Removable Storage User Configuration Group Policy not working when Windows Server 2008 R2 is used as a client

    Question

  • Hi,
    I have enabled read/write restriction for a group of users. If a user from this group logs onto a Windows 8.1 or Windows 7 system and tries accessing a USB drive, it says access is denied. However, if the same user logs onto a Windows Server 2008 R2 system under the same domain, he is allowed to access the USB drive even though all the registries are updated and policies are applied. Why may this be happening?

    My domain controller is a Windows Server 2012 R2 machine.

    Thursday, December 11, 2014 11:15 AM

All replies

  • > same user logs onto a Windows Server 2008 R2 system under the same
    > domain he is allowed to access the USB drive even though all
     
    2008 R2 (or more generally: Server SKUs) does not support device
    restriction policies.
     

    Martin

    Fancy reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by AlexAdkin Friday, December 12, 2014 6:26 AM
    Thursday, December 11, 2014 12:09 PM
  • Why don't you do a gpresult for the same user, one on the server, one on the W7/W8.1? Is there a difference?
    Thursday, December 11, 2014 12:12 PM
  • This is the result I got after using gpresult with WIN2K8R2

                        

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 12/12/2014 at 10:42:56 AM



    RSOP data for TORNADO\goli on WIN2K8AD1 : Logging Mode
    -------------------------------------------------------

    OS Configuration:            Member Server
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\goli
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=WIN2K8AD1,CN=Computers,DC=tornado,DC=local
        Last time Group Policy was applied: 12/12/2014 at 10:42:05 AM
        Group Policy was applied from:      avenger.tornado.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        TORNADO
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            WIN2K8AD1$
            Domain Computers
            System Mandatory Level

        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                GPO: Default Domain Policy
                    Policy:            MaximumPasswordAge
                    Computer Setting:  42

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordAge
                    Computer Setting:  1

                GPO: Default Domain Policy
                    Policy:            LockoutBadCount
                    Computer Setting:  N/A

                GPO: Default Domain Policy
                    Policy:            PasswordHistorySize
                    Computer Setting:  24

                GPO: Default Domain Policy
                    Policy:            MinimumPasswordLength
                    Computer Setting:  7

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                GPO: Default Domain Policy
                    Policy:            PasswordComplexity
                    Computer Setting:  Enabled

                GPO: Default Domain Policy
                    Policy:            ClearTextPassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            ForceLogoffWhenHourExpire
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            RequireLogonToChangePassword
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            LSAAnonymousNameLookup
                    Computer Setting:  Not Enabled

                GPO: Default Domain Policy
                    Policy:            @wsecedit.dll,-59058
                    ValueName:         MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
                    Computer Setting:  1

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings\Enabled
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings\RemoteAddresses
                    Value:       0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\System\UserPolicyMode
                    Value:       1, 0, 0, 0
                    State:       Enabled


    USER SETTINGS
    --------------
        CN=Nihar Goli,CN=Users,DC=tornado,DC=local
        Last time Group Policy was applied: 12/12/2014 at 10:42:05 AM
        Group Policy was applied from:      avenger.tornado.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        TORNADO
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            Remote Desktop Users
            BUILTIN\Users
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Redirection restricted
            Medium Mandatory Level

        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Increase a process working set

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{645FF040-5081-101B-9F08-00AA002F954E}
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A

    And this is the result I got with Windows 7 as a client


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 12/12/2014 at 10:48:14 AM



    RSOP data for TORNADO\goli on WIN7ADUSER : Logging Mode
    --------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\goli
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=WIN7ADUSER,CN=Computers,DC=tornado,DC=local
        Last time Group Policy was applied: 12/12/2014 at 10:32:19 AM
        Group Policy was applied from:      avenger.tornado.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        TORNADO
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Terminal Servers GPO

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Default Domain Policy
                Filtering:  Not Applied (Unknown Reason)

            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            WIN7ADUSER$
            Domain Computers
            System Mandatory Level
            
        Resultant Set Of Policies for Computer
        ---------------------------------------

            Software Installations
            ----------------------
                N/A

            Startup Scripts
            ---------------
                N/A

            Shutdown Scripts
            ----------------
                N/A

            Account Policies
            ----------------
                N/A

            Audit Policy
            ------------
                N/A

            User Rights
            -----------
                N/A

            Security Options
            ----------------
                N/A

                N/A

            Event Log Settings
            ------------------
                N/A

            Restricted Groups
            -----------------
                N/A

            System Services
            ---------------
                N/A

            Registry Settings
            -----------------
                N/A

            File System Settings
            --------------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Terminal Servers GPO
                    KeyName:     SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
                    Value:       0, 0, 0, 0
                    State:       Enabled


    USER SETTINGS
    --------------
        CN=Nihar Goli,CN=Users,DC=tornado,DC=local
        Last time Group Policy was applied: 12/12/2014 at 10:46:01 AM
        Group Policy was applied from:      avenger.tornado.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        TORNADO
        Domain Type:                        Windows 2000
        
        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            Remote Desktop Users
            BUILTIN\Users
            REMOTE INTERACTIVE LOGON
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Redirection restricted
            Medium Mandatory Level
            
        The user has the following security privileges
        ----------------------------------------------

            Bypass traverse checking
            Shut down the system
            Remove computer from docking station
            Increase a process working set
            Change the time zone

        Resultant Set Of Policies for User
        -----------------------------------

            Software Installations
            ----------------------
                N/A

            Logon Scripts
            -------------
                N/A

            Logoff Scripts
            --------------
                N/A

            Public Key Policies
            -------------------
                N/A

            Administrative Templates
            ------------------------
                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Write
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Read
                    Value:       1, 0, 0, 0
                    State:       Enabled

                GPO: Default Domain Policy
                    KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{645FF040-5081-101B-9F08-00AA002F954E}
                    Value:       1, 0, 0, 0
                    State:       Enabled

            Folder Redirection
            ------------------
                N/A

            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A

            Internet Explorer Connection
            ----------------------------
                N/A

            Internet Explorer URLs
            ----------------------
                N/A

            Internet Explorer Security
            --------------------------
                N/A

            Internet Explorer Programs
            --------------------------
                N/A



    Friday, December 12, 2014 4:59 AM
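
The two reports above can be compared mechanically rather than by eye. The PowerShell below is an added example, not part of the original thread: `Get-UserPolicyKeys` and the variable names are made up for illustration, and the sample text is trimmed from the two reports posted above. It sticks to PowerShell 2.0 syntax so it also runs on Server 2008 R2.

```powershell
# Added example (not from the thread). Parses the USER SETTINGS part of a
# `gpresult /v` text report into one object per KeyName/Value/State entry.
function Get-UserPolicyKeys([string]$Report) {
    $inUser = $false; $gpo = $null; $key = $null; $value = $null
    foreach ($line in ($Report -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -eq 'USER SETTINGS')     { $inUser = $true;  continue }
        if ($t -eq 'COMPUTER SETTINGS') { $inUser = $false; continue }
        if (-not $inUser) { continue }
        if     ($t -match '^GPO:\s+(.+)$')     { $gpo = $Matches[1] }
        elseif ($t -match '^KeyName:\s+(.+)$') { $key = $Matches[1] }
        elseif ($t -match '^Value:\s+(.+)$')   { $value = $Matches[1] }
        elseif ($key -and $t -match '^State:\s+(.+)$') {
            New-Object PSObject -Property @{ GPO = $gpo; KeyName = $key; Value = $value; State = $Matches[1] }
            $key = $null; $value = $null
        }
    }
}

# Sample input: user-side entries trimmed from the two reports in this thread.
$server2008r2 = @'
USER SETTINGS
    GPO: Default Domain Policy
        KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Write
        Value:       1, 0, 0, 0
        State:       Enabled
    GPO: Default Domain Policy
        KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Read
        Value:       1, 0, 0, 0
        State:       Enabled
'@
$windows7 = @'
USER SETTINGS
    GPO: Default Domain Policy
        KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Read
        Value:       1, 0, 0, 0
        State:       Enabled
    GPO: Default Domain Policy
        KeyName:     Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Deny_Write
        Value:       1, 0, 0, 0
        State:       Enabled
'@

# Compare only the removable-storage keys; their order in the report does not matter.
$filter = { $_.KeyName -like '*\RemovableStorageDevices\*' }
$srv = @(Get-UserPolicyKeys $server2008r2 | Where-Object $filter)
$cli = @(Get-UserPolicyKeys $windows7     | Where-Object $filter)
if ($srv.Count -eq 0 -or $cli.Count -eq 0) {
    'At least one report contains no removable-storage keys for this user.'
} elseif ($diff = Compare-Object $srv $cli -Property KeyName, Value, State) {
    $diff | Format-Table -AutoSize
} else {
    "Both reports carry the same $($srv.Count) removable-storage values for this user."
}
```

For full reports, replace the two here-strings with `Get-Content <file> | Out-String` on saved `gpresult /v` output from each machine.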
  • Martin cleared that one up. Did suspect but wasn't sure.
    Friday, December 12, 2014 6:21 AM
  • Hi Martin

    Thanks for the reply. Is there any way to make it work?

    I also applied the following KBs, but in vain:

    http://support.microsoft.com/kb/2214863

    http://support.microsoft.com/kb/947294

    It will be of great help if you can suggest some workaround.

    Friday, December 12, 2014 9:42 AM
  • > Thanks for the reply. Is there any way to make it work?
     
    Third party products will do...
     

    Martin

    Friday, December 12, 2014 10:13 AM
  • > Thanks for the reply. Is there any way to make it work?
    >
    > Third party products will do...

    Can you suggest some products?
    Friday, December 12, 2014 10:47 AM