How to make a "special" administrator in Vista?


Dave R.

We have some users that need to be able to install printers, change date
/ time, and install new hardware / drivers. In XP, we found workarounds
for the printer and date/time but since only administrators can install
new hardware / drivers we had to relent and give local administrator
accounts to these users.

In Vista, it looks like standard users can install printers and change
date/time, but cannot install new hardware / drivers (not that this is a
bad thing, mind you). Is it possible (and if so, how) in Vista to give
certain users the ability to install new hardware / drivers, but not
have full administrator capabilities, or will we have to relent and give
local administrator accounts to these users under Vista as well?

Regards,

Dave
 
Hello,

There are two things you can do in Windows Vista to mitigate this problem.

1) Add pre-trusted drivers to the driver store

Drivers in the driver store can be installed by a standard user.
http://www.vistaclues.com/driver-staging-in-windows-vista/

2) Allow users to install signed drivers for certain device classes

Through group policy, you can assign users the privilege to install drivers
for specific classes of drivers.

- Open an MMC console (click Start, type mmc, press Enter)
- Click File -> Add/Remove Snap-in
- Add Group Policy Object Editor to the list and click OK
- Browse to Local Computer Policy -> Computer Configuration ->
Administrative Templates -> System -> Driver Installation
- Double-click "Allow non-administrators to install drivers..."
- Set to Enabled and click Show...
- Add the GUIDs of the classes of hardware you wish to allow non-admins to
install

To see the list of hardware class GUIDs, open up the registry editor
(regedit) and browse to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class

Each subkey of "Class" is a GUID, and if you click on that subkey, the text
in the Default value will tell you the friendly name of the class of
hardware that GUID refers to. To easily copy the GUID to the clipboard, you
can right-click it, click Rename, right-click again and click Copy, and then
click off of the GUID.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
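
The registry lookup described in the post above can be scripted instead of clicked through. This PowerShell sketch is an added example, not part of the original post: it lists every class GUID under the Class key with its Default-value name and marks the ones the policy currently opens to non-administrators. The policy registry path in `$policyKey` is an assumption and should be checked against your own Group Policy templates.

```powershell
# Added example: map device class GUIDs to names and show policy exposure.
$classRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'

# Assumption: where the "Allow non-administrators to install drivers..."
# policy stores its GUID list. Verify this path before relying on it.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses'

function ConvertTo-BareGuid([string]$Text) {
    # Normalise "{4D36...}" and "4d36..." to the same lowercase form.
    $Text.Trim().Trim('{', '}').ToLower()
}

function Get-AllowedClassGuid([string]$Path) {
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item -Path $Path
    # The list is kept as numbered values whose data is a GUID string.
    $key.GetValueNames() | ForEach-Object { ConvertTo-BareGuid ([string]$key.GetValue($_)) }
}

function Get-DeviceSetupClass([string]$Root, [string[]]$Allowed) {
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Guid            = $_.PSChildName
                Name            = $_.GetValue('')       # Default value: friendly name
                Class           = $_.GetValue('Class')  # short class name, if present
                NonAdminInstall = ($Allowed -contains (ConvertTo-BareGuid $_.PSChildName))
            }
        }
}

$allowed = @(Get-AllowedClassGuid -Path $policyKey)
$classes = @(Get-DeviceSetupClass -Root $classRoot -Allowed $allowed)

$classes | Sort-Object Name |
    Select-Object Guid, Class, Name, NonAdminInstall |
    Format-Table -AutoSize

# Policy entries that match no installed class usually mean a typo in the GUID.
$known = $classes | ForEach-Object { ConvertTo-BareGuid $_.Guid }
$allowed | Where-Object { $known -notcontains $_ } |
    ForEach-Object { Write-Warning "Policy lists unknown class GUID: $_" }
```

Reviewing the `NonAdminInstall` column after each policy change confirms that only the intended device classes are delegated to standard users.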
 
Jimmy Brush said:
Hello,

There are two things you can do in Windows Vista to mitigate this
problem.

1) Add pre-trusted drivers to the driver store

Drivers in the driver store can be installed by a standard user.
http://www.vistaclues.com/driver-staging-in-windows-vista/

2) Allow users to install signed drivers for certain device classes

Through group policy, you can assign users the privilege to install
drivers for specific classes of drivers.

- Open an MMC console (click Start, type mmc, press Enter)
- Click File -> Add/Remove Snap-in
- Add Group Policy Object Editor to the list and click OK
- Browse to Local Computer Policy -> Computer Configuration ->
Administrative Templates -> System -> Driver Installation
- Double-click "Allow non-administrators to install drivers..."
- Set to Enabled and click Show...
- Add the GUIDs of the classes of hardware you wish to allow
non-admins to install

To see the list of hardware class GUIDs, open up the registry editor
(regedit) and browse to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class

Each subkey of "Class" is a GUID, and if you click on that subkey, the
text in the Default value will tell you the friendly name of the class
of hardware that GUID refers to. To easily copy the GUID to the
clipboard, you can right-click it, click Rename, right-click again and
click Copy, and then click off of the GUID.

Thanks, I'll give that a go and see how it works for us. Just to
clarify, the second method only allows signed drivers, correct?

Best regards,

Dave
 
It’s been my finding that you are either an administrator or you are
not. The only thing that "prevents" anyone from doing anything as
an administrator is the warning that pops up and most people ignore it
and continue on. I’m afraid that you will have to give these folks
full access.

Maybe you can set up an administrator’s account that has a generic
name and password (assuming you are on a network) and allow those
persons a certain amount of time to access as an administrator and do
what they have to do and when that time is up, go in and change the
password, thus ensuring that they can only access when you are aware
that they are doing so.
 