Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 568
  • Last Modified:

Admin Insufficient Write/Format Permissions w/ Removable Media Even After DCGPOFIX

Experts,

I have a dire issue. Some tweeks were made with our Default Domain Pol that resulted in denying all from writing to or formatting removable media. Administrators do not have permissions, either. Yes, reboots were done after changes were made. Our backup system was denied write/format, too, which is extra bad.

So, as a last resort, we ran a DCGPOFIX to both Default and DC. After a reboot, an RSOP shows absolutely nothing that should be prohibiting anyone from writing to removable media. Everything went back to its dcpromo day where none of the policy settings were configured.

This is a single domain in its own forest not inhereting secpol from anything else. Please help!

Future thanks!
0
Michael L
Asked:
Michael L
  • 19
  • 12
  • 3
3 Solutions
 
Nick RhodeIT DirectorCommented:
Try doing a gpupdate /force on a system then reboot to see if it pulls the new policy.
0
 
Michael LPr. SysadminAuthor Commented:
I've done this, plenty. Weird thing is, it takes the other updates. I even time stamped my Consent to Monitoring banner to make sure it updates every time, and it does. The only thing that won't budge is the write/format permission. It's almost as if it's protecting itself from... itself, i.e. blocking a write to that particular security setting, despite what my RSOP shows.
0
 
Nick RhodeIT DirectorCommented:
I have seen this happen mainly with folder redirection.  What can happen is the settings get stuck on the local machine.  You can verify the settings on the local machine to see if they are in fact stuck.  Here is an article that explains the location on the local system.  Check it out

http://www.raymond.cc/blog/disable-write-access-to-removable-storage-devices/
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
Michael LPr. SysadminAuthor Commented:
Interesting; however, this affliction extends to CD/DVD writing, too. And my backup drives are RD1000, so I think it's eSATA in the bay it goes in. The only USB device I tried writing to was a USB CD/DVD writer.
0
 
Nick RhodeIT DirectorCommented:
Should be to pretty much anything removable.  Phones, flashdrivers, anything considered removable storage.  A USB CD/DVD rom drive with a DVD is removable storage etc.
0
 
Michael LPr. SysadminAuthor Commented:
I'll try this right now. I'll be back with a report :P
0
 
Michael LPr. SysadminAuthor Commented:
My registry didn't have the StorageDevicePolicies key, but I created one following the instructions. No dice.

Seems this might only be for non-server OS, though? My issue was with Win Server 2008 (not R2).
0
 
Michael LPr. SysadminAuthor Commented:
0
 
McKnifeCommented:
Take a client where the restrictions are seen and run rsop.msc on it to show, what restrictions apply and where they originate.
0
 
Michael LPr. SysadminAuthor Commented:
@McKnife - I did an RSOP on a client the other day and it's receiving gp updates correctly. It's been a couple weeks of this issue, which means my backup is two weeks old :(

As soon as I can get back to my server, I'm going to try the Device Manager trick. It makes sense. If that doesn't work, I'll see about changing some registry key parameters. I'll let you guys know ASAP.
0
 
McKnifeCommented:
Well, it's important to look at the settings rsop reports. Are those restrictions reflected there in?
0
 
Michael LPr. SysadminAuthor Commented:
No, those restictions no longer showed even before the dcgpofix. I ran the dcgpofix after reverting back to no restrictions because the restrictions actually stuck, despite what the RSOP was showing. I'll double check as soon as I can, though.
0
 
Michael LPr. SysadminAuthor Commented:
I removed the device from Device Manager, after making sure nothing in RSOP showed any Deny, then rescanned and added it back. Still cannot format it. Should I have rebooted my server?

Also, I found a Deny_All registry key in HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices,
but it had a zero value.
0
 
McKnifeCommented:
Could you try this script on a client to reset to defaults? http://gallery.technet.microsoft.com/scriptcenter/Reset-Removable-storage-782c9c02 Maybe the client needs to be restarted afterwards.
0
 
Michael LPr. SysadminAuthor Commented:
Download was blocked. Can I paste that code into a text file and save as .reg? If so, where would I put it? Double-clicking a registry file doesn't sound like a thing.

Edit 1: I'm sorry. Looks like I'll be saving it as .bat :P
Edit 2: Is this safe to run on my server?
0
 
McKnifeCommented:
No, this is a .reg file and YES, double clicking would do it - if your user is not local admin, you might need to open the commandline and use
reg import regfile.reg
0
 
McKnifeCommented:
> Is this safe to run on my server?
Of course. The content of any regfile is plain text, no macros or whatever code. If you are worried, please backup the whole branch HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices , first.
0
 
Michael LPr. SysadminAuthor Commented:
Ok, I ran that reg. It created all the keys with 0 values. Rebooted. Still, my permissions are denied in writing to my RD1000. The only resriction showing in RSOP is the format/eject media (Computers and Users), which is set to allow Administrators only. I've been using the Admin account for all of this.
0
 
McKnifeCommented:
Ok, that was HKCU. I suppose you would need to do the same in HKLM now. Please check the keys there.
0
 
Michael LPr. SysadminAuthor Commented:
So, just change all the
[HKEY_CURRENT_USER\
to
[HKEY_LOCAL_MACHINE\
?
0
 
McKnifeCommented:
First check the keys there. Otherwise correct.
0
 
Michael LPr. SysadminAuthor Commented:
Keys were not there, so I ran the reg. It did the same for the LM that it did for the CU. Rebooted. Still cannot format/write, HOWEVER! My backup software, Yosemite, can write to the tape now. I checked it with a restore and it's good.

It still doesn't fix my problem with being able to format/write the backup drive or CD/DVDs, though :(

RSOP looks the same as it did before HKLM edits.
0
 
McKnifeCommented:
At least one thing solved.
Another approach: while you try to write to DVD and you encounter the error message, you should monitor with procmon what windows does to determine it is not allowed.
But that would mean work.

You should get around it with a repair installation, insert your setup dvd while within windows, start setup and choose "upgrade" that will reset security settings to defaults. It should at least :)
0
 
Michael LPr. SysadminAuthor Commented:
I'll give this a shot tomorrow. They're gonna get frustrated with my reboots :P
0
 
Michael LPr. SysadminAuthor Commented:
Let me add something: When I try to write, it does tell me I "do not have permissions" to. It doesn't actually say, insufficient permissions, like it normally would with a GP block.
0
 
McKnifeCommented:
What's the wording AND window title of that message?
0
 
Michael LPr. SysadminAuthor Commented:
When trying to write to backup drive...

Title: Destination Folder Access Denied
Wording: You need permission to perform this action.
Options: Try again/Cancel

I ran Process Monitor. Without knowing what to look for, I don't know what I'm looking at :P
0
 
McKnifeCommented:
What kind of backup drive is it, a hard drive/usb thumb dribe/usb hdd?
0
 
Michael LPr. SysadminAuthor Commented:
Dell RD1000, so basically an enclosed 2.5" hard drive.

http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=corp&sku=341-7183
0
 
McKnifeCommented:
Do the inplace upgrade after performing a full backup.
0
 
Michael LPr. SysadminAuthor Commented:
I'll have to do this Monday when my customers are off. Thanks so far!
0
 
Michael LPr. SysadminAuthor Commented:
Ok, so here's where I'm at... I cannot find my Server 2008 disk :(
The only remaining issue I'm having is the RD1000 bay/drives. I can write to everything else but that. I don't need to do anything but back up to it, but I'd really like to get to the bottom of this.
0
 
McKnifeCommented:
Ask someone with a TechNet or MSDN subscription for an ISO file - they work with your key also.
0
 
Michael LPr. SysadminAuthor Commented:
I'm going to close this out. I think a repair might work, but all other avenues have been exhausted. Thanks, Nick and McKnife!
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

  • 19
  • 12
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now