HP ProtectTools - Windows Vista and Windows XP
Device Access Manager for HP ProtectTools
Short description Details Solution
Users have been denied
access to devices within
Device Access Manager,
but the devices are still
accessible.
Simple Configuration and/or Device
Class Configuration have been used
within Device Access Manager to deny
users access to devices. Despite being
denied access, users can still access the
devices.
Verify that the HP ProtectTools Device Locking service
has started.
As an administrative user, browse to Control Panel >
Administrative Tools > Services. In the Services
window, search for the HP ProtectTools Device
Locking/Auditing service. Be sure that the service is
started and that the startup type is Automatic.
A user has unexpected
access to a device or a
user is unexpectedly
denied access to a device.
Device Access Manager has been used
to deny users access to some devices
and allow users access to other devices.
When the user is using the system, they
can access devices they believe Device
Access Manager has denied and are
denied access to devices they believe
Device Access Manager should allow.
The Device Class Configuration within Device Access
Manager should be used to investigate the Users
device settings.
Click Security Manager, click  Device Access
Manager, and then click Device Class
Configuration. Expand the levels in the Device Class
tree and review the settings applicable to the User.
Check for any “Deny” permissions that may be set on
the user or any Windows Group of which they may be
a member, e.g., Users, Administrators.
Allow or deny—which
takes precedence?
Within Device Class Configuration, the
following configuration has been set:
●
The Allow permission has been
granted to a Windows group (e.g.,
BUILTIN\Administrators) and the
Deny permission has been granted
to another Windows group (e.g.,
BUILTIN\Users) at the same level in
the device class hierarchy (e.g.,
DVD/CD-ROM Drives).
If a user is a member of both those
groups (e.g., Administrator), which takes
precedence?
The user is denied access to the device. Deny takes
precedence over Allow.
Access is denied due to the way in which Windows
works out the effective permission for the device. One
group is denied, and one group is allowed, but the user
is a member of both groups. The user is denied
because denying access is given precedence over
allowing access.
One workaround is to deny the Users group at the DVD/
CD-ROM Drives level and to allow the Administrators
group at the level below DVD/CD-ROM Drives.
A further workaround would be to have specific
Windows groups, one for allowing access to DVD/CD
and one for denying access to DVD/CD. Specific users
would then be added to the appropriate group.
88 Chapter 9 Troubleshooting










