none
Windows 2008R2 Domain Group Policy for CD/Removable Disk Writing

    Question

  • Following several forum pages for setting up a group policy to restrict writing to CD/DVD and removable drives to a specified Group, I find myself stuck as to why it is not working. 

    I have a 2008R2 AD server with a special group just for writing to CD/DVD and removable drives. I have two group policies: the first , default policy, restricts all users from writing to removable media (among all the other default group policy settings) and the second policy allows certain people in the specified group and Admins to write.

    I modified the following policies:

    User Configuration->Administrative Templates->System->Removable Storage Access

    - Deny write * = Enabled (Base Policy)/Disabled (sub policy)

    User Configuration->Administrative Templates->Windows Components->Windows Explorer

    - Remove CD Burning Features = Enabled (Base policy)/Disabled (Sub policy)

    I have run the gpupdate /force command, logged off, rebooted numerous time. I uninstalled the CD/DVD drivers and reinstalled but each iteration prevents the admin and approved user from writing to the media. Both policies are enabled and linked as I have changed policies on other fields and had them apply on the workstation computers.  The policies are linked as Default is the first (1) policy and then the sub policy (2). 

    Please help!

    Friday, March 18, 2016 6:53 PM

Answers

  • > policies are linked as Default is the first (1) policy and then the sub
    > policy (2).
     
    Swap them - processing order is from highest number to 1, and last
    writer wins...
     
    • Marked as answer by Sraivyn Monday, March 21, 2016 1:27 PM
    Monday, March 21, 2016 11:02 AM

All replies

  • Hi Sraivyn,

    This is an expected behavior. These users cannot Remove or Write but you want them to Remove or Write is caused by the first policy restrict all users from removing and Writing.

    To achieve your goal, you could delegate "deny apply group policy" to these users you want them to Write or Remove the removable media on the first policy.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, March 20, 2016 2:11 PM
    Moderator
  • > policies are linked as Default is the first (1) policy and then the sub
    > policy (2).
     
    Swap them - processing order is from highest number to 1, and last
    writer wins...
     
    • Marked as answer by Sraivyn Monday, March 21, 2016 1:27 PM
    Monday, March 21, 2016 11:02 AM
  • Hopefully a little clarification:

    Basically I want a deny all policy for removable storage to be the default and then ONLY the approved users to have access. Is this possible?

    Thanks,

    Stephen

    Monday, March 21, 2016 12:35 PM
  • That was the piece I was missing! Learning new things everyday. Thanks for the help.
    Monday, March 21, 2016 1:28 PM