Non-admin installation of hardware

[Guest]

I have a question about the ability of non-administrator accounts to add new
hardware. From the Knowledge Base
(http://support.microsoft.com/default.aspx?scid=kb;en-us;326473) I see that
"For security reasons, Windows XP cannot permit a user who is not an
administrator to install a device on the computer." However, when I go to my
local library, sit down in front of one of their shared desktops, and pop in
a USB drive, it gets recognized and installs. I'm about 99% certain that the
libraries don't give these "shared" logins Local Administrator rights, so how
is this happening?

 

[Shenan Stanley]

I have a question about the ability of non-administrator accounts
to add new hardware. From the Knowledge Base
(http://support.microsoft.com/default.aspx?scid=kb;en-us;326473) I
see that "For security reasons, Windows XP cannot permit a user who
is not an administrator to install a device on the computer."
However, when I go to my local library, sit down in front of one of
their shared desktops, and pop in a USB drive, it gets recognized
and installs. I'm about 99% certain that the libraries don't give
these "shared" logins Local Administrator rights, so how is this
happening?

USB thumb drives - in most cases (non-U3 essentially) require no special
drivers/software in order to be used.
Therefore - the user does not have to install anything/update anything
special in order to gain access to the resource.

If the driver is already in place, they (the user) are not installing
anything.

It's like if you go to their computer as an administrator and install a USB
scanner (driver, software, etc) and leave... If you did it correctly - even
if they disconnect their system, unplug everything and come back later -
they won't need you (if they can connect tab A into slot B) - and they will
still be able to utilize the hardware in question.

However - it is highly likely that if you just handed the user (without
admin rights) the scanner and let them try to install it - they'd fail - as
most scanners/printers will not already have the drivers/software
pre-installed.

Similar - not exact - to what is going on.

 

[Guest]

Hi Shenan,

Thanks for your reply. Is there any way (short of making the user a Local
Admin / Admin group member) to permit the user to install new hardware? I've
tried setting the "Load and Unload Device Drivers" user right
(http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/543.mspx?mfr=true)
in GPEdit to a non-admin userID, but to no effect. Thanks again for your
help!

- Zak

 

[Lanwench [MVP - Exchange]]

Hi Shenan,

Thanks for your reply. Is there any way (short of making the user a
Local Admin / Admin group member) to permit the user to install new
hardware? I've tried setting the "Load and Unload Device Drivers"
user right
(http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/543.mspx?mfr=true)
in GPEdit to a non-admin userID, but to no effect. Thanks again for
your help!

Pardon my jumping in, but why would you want a non-admin to be able to
install *anything* ?

- Zak

 

[Guest]

For precisely one reason: To permit the hardware manufacturer's rep to
install the updated hardware. Through Software Restrictions I intend to
limit the ID's ability to do anything besides Install and launch Explorer (to
get at the drivers) and the companion application. This is in keeping with a
"deny all unless specifically allowed" policy, rather than the required
"permit all in order to permit one thing" default XP restriction I seem to be
encountering.

- Zak

Hi Shenan,

Thanks for your reply. Is there any way (short of making the user a
Local Admin / Admin group member) to permit the user to install new
hardware? I've tried setting the "Load and Unload Device Drivers"
user right
(http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/543.mspx?mfr=true)
in GPEdit to a non-admin userID, but to no effect. Thanks again for
your help!

Pardon my jumping in, but why would you want a non-admin to be able to
install *anything* ?

- Zak

 

[Lanwench [MVP - Exchange]]

For precisely one reason: To permit the hardware manufacturer's rep to
install the updated hardware. Through Software Restrictions I intend
to limit the ID's ability to do anything besides Install and launch
Explorer (to get at the drivers) and the companion application. This
is in keeping with a "deny all unless specifically allowed" policy,
rather than the required "permit all in order to permit one thing"
default XP restriction I seem to be encountering.

Understood. I'm honestly not sure how you can do this, although it may
indeed be possible. I'd try posting in
microsoft.public.windows.group_policy.

- Zak