none
Need to enable cdrom drive for a PC which has a domain policy disabling it

    Question

  • Hi,

        We have a desktop that joined to a domain where their a domain policy enabled that disables the cdrom drive on the machine.

        Is their a way to override the cdrom policy on the desktop directly or add a exception to the policy so that we can enable the cdrom drive for a single user.

    Tuesday, January 13, 2015 3:17 PM

Answers

  • You could just create a new GPO specifically to disable the CD ROM and move the settings restricting the CD ROM to this new GPO. That way you can control which machines can use the CD ROM without affecting any of the other policies set in the original GPO.

    It's generally a good idea not to have too many settings in too few GPO's and it can cause the type's of issues you are having now. With more GPO's you can a much finer control about how those are applied which helps and awful lot in situations like this when you need to change something.

    • Edited by MikeeMiracle Tuesday, January 13, 2015 5:24 PM
    • Proposed as answer by TrayG Tuesday, January 13, 2015 9:22 PM
    • Marked as answer by Frank Shen5Moderator Monday, January 26, 2015 7:47 AM
    Tuesday, January 13, 2015 5:21 PM

All replies

  • Find the GPO that is disabling the cdrom, go to the Delegation tab, click on Advanced at the bottom right.  There you can add the computer account of the machine that needs to be an exception, then highlight that machine once it's added right there, then simply click Deny for the Read permission.  So basically that machine will be denied the right to read that GPO, therefore will not apply the settings.

    Or create an AD group, add that machine to the group, then add the group with Deny on the Read permission to that GPO.  That way if you have multiple machines in the future that need to be an exception to that GPO, you can just add them to the AD group.

    • Edited by TrayG Tuesday, January 13, 2015 4:14 PM
    • Proposed as answer by Darshana Jayathilake Tuesday, January 13, 2015 5:03 PM
    Tuesday, January 13, 2015 4:12 PM
  • This domain policy has multiple other rules and settings. Will that first suggestion affect that as well meaning if I have usb devices disabled, this policy going to have usb devices enabled for this user.
    Tuesday, January 13, 2015 4:22 PM
  • Yes, if you tried my suggestion then you would basically be cancelling any setting in that GPO.  If there are multiple other settings within that GPO, then you can't use my suggestion.
    Tuesday, January 13, 2015 4:35 PM
  • Any other options that you might consider for the situation I am in.

    Reason for this policy is due to auditors for this client of ours. I am trying to see what I can do it override it if needed for this kind of situation.

    Tuesday, January 13, 2015 5:00 PM
  • you can do that easily using group policy delegation.please follow the below link

    https://support.microsoft.com/kb/816100?wa=wsignin1.0


    Darshana Jayathilake

    Tuesday, January 13, 2015 5:05 PM
  • Problem is according to TrayG is if I disable the GPO for the user/,machine, it will disable the other settings in that policy which I can't do.
    Tuesday, January 13, 2015 5:14 PM
  • You could just create a new GPO specifically to disable the CD ROM and move the settings restricting the CD ROM to this new GPO. That way you can control which machines can use the CD ROM without affecting any of the other policies set in the original GPO.

    It's generally a good idea not to have too many settings in too few GPO's and it can cause the type's of issues you are having now. With more GPO's you can a much finer control about how those are applied which helps and awful lot in situations like this when you need to change something.

    • Edited by MikeeMiracle Tuesday, January 13, 2015 5:24 PM
    • Proposed as answer by TrayG Tuesday, January 13, 2015 9:22 PM
    • Marked as answer by Frank Shen5Moderator Monday, January 26, 2015 7:47 AM
    Tuesday, January 13, 2015 5:21 PM
  • Hello,

          Pls give the step for create new GPO USB/CD ROM enable..

    pls give the Step by step description. 

    Tuesday, July 25, 2017 9:11 AM