
Admin Rights for Devices

Status
Not open for further replies.

jc999

Technical User
Oct 20, 2003
Does anybody know the best way of allowing users to use devices (such as palmhelds, USB sticks etc.) without needing full admin rights? The problem I have is that lots of users now need to synchronise devices and things with our PCs, which are on a 2K domain with group policy. More often than not they need admin rights to both install and use the devices. I am reluctant to give them admin rights as they will all install any viruses that they can get their hands on.

I am guessing that perhaps I can give the user NTFS permissions on the various directories the installation program creates, which is OK. The problem is that users usually need permissions on registry items? How do I know where in the registry to change permissions? How does anybody else in a corporate environment handle these issues?

As a side note, does anybody know how to give a domain user administrator rights on a local machine without visiting that machine? I tried to do this in AD by adding the user to the builtin/administrators group but this doesn't seem to work.

Any help would be good..



 
You likely need to grant them Power User status, rather than restricted user accounts.

The Group Policy object "Load and unload device drivers" would be modified to add the Power user group.

Or on a selective basis, use the logon script and NTRIGHTS.EXE:

ntrights.exe +r SeLoadDriverPrivilege -u "Power Users"

NTRIGHTS.EXE is on the Windows 2000 Resource Kit.

A2. Use Sysinternals freeware utility PSEXEC:
PSEXEC \\computername net localgroup administrators dom\user /add
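
An added example, not part of the original post: a PowerShell check of which accounts hold the driver-load right after a change like the ntrights one above, read from a `secedit` policy export. The `-InfPath` parameter, the constructed sample export and the Administrators-only baseline are assumptions of this example.

```powershell
# Added example (not from the thread). List the holders of a user right from a
# policy export made on the workstation with:
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
param([string]$InfPath, [string]$Right = 'SeLoadDriverPrivilege')

# Constructed sample export, used when -InfPath is not given.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-547
'@
$lines = if ($InfPath) { Get-Content -LiteralPath $InfPath } else { $sample -split "`r?`n" }

# Assumed baseline: only BUILTIN\Administrators should hold the right.
$expectedSids = @('S-1-5-32-544')

function Get-RightHolders {
    param([string[]]$Lines, [string]$Right)
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inSection -and $line -match $pattern) {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()
}

foreach ($entry in Get-RightHolders -Lines $lines -Right $Right) {
    # secedit writes SIDs with a leading '*'; unresolved account names appear bare.
    $sid = $null; $name = $entry
    if ($entry -match '^\*(S-1-[0-9-]+)$') {
        $sid = $Matches[1]
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved SID>' }
    }
    [pscustomobject]@{
        Right    = $Right
        Holder   = $name
        Sid      = $sid
        Expected = ($sid -and ($expectedSids -contains $sid))
    }
}
```

With the sample data the second row is S-1-5-32-547 (Power Users) with `Expected` set to False, which is the entry the ntrights command adds.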

 
Hello jc999,

This issue is often related to judiciously identifying the registry key of the hardware (designed not in full accordance with the winlogo program) on which you need to relax permissions for domain users.

The ms article 816585 may be helpful:

This is one posting, under the handle "Computer Bliss", in ng that shows you how to do it in one specific case with GPO:

regards - tsuji
 
Tsuji,

Tsuji said:
This issue is often related to judiciously identifying the registry key of the hardware (designed not in full accordance with the winlogo program) on which you need to relax permissions for domain users.

Or several registry keys. The case of a Palm Pilot and its software, and a USB pen drive are quite different.

It becomes even more difficult under Windows XP, as greater restrictions are placed on the Power Users Group. This quotation from an XP KB article discussing PnP ACL issues is indicative of the problem:

Server-side Installations
A server-side installation is a device installation that is performed entirely by the Plug and Play manager. A server-side installation can occur only if the following conditions are true:
  • A bus driver detects the device and notifies Plug and Play Manager.
  • Plug and Play Manager finds an .inf file that contains a hardware ID that matches the hardware ID of the device.
  • The .inf file and the drivers for the device are signed.
  • Windows XP can locate all the drivers for the device without prompting the user for media locations (for example, the drivers are included with the operating system, a vendor-supplied driver was previously installed, or vendor-supplied driver files are preinstalled).
  • The class installer and co-installers for the device do not open properties at the end of the installation.
  • The .inf file for the device does not indicate that the device requires an interactive installation.
  • RunOnce registry entries consist only of calls to the Rundll32.exe file.

A server-side installation does not prompt the user for any additional information and does not require administrator credentials. This type of installation is known as "server-side" because the installation is performed by Plug and Play Manager and interaction with a user-mode client is not required.

Client-side Installations
A client-side installation is a device installation that requires communication with a user. A client-side installation occurs if any of the following conditions are true:
  • Plug and Play Manager cannot find an .inf file that contains a hardware ID that matches the hardware ID of the device.
  • Plug and Play Manager cannot locate all the required driver files.
  • The .inf file or the driver files for the device are not signed.
  • Windows XP must prompt the user for additional information about the installation (for example, where to find the driver files).
  • A class installer or co-installer for the device opens properties at the end of the installation.
  • The device, bus, or bus driver does not support Plug and Play.

A client-side installation requires client installation software (for example, the Add Hardware Wizard, the Found New Hardware Wizard, or a vendor-supplied device installation program). The client software uses the Setup application programming interface (API) to install the device, and the Setup API uses services provided by Plug and Play Manager as required.

What is really needed are some additional predefined policy objects for these many new USB devices.


 
Hello bcastner & jc999 again,

From ms 816585
Compatible (Compatws.inf)

This template changes the default file and registry permissions that are granted to the members of the Users group in a manner that is consistent with the requirements of most programs that do not belong to the Windows Logo Program for Software. The Compatible template also removes all members of the Power Users group.

For more information about the Windows Logo Program for Software, visit the following Microsoft Web site:

NOTE: Do not apply the Compatible template to domain controllers.

Also the win2000 version could be helpful as well:

As to the concrete need of jc999, I have nothing to add.

regards - tsuji
 