User can't read from portable devices or removable drives

I have 3 workstations running Windows 7 and a server running 2012 Foundation.

I have a set of users that, for some reason, can't seem to access portable drives or other removable media, such as a DVD ROM.

In GPMC everything under User Configuration\Policies\Administrative Templates: Policy definitions\
All removable storage classes: deny all access = disabled
Allow active content from CDs to run on user machines = disabled
CD and DVD: Deny read access = disabled
CD and DVD: Deny write access = disabled
Floppy Drives: Deny read access = disabled
Floppy Drives: Deny write access = disabled
Prevent access to drives from My Computer = disabled
Removable Disks: Deny read access = disabled
Removable Disks: deny write access = disabled
Tape Drives: Deny read access = disabled
Tape drives: deny write access = disabled
WPD Devices: deny read access = disabled  
WPD Devices: deny write access = disabled

Under Computer Configuration\Policies\Administrative Templates, All settings view, All the same are set to disabled, with the addition of the "execute" permissions.  Everything else is set to "not configured."

When all but one of the users try to access a Canon PowerShot camera, they see the message "you do not have permission to access this device."  When trying to access the DVD drive they see "is not accessible, Access is denied."

I've manually run gpupdate, it appears to be running successfully, I've rebooted the workstations to see if that changes things - no dice.  I have no idea as to why the one workstation can access the camera.  Everybody ought to be under the same security policies.

All three users are associated with the Domain Users and staff groups.

What am I missing?
Azra Lyndsey (Nerd) Asked:

JAN PAKULA (ICT Infrastructure Manager) Commented:
Can you run Resultant Set of Policy under the logon of the working user, and after that under the logon of the not working user?

in cmd as admin


compare the difference
Azra Lyndsey (Nerd) Author Commented:
Looking at RSOP.msc, I see that under User configuration/Administrative Templates/system/ that all the blocks are indeed enabled.  They don't appear to want to change their minds about their current state.

I've not been able to look at the working user's computer at this point - but rsop.msc seems to confirm that the changes aren't propagating.

From an elevated command prompt I've tried to do gpupdate /force and still the same result.  So we're not getting the new GPO over.

What to try next?
JAN PAKULA (ICT Infrastructure Manager) Commented:
any loop back policies on this PC/user?

anything under event viewer relating to not working group policy - can you ping your domain controller by ip and fqdn

any errors on rsop user or computer configuration (right click it and choose properties)
Azra Lyndsey (Nerd) Author Commented:
I ping toes.local  > I get replies
I ping the IP directly > I get replies

Looking at Administrative Events in the Event Viewer I see that earlier today there was an error connecting to the domain controller.  Since this has been a problem, for about 4 weeks now, I see about 6 of the same errors occurring every now and then.   Still, when I run gpupdate /force, I get a successful message.
In RSoP, I right click on "Computer Configuration" and open the properties window, and I see no errors reported.  All "component names" are noted as "success" and under "details" I see that the last update was today at 4:27pm, "Group Policy Infrastructure completed successfully."
JAN PAKULA (ICT Infrastructure Manager) Commented:
so it has to be some kind of loopback policy on the user/PC

or user/PC do not have read permission on this new group policy

or user/pc have deny  permission on this new group policy

Can you move user account to top level of the domain  do gpupdate /force  from elevated cmd + restart

test it then

if no joy do the same with computer account
Azra Lyndsey (Nerd) Author Commented:
I elevated the user to administrator and domain administrator, rebooted, ran GPUpdate /force as you suggested and restarted the computer.  

Looking at RSoP again, everything appears to be in line.  But I can't adequately check as the staff has left for the day and for some reason took the disk out of the drive - so I can't test to make sure that they're working until tomorrow.

When I log on to the workstation with the domain's administrator credentials, I can get to the drive (as much as possible without a disk.)  But when I click on the drive from the user's account, I'm still seeing an access denied error.  I'm not sure I understand this as the user now is a member of the same groups as the administrator account.

Are you still thinking that loopback is a problem?  If so, I'm not sure how to figure that out... either!
JAN PAKULA (ICT Infrastructure Manager) Commented:
Don't elevate the user to administrator.  Just move the user account (in Active Directory Users and Computers) to the top level organisation unit. (So it's out of the OU where group policy is applied.) If that doesn't work do the same with the computer.

Any funny group memberships for staff ?

You could check the default domain group policy and check if the staff group doesn't have deny access to external devices there
JAN PAKULA (ICT Infrastructure Manager) Commented:
any update?
Azra Lyndsey (Nerd) Author Commented:
I hope to be able to spend some time on this Friday afternoon or evening.  I've been pulled from this office into another to help with a deployment that went wrong when all the cabinets got installed without cutouts being made.  Fortunately, I know how to cuss, use a saw, and a tape measure.
Azra Lyndsey (Nerd) Author Commented:
Staff members are part of the Domain Users and Staff groups.

I moved one of the users from the "users" folder to the top of the OU (I think, ha!).  

I ran gpupdate from the user's computer then tried to access the D drive.  It's still tossing an access denied error.  I'm awaiting a window where I can reboot the machine and see if that changes things.

What else can I be looking for?
Azra Lyndsey (Nerd) Author Commented:
The user just did a reboot, and I see that we still are seeing an "access denied" message when trying to access the DVD ROM.
Azra Lyndsey (Nerd) Author Commented:
I just created a test user and added them to the same groups that the current users are part of.  That user was able to access documents just fine.  Is the solution really to wipe and re-create users, or is there a better way?
Azra Lyndsey (Nerd) Author Commented:
I ended up just creating new users, that worked.

Azra Lyndsey (Nerd) Author Commented:
I would have rather fixed this, but I needed to get this done to meet certain deadlines.
I had a similar problem, and after days of trying to revert the GPO from deny to allow, I ended up finding a solution as simple as uninstalling the device, in my case the CD/DVD drive, moving the PC to an OU with no GPO, then rebooting the PC to reinstall the device. I moved it back to the correct OU containing the GPO and all is well again.
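
An added example, not part of the thread: a PowerShell 2.0 script that lists the removable-storage deny values Group Policy has actually written to the registry for the machine and for the logged-on user, so the affected and unaffected accounts can be compared directly. The function name `Get-RemovableStoragePolicy` is made up for this example; run it in the affected user's session.

```powershell
# Added example. Reads the policy registry location where the
# "Removable Storage Access" settings listed in the question are stored,
# in both the machine hive (HKLM) and the current user's hive (HKCU).
$relative = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    param([string[]]$Hives = @('HKLM:', 'HKCU:'))

    foreach ($hive in $Hives) {
        $root = "$hive\$relative"
        if (-not (Test-Path $root)) { continue }   # no policy in this hive

        # The root key carries Deny_All; each subkey is one device-class GUID
        # (CD/DVD, removable disks, WPD, ...) carrying Deny_Read/Write/Execute.
        $keys = @(Get-Item $root) +
                @(Get-ChildItem $root -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                if ($name -notlike 'Deny_*') { continue }
                New-Object PSObject -Property @{
                    Hive    = $hive
                    Class   = $key.PSChildName
                    Setting = $name
                    Value   = $key.GetValue($name)   # 1 = deny in force
                }
            }
        }
    }
}

$found = @(Get-RemovableStoragePolicy)
if ($found.Count -eq 0) {
    'No removable-storage policy values present for this user or machine.'
} else {
    $found | Sort-Object Hive, Class, Setting |
        Format-Table Hive, Class, Setting, Value -AutoSize
}
```

A `Deny_*` value of 1 under HKCU that appears for the affected account but not for a freshly created one points at a stale per-user policy rather than the GPO currently linked.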
Question has a verified solution.