE\
?
First check the keys there. Otherwise correct.
Keys were not there, so I ran the reg. It did the same for the LM that it did for the CU. Rebooted. Still cannot format/write, HOWEVER! My backup software, Yosemite, can write to the tape now. I checked it with a restore and it's good.

It still doesn't fix my problem with being able to format/write the backup drive or CD/DVDs, though :(

RSOP looks the same as it did before HKLM edits.
SOLUTION
This solution is only available to members.
I'll give this a shot tomorrow. They're gonna get frustrated with my reboots :P
Let me add something: When I try to write, it does tell me I "do not have permissions" to. It doesn't actually say, insufficient permissions, like it normally would with a GP block.
What's the wording AND window title of that message?
When trying to write to backup drive...

Title: Destination Folder Access Denied
Wording: You need permission to perform this action.
Options: Try again/Cancel

I ran Process Monitor. Without knowing what to look for, I don't know what I'm looking at :P
What kind of backup drive is it, a hard drive/usb thumb drive/usb hdd?
Dell RD1000, so basically an enclosed 2.5" hard drive.

http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=corp&sku=341-7183
Do the in-place upgrade after performing a full backup.
I'll have to do this Monday when my customers are off. Thanks so far!
Ok, so here's where I'm at... I cannot find my Server 2008 disk :(
The only remaining issue I'm having is the RD1000 bay/drives. I can write to everything else but that. I don't need to do anything but back up to it, but I'd really like to get to the bottom of this.
Ask someone with a TechNet or MSDN subscription for an ISO file - they work with your key also.
I'm going to close this out. I think a repair might work, but all other avenues have been exhausted. Thanks, Nick and McKnife!
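
The registry checks the posters did by hand (Deny_All under RemovableStorageDevices in HKCU and HKLM, plus the StorageDevicePolicies key) can be collected in one read-only pass. This is an added example, not code from the thread; the function name `Get-DenyValues` is hypothetical, and the StorageDevicePolicies path, its `WriteProtect` value and the per-class `Deny_Read`/`Deny_Write`/`Deny_Execute` values are the standard Windows locations, assumed here because the thread does not spell them out.

```powershell
# Added example (not from the thread): read-only audit of removable-storage policy values.
$policyRoots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
)
# Assumption: standard path of the StorageDevicePolicies key (the thread gives only its name).
$writeProtectKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-DenyValues {   # hypothetical helper name
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) {
        return New-Object PSObject -Property @{
            Key = $Root; Name = '(key absent)'; Value = $null; Blocking = $false
        }
    }
    # Deny_All sits on the root key; per-device-class subkeys carry
    # Deny_Read / Deny_Write / Deny_Execute.
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -like 'Deny_*') {
                $value = $key.GetValue($name)
                New-Object PSObject -Property @{
                    Key = $key.Name; Name = $name; Value = $value; Blocking = ($value -ne 0)
                }
            }
        }
    }
}

# Collect policy values from both hives.
$results = @($policyRoots | ForEach-Object { Get-DenyValues -Root $_ })

# WriteProtect = 1 makes removable storage read-only regardless of the policy keys above.
if (Test-Path -LiteralPath $writeProtectKey) {
    $wp = (Get-ItemProperty -LiteralPath $writeProtectKey).WriteProtect
    $results += New-Object PSObject -Property @{
        Key = $writeProtectKey; Name = 'WriteProtect'; Value = $wp; Blocking = ($wp -eq 1)
    }
}

$results | Select-Object Key, Name, Value, Blocking | Format-List
```

The HKCU results belong to whichever account runs the script, so run it as the account that sees the denial. Any row with `Blocking` set to True is a value that still restricts removable media even when RSOP shows nothing configured.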