Locked Only Administrator can burn CD/DVDs

  • Friday, September 25, 2009 3:19 PM
    We are running Server 2008 as a file server.  We have three users: Xadministrator (we renamed administrator) and WECAdmin, both members of administrator group, and User, part of Users group.  The Xadministrator can write to CD/DVD, but both WECAdmin and User cannot.  Group policy settings are not restricting access to removable media devices. Help.

All Replies

  • Saturday, September 26, 2009 8:44 AM

    I suggest logging in as Xadministrator and running gpresult /v > test.txt, then logging in as WECAdmin and running gpresult /v > test1.txt.
    After that, compare the two for any suspicious GPO.
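    One way to do that comparison in one step, as an added example that is not part of the thread: it captures the verbose per-user RSoP for both accounts named above, diffs the two reports with Compare-Object, and checks the registry location where the "Removable Storage Access" policy that Wilson mentions is stored (the RemovableStorageDevices key is an assumption about where that policy lands; it is not cited in the thread). It assumes both accounts have logged on at least once, since gpresult needs their profiles, and that it is run from an elevated prompt.

```powershell
# Added example, not code from the thread. Collects gpresult /v for two local
# accounts and reports the lines that differ, then looks for removable-storage
# restrictions in policy. Account names are the ones used in the thread.
$users  = @('Xadministrator', 'WECAdmin')
$outDir = Join-Path $env:TEMP 'rsop-compare'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($u in $users) {
    # /scope user limits the report to the per-user branch; /user selects whose RSoP to read.
    gpresult /v /scope user /user $u > (Join-Path $outDir "$u.txt")
}

$reference  = Get-Content (Join-Path $outDir 'Xadministrator.txt')
$difference = Get-Content (Join-Path $outDir 'WECAdmin.txt')

# Drop lines that always differ (timestamps, account name, profile path) so only
# policy content remains. '<=' = only in the Xadministrator report, '=>' = only in WECAdmin's.
Compare-Object -ReferenceObject $reference -DifferenceObject $difference |
    Where-Object { $_.InputObject -notmatch '^\s*(Created On|Last time Group Policy|RSOP data|Local Profile)' } |
    Format-Table -AutoSize

# Assumed location of the "Removable Storage Access" policy (Deny_Write etc. per device class).
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
    if (Test-Path $key) {
        Write-Output "Removable storage policy present under $hive:"
        Get-ChildItem $key -Recurse | ForEach-Object { Get-ItemProperty $_.PSPath }
    } else {
        Write-Output "No removable storage policy under $hive"
    }
}
```

An empty Compare-Object result, as in Pat's reports further down, means Group Policy is not what separates the two accounts and the cause has to be looked for elsewhere.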

  • Monday, September 28, 2009 2:30 AM
    Moderator
    Hi Pat,

    In addition to Sean's suggestion, please paste the error message word for word that WECAdmin and User get when they cannot burn a CD. You may run "rsop.msc" to verify whether a USB device restriction policy is applied to the WECAdmin and User accounts.

    Best Regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Monday, September 28, 2009 2:25 PM

    I'll try Sean's suggestion shortly.  Wilson, there is no error message.  In "My Computer" the "Burn to Disc" tab is not there for User or WECAdmin.  Also, the right-click context menu for files or folders "Send To" is missing the "DVD RW Drive" option.  I will run rsop.msc and check for the USB drive restriction, but we have gone over the group policy options and find nothing obvious that will fix the problem.  Thanks for the suggestions.  Please note that the problem exists on 5 identical servers, clean installs.

    I did run the 2 gpresult tests (ran one for User also).  See below.


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 9/28/2009 at 7:29:26 AM

     

    RSOP data for WIN-CXPXU5PZTM9\Administrator on WIN-CXPXU5PZTM9 : Logging Mode
    ------------------------------------------------------------------------------

    OS Configuration:            Standalone Server
    OS Version:                  6.0.6002
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Administrator
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
       
        Last time Group Policy was applied: 9/28/2009 at 7:13:26 AM
        Group Policy was applied from:      N/A
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        WIN-CXPXU5PZTM9
        Domain Type:                        <Local Computer>

        Applied Group Policy Objects
        -----------------------------
            Local Group Policy

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            NT AUTHORITY\Authenticated Users
            System Mandatory Level
           
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                N/A

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                N/A

                N/A

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Local Group Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Reliability\ShutdownReasonOn
                    Value:       0, 0, 0, 0
                    State:       Enabled

                GPO: Local Group Policy
                    KeyName:     Software\Policies\Microsoft\Windows NT\Reliability\ShutdownReasonUI
                    State:       disabled


    USER SETTINGS
    --------------
       
        Last time Group Policy was applied: 9/28/2009 at 7:27:02 AM
        Group Policy was applied from:      N/A
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        WIN-CXPXU5PZTM9
        Domain Type:                        <Local Computer>
       
        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            None
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            NTLM Authentication
            High Mandatory Level
           
        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Shut down the system
            Force shutdown from a remote system
            Take ownership of files or other objects
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Remove computer from docking station
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Change the time zone
            Create symbolic links
            Increase a process working set

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 9/28/2009 at 7:41:55 AM

     

    RSOP data for WIN-CXPXU5PZTM9\WECAdmin on WIN-CXPXU5PZTM9 : Logging Mode
    -------------------------------------------------------------------------

    OS Configuration:            Standalone Server
    OS Version:                  6.0.6002
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\WECAdmin
    Connected over a slow link?: No


    USER SETTINGS
    --------------
       
        Last time Group Policy was applied: 9/28/2009 at 7:40:56 AM
        Group Policy was applied from:      N/A
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        WIN-CXPXU5PZTM9
        Domain Type:                        <Local Computer>
       
        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            None
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            NTLM Authentication
            High Mandatory Level
           
        The user has the following security privileges
        ----------------------------------------------


        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                N/A

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A

    Nothing obvious that I can see.

    Pat

  • Wednesday, September 30, 2009 7:58 AM
    Moderator
    Hi Pat,

    You may try copying Xadministrator's SendTo option "DVD RW Drive" from C:\Users\XAdministrator\AppData\Roaming\Microsoft\Windows\SendTo to the other problematic users' SendTo list "%userprofile%\AppData\Roaming\Microsoft\Windows\SendTo".

    Can these users burn CD/DVDs via SendTo now?

    Best Regards,
    Wilson Jia

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Wednesday, September 30, 2009 3:43 PM
    Wilson,

    No help, they were identical. 

    Has Microsoft removed the capability from Server 2008 to write to CD/DVD if not the actual administrator?  I tried adding the User to the Backup group, no help. I changed the "Removable Storage Access" service from manual to automatic, all no help.
  • Wednesday, November 18, 2009 4:51 PM
     Answered
    Hi Pat,

      Burning in Server 2008 (and 2008 R2) is *blocked* to any logged in user not running fully elevated.  This means that to burn in Windows Server 2008 and later, you have two options that should maintain the security and integrity of your server system:

    1.  Log in as local system administrator and burn using the built in functionality.
    2.  Download and use a third party burning solution that has been elevated at runtime.

    There are other solutions, however they are not recommended and with the information I've provided, you can probably figure out what they are, but as I stated, they are not recommended because they will diminish the security of the system.

    Hope this helps!

    Mike Poz [MSFT]
  • Thursday, November 19, 2009 4:32 AM
    ls01c

     That is not sufficient for this scenario.  Making any account part of the administrator's group still runs under UAC and so is not fully elevated.

    Thanks!
    Mike Poz [MSFT]
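    The distinction Mike draws, membership in the Administrators group versus actually running fully elevated, can be seen directly from the token. The following is an added example, not code from the thread or from Microsoft; it only reads the current session's token through .NET and whoami and changes nothing. Run it once from an ordinary prompt as WECAdmin and once from a prompt started with "Run as administrator" to see the two results side by side.

```powershell
# Added example, not code from the thread. Reports whether the current session
# is merely a member of Administrators or holds a full (unfiltered) token.
function Get-ElevationState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminsSid = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

    # Group membership survives UAC token filtering: the SID stays in the token,
    # flagged deny-only. So this is True for WECAdmin even in an ordinary session.
    $memberOfAdmins = [bool]($identity.Groups | Where-Object { $_ -eq $adminsSid })

    # IsInRole only counts SIDs usable for access checks, so it is True only with
    # the full token: "Run as administrator", or the built-in Administrator account,
    # which is exempt from Admin Approval Mode by default.
    $fullyElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The integrity label tells the same story: Medium for a filtered token, High for a full one.
    $labelLine = (whoami /groups) | Where-Object { $_ -match 'Mandatory Level' } | Select-Object -First 1
    $label = ($labelLine -replace '.*\\', '') -replace '\s{2,}.*', ''

    New-Object PSObject -Property @{
        User           = $identity.Name
        MemberOfAdmins = $memberOfAdmins
        FullyElevated  = $fullyElevated
        IntegrityLevel = $label
    }
}

Get-ElevationState | Format-List User, MemberOfAdmins, FullyElevated, IntegrityLevel
```

For the accounts in this thread, MemberOfAdmins is True for both Xadministrator and WECAdmin, while FullyElevated and a High integrity label appear only for Xadministrator's normal session or for an explicitly elevated one, which is exactly the condition the built-in burning feature requires.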
  • Thursday, November 19, 2009 9:25 AM
    yeap, that is true. thanks for clarifying.
  • Friday, December 11, 2009 3:46 PM
    I want to run the built-in 'Windows Disk Image Burner' by right-clicking an ISO file and selecting ‘Burn disk image’.  How do I change a right-click command to run with fully elevated privileges (run as if you right-clicked a process and selected ‘Run as administrator’)?
     
    I would like to use ImgBurn without having to right-click and ‘Run as administrator’.  How do I run a program with  fully elevated privileges without right-clicking and ‘Run as administrator’?  (I would be okay with modifying a shortcut.)
     
  • Friday, December 11, 2009 4:42 PM
    Hi Drew,

    For regular executables, you would right-click them and select Properties.  In the Properties dialog, click the Compatibility tab and check the box at the bottom.

    Unfortunately because the image burning software (ISOBurn.exe) relies on information from Explorer and in this case Explorer is not running fully elevated, simply elevating ISOBurn.exe won't be sufficient to make it work.

    As I stated previously, your current options are (and remain):

    1.  Log in as local system administrator and burn using the built in functionality.
    2.  Download and use a third party burning solution that has been elevated at runtime.

    Sorry it's not what you want to hear.

    Thanks!
    Mike Poz [MSFT]
  • Friday, December 11, 2009 9:26 PM
    With ImgBurn, located at "C:\Program Files (x86)\ImgBurn\ImgBurn.exe", I was able to right-click on the .exe, Compatibility, Run this program as an administrator.  Now when I right-click on an ISO and choose “Burn using ImgBurn”, it works (as does all burning functions in ImgBurn).
     
    With isoburn.exe (the built-in application, 'Windows Disk Image Burner') located at “C:\Windows\System32\isoburn.exe”, I could not set the properties on the .exe due to the tighter default permissions on Windows Server 2008 R2.  So the right-click on an ISO and choosing “Burn disk image” (which is the built-in ‘Windows Disk Image Burner’) does not work.
     
  • Friday, December 11, 2009 10:28 PM
    Hi Drew,

    ImgBurn.exe is not a Microsoft product, it is a third party product and very obviously falls within the scope of item #2 in the list that I have posted twice before and once more below:

    1.  Log in as local system administrator and burn using the built in functionality.
    2.  Download and use a third party burning solution that has been elevated at runtime.

    The inbox ISO burning solution (ISOBurn.exe) works as designed when logged in as local system administrator, also a by design requirement for Windows Server 2008 R2.  You very obviously now have a third party solution in place, so I do not understand the purpose of your followup post regarding ISOBurn.exe.

    Do you have more questions?  If so, could you please state them clearly?

    Thanks!
    Mike Poz [MSFT]
  • Monday, December 14, 2009 1:11 PM

    My statement was more of an answer, but I do have a question.  How do I use the inbox ISO burning solution (ISOBurn.exe) while logged onto a Windows Server R2 console using a domain account that has admin rights (the account is in the Domain Admins group) but the account is not THE local "Administrator" account?

  • Monday, December 14, 2009 8:29 PM
     Proposed

    There are two ways to do this using accounts that are not the LocalSystem\Administrator account and honestly neither are recommended because both greatly reduce security on your server system.

    The first is to kill the Explorer.exe process and then relaunch Explorer fully elevated.  This has the side effect of making *every* process you launch also fully elevated, including any malware or viruses that you happen to come across in IE when clicking around the internet. You would have to do this after each reboot, so this is the lesser of the two evils.

    The second is to turn off UAC.  This is the greater of the two evils because it persists across reboots.

    Again, neither of these things is recommended; however, it is your system, and if you choose to do either of these things it is with the complete knowledge that you are doing this against advice, due to the fact that you are compromising the server's security.

    I cannot stress strongly enough that you should NOT do either of these things if you are intent on maintaining the security of your server system.

    Thanks!
    Mike Poz [MSFT]


    • Proposed As Answer by DrewW NFS Tuesday, December 15, 2009 9:16 PM
  • Tuesday, December 15, 2009 9:23 PM

    Both of those worked! Thanks Mike.

    I just wish there was a way to always allow a user with administrator rights to burn a CD/DVD without having to crash Explorer or turn off UAC.  It is ridiculous to me that that is not possible.
     
    I do not see, on a server OS, how it is a security risk for a user with administrative rights to burn a disk.

  • Wednesday, December 16, 2009 3:18 AM

    Both of those worked! Thanks Mike.

    I just wish there was a way to always allow a user with administrator rights to burn a CD/DVD without having to crash Explorer or turn off UAC.  It is ridiculous to me that that is not possible.
     
    I do not see, on a server OS, how it is a security risk for a user with administrative rights to burn a disk.


    I can actually answer that question.  There is a Denial of Service hazard in the SCSI Passthrough that will bring a server to its knees, making it completely unavailable.  It was determined that the server owners (companies mostly) would rather have a functioning server, immune from this attack vector, and make do with third party solutions for burning, because of the need to have local user confirmation of elevation of that third party software when you run it.  But then again, most companies will use client systems to burn, not use server systems as clients/workstations.

    As for marking my post as an answer, please remove that mark, I am not proposing that as the solution, I quite clearly stated that this is NOT something you should do and I do not want this being proposed as a solution to work around something that is actually by design for security reasons.  I only posted it to illustrate to you just how vulnerable you need to make your server to use burning.

    So if you insist on running your server system without the most basic protection of UAC then anything bad that happens to your system because of this change is entirely your fault, and I hope that you are willing to accept the consequences of that choice.

    Thanks!
    Mike Poz [MSFT]
  • Tuesday, March 09, 2010 3:07 PM
    Sorry to bring this thread back to life again. I fully understand the risk of lowering my system's security, but since my server is off the internet and used for video capture purposes, I think I am safe there.

    I actually have to enable the CD/DVD burning function for a third party software that this server was built for, to be able to export video recordings for CD/DVD burning.
    I did what you suggested: crashing Explorer and re-launching it as administrator would do the trick; but for UAC, I have slid it all the way down, and that did not do the trick, unless there is another way of turning off UAC in R2?

    Since the UAC method is not working out for me, would I be able to script the crashing of explorer.exe and relaunch it with elevated rights?

    Thanks a lot !
  • Tuesday, March 09, 2010 10:01 PM
    ...UAC, I have it slide it all the way down, that did not do the trick, unless there is another way of turning off UAC in R2?

    Did you make sure to reboot the computer after making the change?

    If not, please do so to see if that makes a difference.  If it does not, then there's something else wrong with your system and you should ask on the UAC newsgroup for assistance as killing off the Explorer process is a temporary measure only.

    Here is the Server R2 general newsgroup for follow-up if rebooting the system does not resolve the "turning off UAC" issue.

    http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/threads

    Thanks!
    Mike Poz [MSFT]