Access denied to CDROM and floppy drives 1

[packdragon]

I cannot access the CDROM or floppy drives of the two domain controllers in the domain. These are both Windows 2000 Servers. Since I was terminaled into the machines, I thought maybe it was because the security policy that restricts CDROM access to only locally logged in users was in effect. I located the policy in the Domain Controllers Security Policy and Disabled it. Still no access. Then I found out that even logged on locally as the enterprise administrator did not grant me access. It merely says "Access is denied".

I've tried searching, but I can't seem to find any other policy that might be enforcing such a silly restriction. Should there ever be a network problem with these machines I would be screwed because of no floppy or CD access. I have not tried booting into safe mode to see if that works, these are also production databases so downtime must be minimal. What could be wrong? Any ideas on where to look?

 

[kameleon80]

Funny that you brought this up. I was messing around with Removable Storage in the computer management MMC and found out that I guess you can kinda permit security settings for CD roms Not for sure but there is securty tab in there. To find this go to Computer Management>Storage>Removeable Storage>Physical Locations> and then you should see your CD Rom drive in there, right click on it, go to properties, and then you should see Security tab.

Good Luck.

Let me know how it comes out

 

[packdragon]

Thanks for the info. I went in and checked the security on the CDROM drive and the permissions in there look correct. Even with just the Users group having read-only access we should be able to read a CD. Administrators have Full Control. It must be a domain controller security policy somewhere... The member servers don't have this restriction. I do appreciate the suggestion though. Anyone else have ideas?

 

[packdragon]

Wouldn't you know it, a plain and simple reboot fixed the problem. Of all the stupid... arrgh. Oh well, problem solved. Chalk it up to another mystery resolved by reboot.

 

[Seaspray0]

When you change a policy, you can update it right away on the machine you are on by typing the following from a command prompt or start/run...

secedit /updatepolicy machine_policy
secedit /updatepolicy user_policy

Sometimes this is useful to see the emmediate effects and change any problems before they are propogated throughout the domain.

 

[buckrogers21c]

Problem: - I can see my inbuilt DVD drive but I get a "Disk is not formatted" response when I try to use it. This problem only occurred today. I have used this PC (Fujitsu Lifebook) for 6 months with few problems. I was changing permissions earlier today (apparently my main C drive had 'sharing' enabled and so naturally I changed this; not sure how this change had occured perhaps due to some downloaded software). I had also encourntered the PageFile problem discussed elsewhere on this site (this problem has been resolved thanks to the advice provided by the contributors to this site). If I check properties on the DVD/CD-rom drive then all is well. I have re-installed the driver and I have followed the advice regarding permissions described on this page. But to no avail. ANyone out there have any further suggestions ?

 

[packdragon]

"Disk is not formatted" doesn't really point to a permissions issue. It seems more like its ability to read the CD. Does the computer see your DVD drive as a DVD drive and not as a hard drive? Do you get this same error for every CD you put in there? Is it possible to try connecting a different CD drive to the laptop and see if that works?

 

[buckrogers21c]

Hi Packdragon,
I mentioned 'permission issues' as earlier in the day I had encountered a 'Pagefile too small error condition' which was possibly as a result of resetting access permissions on my PC. I then further reset access to 'everyone' and the pagefile problem disappeared (I have a vague appreciation as to why this occured)! However, as the CD-ROM 'not formatted' error condition also happened after my original change of access configuration then I assumed that the two conditions were related.

The drive gives the same error condition for DVD or CDs. I don't have access to another Drive at the moment to check. I have re-installed the driver but to no avail. I have checked the drive access permission on the Storage/physical locations etc. and this drive appears to be accessible to everyone.

 

[packdragon]

So you disabled sharing on your C: drive... does re-enabling it get rid of the CD problem?

 

[buckrogers21c]

Hi Packdragon,

Unfortunately not. I have finally found the relevant event log for the device driver. It is displaying a
" The device, \Device\CdRom0, has a bad block. " error message.
This messages is generated for any DVD, CD disk placed into the drive.

Any ideas ?

 

[packdragon]

What is the Event ID of that message? We could look up more info on that particular event.

 

[buckrogers21c]

Hi there,

Event ID is 7.

 

[packdragon]

According to some of the posters at

http://www.eventid.net/display.asp?eventid=7&source=,

maybe you should try cleaning your cd drive.

 

[buckrogers21c]

Hi there Packdragon,
many thanks for your help. Will try and clean drive and see what happens. Thanks for your persistence
Buck.

 

[Breakerfall]

Packdragon,
>>Chalk it up to another mystery resolved by reboot<<

In addition to being applied during their respective initializations, both user and machine settings are applied during a periodic refresh cycle, which by default is 90 minutes.

Seaspray post is correct. By using the secedit command you would be enforcing the policy (this prevents users and computers from avoid policy changes by means of either no-rebooting or no-login off. However, there's an option in both &quot;computer&quot; and a &quot;user&quot; configuration sections to impose a fixed refresh time (minimum time is 7 seconds) for the group policies, so you don't have to reboot the machine or log off the user.

just a tip,
that's all.


Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®

 

[packdragon]

The thing is, I DID refresh the machine policy before I even posted here. It wasn't until after reboot that it finally worked. Are there GPO things that a manual refresh doesn't do that a reboot does? Or did I need to refresh both the machine and user policies? I only did machine.

 

[ERBGsys]

have you check the registry entries?. The GPO writes in the registry, and in a few strange ciscunstances they don't write back after disable it.

 

[Breakerfall]

you made changes to machine config. os user config.?
I would do both, just in case.



Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®

 

[Breakerfall]

I meant, I would refresh both.


Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®

 

[MSMVP]

packdragon,

Absolutely, yes - there are things that cannot be refreshed through a secedit refresh, a gpupdate, whatever the case. Some of these settings must be initilized during the startup of the machine.

If you recall, you will see (especially on Windows 2k) 'Applying Machine Policy' - that is the portion of policy being applied that directly affects the machine. Not all of it can be refreshed via a secedit /refreshpolicy machine_policy

However, a restart will apply and put it into force.



Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone -

http://www.microsoft.com/windowsxp/expertzone