• Status: Solved
  • Priority: Medium
  • Security: Public

User can't read from portable devices or removable drives

I have 3 workstations running Windows 7 and a server running 2012 Foundation.

I have a set of users that, for some reason, can't seem to access portable drives or other removable media, such as a DVD ROM.

In GPMC everything under User Configuration\Policies\Administrative Templates: Policy definitions\
All removable storage classes: deny all access = disabled
Allow active content from CDs to run on user machines = disabled
CD and DVD: Deny read access = disabled
CD and DVD: Deny write access = disabled
Floppy Drives: Deny read access = disabled
Floppy Drives: Deny write access = disabled
Prevent access to drives from My Computer = disabled
Removable Disks: Deny read access = disabled
Removable Disks: deny write access = disabled
Tape Drives: Deny read access = disabled
Tape drives: deny write access = disabled
WPD Devices: deny read access = disabled  
WPD Devices: deny write access = disabled

Under Computer Configuration\Policies\Administrative Templates, All settings view, All the same are set to disabled, with the addition of the "execute" permissions.  Everything else is set to "not configured."

When all but one of the users try to access a Canon PowerShot camera, they see the message "you do not have permission to access this device."  When trying to access the DVD drive they see "is not accessible, Access is denied."

I've manually run gpupdate, it appears to be running successfully, I've rebooted the workstations to see if that changes things - no dice.  I have no idea as to why the one workstation can access the camera.  Everybody ought to be under the same security policies.

All three users are associated with the Domain Users and staff groups.

What am I missing?
Asked: Azra Lyndsey
1 Solution
 
JAN PAKULA Commented:
Can you run Resultant Set of Policies under the logon of the working user, and after that under the logon of the non-working user?

In cmd as admin:

rsop.msc

Compare the difference.
0
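
Added example (not part of the thread): one way to do the comparison suggested above from a single elevated prompt, using gpresult's XML report instead of opening rsop.msc once per user. The account names are placeholders, and the script assumes both users have logged on to this workstation and that the report has the Rsop/UserResults/GPO layout that gpresult /x writes.

```powershell
# Added example, not from the thread. Run elevated on the affected workstation.
# Account names are placeholders; both users must have logged on to this PC once.
$WorkingUser = 'EXAMPLE\workinguser'   # placeholder
$BrokenUser  = 'EXAMPLE\brokenuser'    # placeholder

function Get-UserGpoSummary {
    param([string]$User)

    $safe = $User -replace '[\\/:]', '_'
    $file = Join-Path $env:TEMP "rsop_$safe.xml"

    # /scope user limits the report to user settings; /x writes XML; /f overwrites
    & gpresult.exe /user $User /scope user /x $file /f | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "gpresult failed for $User (exit code $LASTEXITCODE)"
    }

    $rsop = New-Object System.Xml.XmlDocument
    $rsop.Load($file)

    # One row per GPO that was considered for this user, applied or not
    foreach ($gpo in $rsop.Rsop.UserResults.GPO) {
        New-Object psobject -Property @{
            User          = $User
            Name          = $gpo.Name
            Enabled       = $gpo.Enabled
            FilterAllowed = $gpo.FilterAllowed   # false: the GPO's WMI filter excluded it
            AccessDenied  = $gpo.AccessDenied    # true: the account could not read the GPO
        }
    }
}

$good = @(Get-UserGpoSummary $WorkingUser)
$bad  = @(Get-UserGpoSummary $BrokenUser)

# Rows marked <= exist only for the working user, => only for the non-working user
Compare-Object $good $bad -Property Name, Enabled, FilterAllowed, AccessDenied |
    Sort-Object Name |
    Format-Table Name, Enabled, FilterAllowed, AccessDenied, SideIndicator -AutoSize
```

No output rows means both accounts received the same set of user-scope GPOs with the same filtering results.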
 
Azra Lyndsey (Nerd, Author) Commented:
Looking at RSOP.msc, I see that under User configuration/Administrative Templates/system/ that all the blocks are indeed enabled.  They don't appear to want to change their minds about their current state.

I've not been able to look at the working user's computer at this point - but rsop.msc seems to confirm that the changes aren't propagating.

From an elevated command prompt I've tried to do gpupdate /force and still the same result.  So we're not getting the new GPO over.

What to try next?
0
 
JAN PAKULA Commented:
Any loopback policies on this PC/user?

Anything under Event Viewer relating to Group Policy not working? Can you ping your domain controller by IP and FQDN?

Any errors on RSoP user or computer configuration (right click it and choose Properties)?
0

 
Azra Lyndsey (Nerd, Author) Commented:
I ping toes.local  > I get replies
I ping the IP directly > I get replies

Looking at Administrative Events in the Event Viewer I see that earlier today there was an error connecting to the domain controller.  Since this has been a problem, for about 4 weeks now, I see about 6 of the same errors occurring every now and then.   Still, when I run gpupdate /force, I get a successful message.
In RSoP, I right click on "Computer Configuration" and open the properties window, and I see no errors reported.  All "component names" are noted as "success" and under "details" I see that the last update was today at 4:27pm, "Group Policy Infrastructure completed successfully."
0
 
JAN PAKULA Commented:
So it has to be some kind of loopback policy on the user/PC,

or the user/PC does not have read permission on this new group policy,

or the user/PC has deny permission on this new group policy.

Can you move the user account to the top level of the domain, do gpupdate /force from an elevated cmd, and restart?

Test it then.

If no joy, do the same with the computer account.
0
 
Azra Lyndsey (Nerd, Author) Commented:
I elevated the user to administrator and domain administrator, rebooted, ran GPUpdate /force as you suggested and restarted the computer.  

Looking at RSoP again, everything appears to be in line.  But I can't adequately check as the staff has left for the day and for some reason took the disk out of the drive - so I can't test to make sure that they're working until tomorrow.

When I log on to the workstation with the domain's administrator credentials, I can get to the drive (as much as possible without a disk.)  But when I click on the drive from the user's account, I'm still seeing an access denied error.  I'm not sure I understand this as the user now is a member of the same groups as the administrator account.

Are you still thinking that loopback is a problem?  If so, I'm not sure how to figure that out... either!
0
 
JAN PAKULA Commented:
Don't elevate the user to administrator.  Just move the user account (in Active Directory Users and Computers) to the top level organisation unit. (So it's out of the OU where the group policy is applied.) If that doesn't work, do the same with the computer.

Any funny group memberships for staff?

You could check the default domain group policy and check if the staff group doesn't have deny access to external devices there.
0
 
JAN PAKULA Commented:
Any update?
0
 
Azra Lyndsey (Nerd, Author) Commented:
I hope to be able to spend some time on this Friday afternoon or evening.  I've been pulled from this office into another to help with a deployment that went wrong when all the cabinets got installed without cutouts being made.  Fortunately, I know how to cuss, use a saw, and a tape measure.
0
 
Azra Lyndsey (Nerd, Author) Commented:
Staff members are part of the Domain Users and Staff groups.

I moved one of the users from the "users" folder to the top of the OU (I think, ha!).  

User-moved-to-top-of-OU.png
I ran gpupdate from the user's computer then tried to access the D drive.  It's still tossing an access denied error.  I'm awaiting a window where I can reboot the machine and see if that changes things.

What else can I be looking for?
0
 
Azra Lyndsey (Nerd, Author) Commented:
The user just did a reboot, and I see that we still are seeing an "access denied" message when trying to access the DVD ROM.
0
 
Azra Lyndsey (Nerd, Author) Commented:
I just created a test user and added them to the same groups that the current users are part of.  That user was able to access documents just fine.  Is the solution really to wipe and re-create users, or is there a better way?
0
 
Azra Lyndsey (Nerd, Author) Commented:
I ended up just creating new users, that worked.
0
 
Azra Lyndsey (Nerd, Author) Commented:
I would have rather fixed this, but I needed to get this done to meet certain deadlines.
0
 
kathyakh Commented:
I had a similar problem and, after days of trying reverting the GPO from deny to allow, I ended up finding a solution as simple as uninstalling the device, in my case the CD/DVD drive, moving the PC to an OU with no GPO, then rebooting the PC to reinstall the device. I moved it back to the correct OU containing the GPO and all is well again.
0
