I created a GPO to lock down removable drives and later disabled it.
But now my test machine still gives "Access Denied" even after I've removed this GPO and also rebooted a few times. Why is that? I've also done gpresult /v and the gpo isn't showing up, yet I can't connect and access any USB drives still...
April 12th, 2011 12:52am

What policy setting did you set specifically? If you tell me I can tell you the reg key to go check. Was it this one? Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of removable devices If so, check out this registry key: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions Is it set to: DenyRemovableDevices If so, this is the problem. I'm making a lot of assumptions so please give more information if this does not help. Thanks!
Free Windows Admin Tool Kit Click here and download it now
April 12th, 2011 1:41am

It was Computer Config\Admin Templates\System\Removable Storage Access and basically enabled all the settings in there. I've disabled this GPO and removed any links to it, but still affecting the test machine after several reboots. Thanks
April 12th, 2011 1:55am

On Mon, 11 Apr 2011 22:55:21 +0000, MarcGel wrote: It was?Computer Config\Admin Templates\System\Removable Storage Access and basically enabled all the settings in there. I've disabled this GPO and removed any links to it, but still affecting the test machine after several reboots. Thanks You've fallen into a common trap for those who don't really understand GPOs (no offense intended). There's a big difference between disabling settings in a GPO object versus disabling the GPO completely. For the latter, which is what you've done, you've basically told the OS, "I don't care what the current settings are, leave them as they are". So, since you previously had those settings enabled, you've told the OS, by disabling the GPO itself, "Leave those settings as they are". Which means they remain enabled. What you really want to do is tell the OS, "Turn those settings off". In order to do that, you need to re-enable the GPO, and inside of that GPO, disable the settings that you'd previously enabled, make sure that the GPO has been applied, and then, and only then, disable the GPO. That tells the OS, "Take these settings that I'd previously turned on, and turn them off". Once the settings in question have been turned off, you can then disable the GPO. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca One man's constant is another man's variable. -- Perlis
Free Windows Admin Tool Kit Click here and download it now
April 12th, 2011 4:36pm

No offense taken. GPO's are not my forte but I'm learning a lot by asking questions on this forum. I'll give this a try but I'm sure you are correct. Thanks!
April 13th, 2011 7:48pm

Ok, it still doesn't seem to be coming down to the machine in question. There are a couple standard domain policies that are coming down, but not the one I create for Removable Storage. So, if it doesn't come down then the settings aren't going back to "Not Configured", right? So, why isn't this Policy getting to the machine? I created an OU and put the machine in there and then linked it. I also put the username in the Filtering. I must be missing something again. Sorry :(
Free Windows Admin Tool Kit Click here and download it now
April 13th, 2011 11:34pm

Hi, I am unable to find HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions on windows XP, is this applicabe for XP too?
May 19th, 2011 1:07pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics