none
Cannot Re-enable Writes to USB and Optical

    Question

  • Created a policy on a small domain to restrict writing to external media.  Used a GPO (with security filtering set to a specific User Group) to enable the settings found in User Config/Policies/Admin Templates/System/Removable Storage Access - specifically:

    CD and DVD: Deny write access: Enabled
    Floppy Drives: Deny write access: Enabled
    Removable Disks: Deny write access: Enabled
    Tape Drives: Deny write access: Enabled
    WPD Devices: Deny Write access: Enabled

    and also:

    Windows Components/Windows Explorer

    Remove CD Burning features: Enabled

    Now I need to remove these restrictions for ONE user.  Not having much luck.  To troubleshoot, I've tried removing for ALL users, STILL won't work.  More specifically, I've tried:

    1. Creating a new policy that has the opposite settings and applying to a new group (I removed the user from the old group and added them to this one.  Rebooted.  This did not work.

    2. Reset the policy settings to DISABLE those restrictions. Rebooted. That has not worked.

    3. Removed both policies and deleted the contents of HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices (after backing up, of course).  Rebooted.  That did not work.

    4. Tried creating a local user account with the policies disabled but that reports access denied as well when attempting to copy files to a USB flash drive.

    These should be USER settings.  Why are they NOT removing themselves and more importantly, how do I get them removed?

    Monday, March 02, 2015 5:17 AM

Answers

  • Hi,

    >>These should be USER settings.  Why are they NOT removing themselves and more importantly, how do I get them removed?

    Based on the description, what's the operating system we are using? If our operating system is Windows Server 2008, in Windows 7 or in Windows Server 2008 R2, we can install the following hotfix to see if it helps.

    Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2

    https://support.microsoft.com/kb/2738898

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 03, 2015 5:48 AM
    Moderator

All replies

  • Hi,

    >>These should be USER settings.  Why are they NOT removing themselves and more importantly, how do I get them removed?

    Based on the description, what's the operating system we are using? If our operating system is Windows Server 2008, in Windows 7 or in Windows Server 2008 R2, we can install the following hotfix to see if it helps.

    Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2

    https://support.microsoft.com/kb/2738898

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 03, 2015 5:48 AM
    Moderator
  • Hi,

    It's been a while. How is it going? If the issue persists or the above suggestion doesn't help, please don't hesitate to let us know.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 11, 2015 2:49 AM
    Moderator
  • All you need do is remove the user from the group, then to be sure create another policy to be exactly opposite the one to remove access and add the user to this group. run command "gpupdate /force" on the server and run same on the client computer restart the computer twice to be sure. If the deny access remains enabled, use gpedit.msc on the client computer to reverse the setting in the Local computer group policy. Using gpedit.msc on Local computers might not be the most efficient, but it is sufficient in this scenario. And remember it was only a last resort.


    Liyide, A.G.

    Wednesday, March 11, 2015 8:13 AM
  • The download for this KB no longer works.
    Thursday, June 09, 2016 1:37 PM