dpeadmin


Allow non Administrators rights to install Device Drivers for USB printers and scanners

We have a new group of laptop users. We need to be able to allow them to install printer and scanner drivers (plug in USB device and install driver) without being a member of the local Administrators or Power Users groups. We don't want to allow users to login with an Administrators or Power Users account on to the laptop. And we don't want them installing software on the laptops.

Possible solutions are:
1) Runas/New Hardware Install wizard using local Admin account - but it will not work in this scenario.
2) Group Policy install printer rights for Users - works with limited range of devices with MS signed drivers, not third party.
3) Sudowin would work?? Someone else in our group has tested it but it does not seem to behave itself in all cases.

Runas
This is the simplest and best solution. I was hoping to use Runas to achieve this, giving them an Administrators account which is a member of Administrators on the laptop, but in Group Policy "Deny log on locally" User Rights Assignment for this Admin account.

It does not work. If I plug in a USB scanner, the Found New Hardware wizard starts, but if I use the account I get the error "Hardware installation can not start with this account. Make sure this user is a member of the Administrators group." Remove the account from "Deny log on locally" and it runs happily.

Runas refuses to use this account when the "Deny log on locally" is set in GP. Error pops up with "Logon failure: the user has not been granted the requested logon type".

Group Policy
There are limited permissions which can be granted through Group Policy for installation of drivers. I have granted to Laptop users group the following:
Local Policies/User Rights Assignment - Load and unload device drivers
Devices: Unsigned driver installation behavior Warn but allow installation
Administrative Templates - Printers - "Disallow installation of printers using kernel-mode drivers" Disabled

When I insert a USB printer, get the Found New Hardware wizard, the error appears "You must be a member of the Administrators group on this computer to install this software", even when the user is a member of the Power Users group. I believe 3rd party drivers now require Admin rights, not just Power Users member with GP "Load and unload device drivers" permission.

I can Add a Printer, and the Local Printer option is available, but again, I am prompted for credentials with "You must be a member of the Administrators group on this computer to install this software" for my USB printer.

One MS TechNet article states:

(3rd party driver install requires you to be member of Administrators group, Power Users with Load and unload device drivers) Windows XP SP1 does not permit regular users or members of the Power Users group to install third-party drivers. In Windows XP SP1, only the following people have permission to install a third-party driver:
- Local administrator
- Members of the Administrators group
- Members of the Power Users group with the "Load and unload device drivers" policy permission

Another states (Article ID: 326473):

When you log on using nonadministrator credentials, the "Load and unload device drivers" user right only allows you to make nonpersistent changes to the state of the drivers that are running on the computer...
If you are logged on as a member of the Power Users group, Windows XP prompts you for administrator credentials because your ACL is not high enough to install a device by means of Plug and Play.
It suggests using Runas!!!??@!

Any solutions? SudoWin seems to be the only choice, but it seems there are problems??
Kenneniah

You could use runas without giving them the password, therefore there would be no need to set the logon policy. You would use something like Supercrypt to create an encrypted runas file that would only be able to run the desired program, then place a shortcut to the encrypted command.

http://www.moernaut.com/default.aspx?item=supercrypt
dpeadmin

ASKER

Good suggestion.

Sudowin seems to have a problem with child processes (they don't seem to retain the admin privileges). Correct me if you know better.

M$ should fix this, given security advice is "do not run as administrator" and the only way to install PnP drivers is as Administrator. I know that arguments about "kernel level drivers" can compromise the system, but running as an Admin all the time is a greater security hole.

I would much prefer a fix/hack for Runas to work with an account that could not login interactively. When the USB insertion kicks off the "Found New Hardware" wizard, they could put in credentials and continue. But then the problem becomes, this account could use this to Runas anything, such as an application install.

We have licensed RunasSpc for another issue and it does the same as supercrypter.exe. The users don't know the credentials, which are encrypted, and RunasSpc only runs what it is configured to execute: "C:\Windows\system32\control.exe hdwwiz.cpl".

"I would much prefer a fix/hack for Runas to work with an account that could not login interactively."

The problem with that is, by definition what you are doing is a local interactive logon.
Forced accept.

Computer101
EE Admin
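
An added example, not written by any poster in this thread: a PowerShell audit of the two User Rights Assignment settings the thread turns on, "Load and unload device drivers" (`SeLoadDriverPrivilege`) and "Deny log on locally" (`SeDenyInteractiveLogonRight`), read from a `secedit /export` file. The sample export, its SIDs and the `DrvInstall` account are constructed, and `Get-UserRight` is a hypothetical helper name.

```powershell
# On a real machine, produce the input with:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# and pass (Get-Content rights.inf) instead of the constructed sample below.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = Guest,DrvInstall
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-UserRight {
    # Parse the [Privilege Rights] section into a hashtable: right name -> principals.
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # secedit prefixes SIDs with '*'; strip it and drop empty entries.
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $rights
}

$rights   = Get-UserRight ($sample -split '\r?\n')
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Driver loading granted outside Administrators widens who can touch kernel code.
$rights['SeLoadDriverPrivilege'] | Where-Object { $_ -ne $adminSid } |
    ForEach-Object { "Non-admin principal holds SeLoadDriverPrivilege: $_" }

# Accounts listed here cannot be used with runas, as the thread found.
$rights['SeDenyInteractiveLogonRight'] |
    ForEach-Object { "Denied interactive logon, runas will be refused: $_" }
```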