
How can Everyone or PowerUser add a USB Pen Drive?

Status
Not open for further replies.

mlbasso

MIS
Jan 20, 2004
45
US
Is there a way to allow Everyone or PowerUser to add hardware (i.e. USB Pen Drive)? I do not want to make them a local administrator.
 
Only if the device is PnP.
You can then allow Power Users to add or remove device drivers, and act as part of the operating system.

In the main, the answer is no.

There has to be a revision of GPOs to handle these USB devices, but at the moment there is not, other than using a very relaxed security template, or making them Administrators.
 
Thanks bcaster,
One more thing...
When you say "only if the device is PnP", does that mean there is a difference between which Pen drives I can buy? Some are PnP and some are not?
 
Let me restate things, as what I posted above is not as clear as I intended.

From a Windows security perspective, a new device can be installed either in a "client-side" or "server-side" context.

A client-side installation requires client installation software (for example, the Add Hardware Wizard, the Found New Hardware Wizard, or a vendor-supplied device installation program). The client software uses the Setup application programming interface (API) to install the device, and the Setup API uses services provided by Plug and Play Manager as required.

A server-side installation does not prompt the user for any additional information and does not require administrator credentials. This type of installation is known as "server-side" because the installation is performed by Plug and Play Manager and interaction with a user-mode client is not required.

To force the first type of installation, client-side, you need to satisfy both security requirements and software needs to allow the PnP manager (which runs in the System context) to do the task without user interaction.

Non-administrative level users require no additional permissions to install or uninstall device drivers if the device is supported hardware with a Plug and Play device ID to driver match. If you provide a properly-signed OEM driver package when using the "New Hardware Found" wizard in the case of either no match or a compatible-rank match, that signed .inf file and its related files are now present on your computer. Because of this, any subsequent "new hardware" of the same type (such as hardware-rank match in the same .inf file and using the same files) is automatically installed by Plug and Play manager without further user interaction required.


So making sure the workstation has installed the .inf required by the device, making certain all drivers are signed, and making sure the device supplies a PnP serial ID would permit the non-administrator user to install the device without Administrator credentials.

As a practical measure, install the device with user interaction as administrator (or use RunAs). Then remove the device and try again in a user context and on a different USB port. If the device firmware (or user installed software) is sufficiently Windows aware, the needed .inf files should then exist on the user machine and no administrator access should be necessary.

Please read the link to the MS KB above for further details.
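
The device ID to driver match described in the post above can be checked offline against an .inf file. The following is an added example, not code from this thread or from Microsoft: it parses the `[Manufacturer]` and models sections of an INF and reports whether a device's IDs would be a hardware-rank match, a compatible-rank match, or no match. The sample INF, its IDs and section names are constructed, and the two-level ranking is a simplification of the ranking Windows actually performs.

```python
import re

# Constructed sample INF (hypothetical vendor, IDs and section names).
SAMPLE_INF = r"""
[Manufacturer]
%Mfg%=ExampleModels

[ExampleModels]
%Pen.Desc%=Pen_Install, USB\VID_1234&PID_5678
%Gen.Desc%=Gen_Install, USB\VID_1234&PID_9999, USB\Class_08&SubClass_06&Prot_50
"""

def parse_sections(text):
    """Return {lowercased section name: [entries]}, ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: no quoted ';'
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def inf_ids(text):
    """Yield (device_id, is_hardware_id) for each models-section entry."""
    secs = parse_sections(text)
    for entry in secs.get("manufacturer", []):
        models = [m.strip().lower() for m in entry.split("=", 1)[1].split(",")]
        # Include decorated sections such as ExampleModels.NTx86.
        names = [models[0]] + [f"{models[0]}.{d}" for d in models[1:]]
        for name in names:
            for line in secs.get(name, []):
                fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
                for pos, dev_id in enumerate(fields[1:]):
                    yield dev_id.upper(), pos == 0  # first ID is the hardware ID

def match_rank(text, hardware_ids, compatible_ids=()):
    """Return 'hardware', 'compatible' or None for the best match in the INF."""
    hw = {h.upper() for h in hardware_ids}
    other = hw | {c.upper() for c in compatible_ids}
    ids = list(inf_ids(text))
    if any(dev_id in hw and is_hw for dev_id, is_hw in ids):
        return "hardware"
    if any(dev_id in other for dev_id, _ in ids):
        return "compatible"
    return None
```

A `None` result for a device's IDs means no .inf on the machine covers it, which is the case where the post says an administrator has to supply the driver package first.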
 