I am having a little problem with applying some group policies relating to enabling and disabling CD/DVD Read/Write access. Here is what I have set up so far.
There is an OU called Users which is a sub OU of "Company Name".
There is an OU called workstations which is a sub OU of "Company Name".
There is a GPO called "Desktop Security" linked to the Workstations OU which has the "User Config>Policies>Admin Templates>System>Removable Storage Access> CD and DVD: Deny write access" set to Enable.
When a user from the Users OU logs in it has the policy applied denying access.
I created a second GPO called "Enable CD/DVD RW" which is also linked to the workstations OU which has the "User Config>Policies>Admin Templates>System>Removable Storage Access> CD and DVD: Deny write access" set to Disable. The link order of this is set at a lower number than the one above. There is also a security filter on this for a group called "Allow CD/DVD RW".
When a user, who is a member of the allow CD/DVD RW group and in the users OU logs on to a workstation in the workstation OU, access to write to the CD/DVD drive is disabled, however, if we add the workstation to the "allow CD/DVD RW" group it allows access.
Can anyone advise me what I am doing wrong as we want to grant access to that user on any computer in the workstations OU which has a CD/DVD burner, and most importantly we want to disable access for staff who are not part of this group no matter what computer they log in to.
Appreciate any help.
DCs = Server 2008 R2
Workstations = Windows 7 RTM
As far as I know, all policies under "User Configuration" only work when the GPO is linked to a user OU unless Loopback is enabled.
Did you enable loopback in "Desktop Security" GPO to enable User configuration?
If so, I suggest creating two GPOs, "Enable CD/DVD RW" and "Disable CD/DVD RW", linking them to the User OU, and configuring the Security Filter to control users.
As per your request, I suggest creating a single GPO with "User Config>Policies>Admin Templates>System>Removable Storage Access> CD and DVD: Deny write access" set to Enable and linked to the users OU.
Then select those users who want access for burning in the security tab of the same GPO and grant deny permission, so that permission will not apply to these users.
Then the GPO will apply only to users who are present in that OU and without deny permission.
Thanks for your reply.
Sorry, I should have mentioned that Loopback processing is enabled on both policies. The idea of applying it at the User OU rather than the workstation OU does not make sense as the GPO which disables it is working fine and is being applied to the same workstations OU.
Any other suggestions?
You have mentioned that you have configured a Security Filter; it should be enough. Add a user to this group to allow access and delete them to block access.
This posting is provided "AS IS" with no warranties, and confers no rights.
Yes, it should be enough, but it doesn't seem to be. Still does not work when you add a user, but works for a workstation as per the first post.
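
Added example, not part of the thread or any poster's code: a read-only PowerShell check of the three things the posts above discuss for "Desktop Security" and "Enable CD/DVD RW", namely link order on the workstations OU, which trustees hold Apply/Read on each GPO, and the loopback mode. The OU distinguished name is a placeholder assumption; the cmdlets come from the GroupPolicy module on Server 2008 R2 (`Get-GPPermissions` is named `Get-GPPermission` on later versions).

```powershell
# Added example: inspect the two GPOs named in this thread (read-only).
Import-Module GroupPolicy

# Assumption: placeholder DN, replace with the real path of the workstations OU.
$WorkstationsOU = 'OU=Workstations,OU=Company Name,DC=example,DC=com'
$GpoNames       = 'Desktop Security', 'Enable CD/DVD RW'

# 1. Link order on the workstations OU (lower Order number = higher precedence).
Write-Host "Links on $WorkstationsOU"
(Get-GPInheritance -Target $WorkstationsOU).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize | Out-Host

foreach ($name in $GpoNames) {
    Write-Host "--- $name ---"

    # 2. Security filtering: every trustee with Apply or Read on the GPO.
    #    Trustee type shows whether it is a user, group or computer account.
    Get-GPPermissions -Name $name -All |
        Where-Object { 'GpoApply', 'GpoRead' -contains $_.Permission.ToString() } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission, Denied |
        Format-Table -AutoSize | Out-Host

    # 3. Loopback processing mode stored in the GPO's computer-side registry
    #    policy: UserPolicyMode 1 = Merge, 2 = Replace, absent = not configured.
    $loop = Get-GPRegistryValue -Name $name `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    if ($loop) {
        $mode = switch ($loop.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Unknown' } }
        Write-Host "Loopback: $mode"
    } else {
        Write-Host 'Loopback: not configured in this GPO'
    }
}
```

Running `gpresult /r` as the affected user on a workstation then shows which of these GPOs were applied or filtered out for that logon.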