Device Access Manager for HP ProtectTools
Users have been denied
access to devices within
Device Access Manager,
but the devices are still
A user has unexpected
access to a device or a
user is unexpectedly
denied access to a device.
Allow or deny—which
Chapter 8 Troubleshooting
Simple Configuration and/or Device
Class Configuration have been used
within Device Access Manager to deny
users access to devices. Despite being
denied access, users can still access the
Device Access Manager has been used
to deny users access to some devices
and allow users access to other devices.
When the user is using the system, they
can access devices they believe Device
Access Manager has denied and are
denied access to devices they believe
Device Access Manager should allow.
Within Device Class Configuration, the
following configuration has been set:
The Allow permission has been
granted to a Windows group (e.g.,
BUILTIN\Administrators) and the
Deny permission has been granted
to another Windows group (e.g.,
BUILTIN\Users) at the same level in
the device class hierarchy (e.g.,
If a user is a member of both those
groups (e.g., Administrator), which takes
Verify that the HP ProtectTools Device Locking service
As an administrative user, browse to Control Panel >
Administrative Tools > Services. In the Services
window, search for the HP ProtectTools Device
Locking/Auditing service. Be sure that the service is
started and that the startup type is Automatic.
The Device Class Configuration within Device Access
Manager should be used to investigate the Users
Select Security Manager > Device Access Manager
> Device Class Configuration. Expand the levels in
the Device Class tree and review the settings
applicable to the User. Check for any "Deny"
permissions that may be set on the user or any
Windows Group of which they may be a member, e.g.,
The user is denied access to the device. Deny takes
precedence over Allow.
Access is denied due to the way in which Windows
works out the effective permission for the device. One
group is denied, and one group is allowed, but the user
is a member of both groups. The user is denied
because denying access is given precedence over
One workaround is to deny the Users group at the DVD/
CD-ROM Drives level and to allow the Administrators
group at the level below DVD/CD-ROM Drives.
A further workaround would be to have specific
Windows groups, one for allowing access to DVD/CD
and one for denying access to DVD/CD. Specific users
would then be added to the appropriate group.