none
Removable storage access policy on Windows Server 2008 not working.

    Pregunta

  • Start -> Run -> gpedit.msc -> User configuration -> Administrative templates -> System -> Removable storage access

    All the components under this are not configured, but still when i push a USB drive (flash drive) on the server, i get a message : Access denied . The USB drive is detected on the system and shows the drive under [My Computer].

    OS : Windows Server 2008
    System type : 32 bit Operating system
    lunes, 23 de noviembre de 2009 5:53

Respuestas

  • Sunil

    I did my best to analyze the problem at my end. Also I tried with a Windows Server 2008 machine here to reproduce the issue but with no success.

    If you could try connect the removal drive on a fresh installed Windows Server 2008 machine, to check if the problem persists.

    Additionally, to troubleshoot the existing Windows Server 2008 problem you can directly connect to Microsoft.  You can find the Microsoft support details in the following links:

    Windows Server 2008 support (http://www.microsoft.com/windowsserver2008/en/us/support.aspx )

    Microsoft Support (http://support.microsoft.com/ )

    I hope this helps

    Thanks

    Tanbirul
    lunes, 07 de diciembre de 2009 18:53
    Moderador

Todas las respuestas

  • Hi Sunil

    Thank you for your post.

    I think this error is caused by a change to the Autorun.inf file on your flash drive. (It's just an annoyance from some spyware/malware)

    You can try the following steps to repair the Autorun.inf file (The auto run file is hidden and labeled as protected OS file):

     

    1.    Open Windows Explorer (or My Computer)

    2.    Click on Organize menu

    3.    Go to Folder and search options

    4.    In Folder Options dialog box click on the View tab

    5.    Under Advanced settings: look for Hidden files and Folders. Click on the Show hidden files and folders option

    6.    Next make sure you scroll down and uncheck the Hide protected operating system files (Recommended) option. Then click OK

     

    Once done with the above. Try these steps to setup the USB drive:

     

    1.    Right click on your USB Drive and from context menu click on Explore OR type your USB drive name in Windows Explorer/My Computer address bar (Example E:, G: etc) then press enter

    2.    Find Autorun.inf (most likely grayed out and labeled just autorun)

    3.    Right click the file and choose properties

    4.    Uncheck Read Only option on the bottom

    5.    Click on the Change button and choose Notepad as the default application. Click Ok

    6.    Launch Autorun.inf file. It opens with the default notepad

    7.    When the file opens, erase/delete everything and save it. (You can go back and hide the hidden files and folders again also make sure that you make the Autorun file Read Only

    8.    Unplug/disconnect the drive, and then reconnect it.

     

    Additionally, If you unable to explore/open the USB drive. Please try in some other machine.

    I hope this helps.

    Thanks

    Tanbirul


    NOTE - Disclaimer


    By using the following materials or sample code you agree to be bound by the license terms below and the Microsoft Partner Program Agreement the terms of which are incorporated herein by this reference. These license terms are an agreement between Microsoft Corporation (or, if applicable based on where you are located, on of its affiliates) and you. Any materials (other than sample code) we provide to you are for your internal use only. Any sample code is provided for the purpose of illustration only and is not intended to be used in a production environment. We grant you a nonexclusive, royalty-free right to use and modify the sample code and to reproduce and distribute the object code form of the sample code, provided that you agree: (i) to not use Microsoft's name, logo, or trademarks to market your software produced in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; (iii) to provide on behalf of and for the benefit of your subcontractors a disclaimer of warranties, exclusion of liability for indirect and consequential damages and a responsible limitation of liability; and (iv) to indemnify, hold harmless, and defend Microsoft, its affiliates and suppliers from and against any third party claims or lawsuits, including attorney's fees, that arise or result from the use or distribution of the sample code.

    martes, 24 de noviembre de 2009 19:10
    Moderador
  • Hi Tanbir,

    It not the problem with the USB drive. I have tried the USB drive on other PC and it works. I am able to explore it.
    Only on the server (Server 2008), i get Access Denied .

    Thanks
    Sunil Kumar
    miércoles, 25 de noviembre de 2009 5:54
  • Hi Sunil

    Could you please follow the steps which I have mentioned to fix your issue with USB on windows server 2008, and let me know if the issue is still exists.

    Thanks

    Tanbirul

    miércoles, 25 de noviembre de 2009 20:25
    Moderador
  • Hi Tanbirul,

    I have done what you have mentioned in the first part.
    When i go to the second part -> right click on the USB drive -> properties i get the following ::

    I:\ is not accessible.
    Access is denied.


    I connected this USB drive on another PC and did the process mentioned in the second part and then connected it back on the server. The same issues still continues.

    I have connected a Seagate FreeAgent Drive on the server. The icon also does not show up. I have tried connected another USB drive also on the server, the same issue.


    Thanks & Regards
    Sunil Kumar


    jueves, 26 de noviembre de 2009 13:21
  • Hi Sunil

    Is your machine in a workgroup or domain?

    If it is in a domain then I need to see the Group Policy result, which you can see by-

       1. Open command prompt 

       2. Type gpresult -r and press enter


    It would give you the group policy result, where we can see what all are the settings applied in Domain Controller. So if the setting is Not Applied in Domain Controller then it would be reflected as access denied. So, you need to enable it on DC and then try further.

    However, can you double click on the item under Start -> Run -> gpedit.msc -> User configuration -> Administrative templates -> System -> Removable storage access and see if you can enable it on your own.

    Thanks

    Tanbirul

    jueves, 26 de noviembre de 2009 19:54
    Moderador
  • Hi Tanbirul,

    Thanks for your mail.
    The USB storage is connected on Server 2008 which is configured as Domain Controller.

    All the items under Start -> Run -> gpedit.msc -> User configuration -> Administrative templates -> System -> Removable storage access is set to Not Configured, which means that USB Storage is enabled.

    I am accessing this server from an XP client by Remote Desktop Connection. I am using the Administrator credentials to  Remote Connect.

    On the XP clients, the users were not able to change the system date/time. But now they are able to change. Does this means that there is some issues with the Domain policy? Please give a thought on this.


    Thanks & Regards
    Sunil Kumar

    viernes, 27 de noviembre de 2009 6:00
  • Hi Sunil

    Please correct if I’m wrong in understanding the problem you are facing, when you are trying to

    connect a USB drive on Server 2008 an error message is displayed “Access Denied”? .

     

    Confirm on the same so that I can go ahead with research.

    Also, for changing Date and Time Please use this link for your reference:

    http://support.microsoft.com/default.aspx/kb/300022


    Note: For any questions related to domain policy you can post your questions on this forum:

    http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/threads

    Thanks

    Tanbirul
    lunes, 30 de noviembre de 2009 22:04
    Moderador
  • Hi Tanbirul,

    Thank you so much in taking the effort to write to me.

    Date/Time issue is sorted out after seeing this link which you have given.

    With regards to the USB Drive, the issue is :

    1. When i connect the USB Drive on the server, it gets detected, and also shows as a drive under My computer .
    2. When i right click on the USB Drive and click on properties, this also works.
    3. When i right click and click Explore, then i get the following in a message box:
    I:\ is not accessible.
    Access is denied.

    4. All the items under Start -> Run -> gpedit.msc -> User configuration -> Administrative templates -> System -> Removable storage access is set to Not Configured, which means that USB Storage is enabled.
    5. I connect to my server, by using Remote Desktop Connection

    Thanks & Regards
    Sunil Kumar

    martes, 01 de diciembre de 2009 5:24
  • gpedit.msc -> User Configuration -> Administrative Templates
    gpedit.msc -> Computer Configuration -> Administrative Templates


    When i right click and choose Add/Remove Templates, I don't see anything under Current Policy Templates.
    Do you think this is why the Removable storage access policies are not working for me???
    jueves, 03 de diciembre de 2009 6:19
  • Sunil

    It should be okay, that you are not seeing any templates when you go to Add/Remove Templates.

     

    That is because there were no policy templates under C:\windows\inf

     

    Basically, all the administrative template files are registry based.

    So, if the policy has been implemented at any time (either local policy or from domain policy), it reflects as a registry key.

     

    Logon to the server and check if anything is defined under these keys?

     

    HKey_Current_User\Software\Policies\Microsoft\Windows\RemovableStorageDevices

    HKey_Local_Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices

     

    If you find something defined there like Deny_Read or Deny_Write or Deny_All that should explain why.

     

    If they are empty, what you could do next is to find out the registry / file activity in real time.

     

    You can download Procmon from the following link:

     

    <http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx>

     

    Extract and run procmon.exe on to any folder or on to the desktop.

     

    One you run it, it will automatically start capturing data.

    Reproduce the problem immediately. As soon as you get the access is denied error message, stop the capture. You could click on File menu >> Capture Events to stop capturing data.

    Once it’s done, search for “Access denied” within the trace and it will show you which key is responsible.

    I hope this helps.

    Thanks

    Tanbirul

    viernes, 04 de diciembre de 2009 2:13
    Moderador
  • Thanks so much Tanbirul.
    I think we are near to our goals.

    HKey_Local_Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices
    Name                    Type                           Data
    Deny_All              
    REG_DWORD              0x00000001(1)

    Now i have two options:
    1. Delete this key from the registry
    2. Change the value to 0

    What should i do to enable Access to Removable Storage Devices?
    viernes, 04 de diciembre de 2009 4:39
  • Sunil

    This is not here:

    Start -> Run -> gpedit.msc -> User configuration -> Administrative templates -> System -> Removable storage access

    If all the items under Start -> Run -> gpedit.msc -> Computer configuration -> Administrative templates -> System -> Removable storage access is still “Not configured” (which can happen if this was ever enabled and then set back to not configured), then you can change it and make it “disabled” so that the registry key can revert.


    I hope this helps.

    Thanks

    Tanbirul

    sábado, 05 de diciembre de 2009 3:43
    Moderador
  • Hi Tanbirul,

    I forgot to mention that there is one more key which is mentioned there.

    HKey_Local_Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices
    Name                      Type                           Data
    Deny_All                
    REG_DWORD            0x00000001(1)
    AllowRemoteDASD    REG_DWORD            0x00000001(1)

    I have disabled all the following and re-stared the server, but still no luck:
    Removable Disks: Deny read access
    Removable Disks: Deny write access
    All Removable Storage classes: Deny all access

    What do you suggest??

    Thanks
    Sunil
    sábado, 05 de diciembre de 2009 5:20
  • Sunil

    I did my best to analyze the problem at my end. Also I tried with a Windows Server 2008 machine here to reproduce the issue but with no success.

    If you could try connect the removal drive on a fresh installed Windows Server 2008 machine, to check if the problem persists.

    Additionally, to troubleshoot the existing Windows Server 2008 problem you can directly connect to Microsoft.  You can find the Microsoft support details in the following links:

    Windows Server 2008 support (http://www.microsoft.com/windowsserver2008/en/us/support.aspx )

    Microsoft Support (http://support.microsoft.com/ )

    I hope this helps

    Thanks

    Tanbirul
    lunes, 07 de diciembre de 2009 18:53
    Moderador
  • Hi Sunil,

    whats happen when you right click on the latter name of your USB drive and choose "properties"

    may be there r some security in the ACLs

    also if you get a solutions plz share it for us

    Regards
    lunes, 01 de febrero de 2010 23:12
  • Hi. I have same problem on Server 2008 after my changes in RemovableStorageDevices Local Group Policy. Now I want to Enable usb drives again, but Windows doesn't want....

    Changes to the Local GPO (as Disabled, Enabled, Not Configured) have No effect !

    HKey_Local_Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices

    Deny_All REG_DWORD 0

    HKey_Local_Machine\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

    Deny_Read REG_DWORD 0

    Deny_Write REG_DWORD 0

    under hkey_current_user RemovableStorageDevices doesn't exist.

    but i still see the error message "F:\ is not accessible. Access is denied." when i try to explore any usb-flash disk.

     

    I have disabled USB before this server got status "reserve DC".

    Now gpresult said that local_policy wasn't applied.

    On the domain policy I didn't touch these policies, so there they are Not Configured.

    No Acer Software or smth "bad" 3rd-party software was never installed on this server.

    miércoles, 10 de marzo de 2010 19:50