MSFN Forum: Allowing Users to Install Hardware Device Drivers - MSFN Forum


Allowing Users to Install Hardware Device Drivers

#1 Zoom7000

Posted 20 September 2006 - 08:56 AM

I work in a school and teachers and students are expected to save documents and files on USB flash drives. However, I have an issue where, when the USB flash drive is plugged in, Windows tries to install device drivers for "USB Mass Storage Device", "Disk Drive" and "Generic Volume". Obviously regular users can't do this. I have tried going to:

secpol.msc > Security Settings > Local Policies > User Rights Assignment > Load and unload device drivers > Add User or Group

However, the Add User or Group option is greyed out. All I have in the Allowed Users is Administrators and Print Operators.

So is there any way I can allow users to, in theory, add hardware?

Zoom7000


#2 Ctrl-X

Posted 20 September 2006 - 11:12 AM

Make sure the drivers for these devices are signed and pre-installed. Then it should be possible to have them installed automatically when needed. See *this KB article* for details.

#3 Zoom7000

Posted 20 September 2006 - 11:24 AM

Well, it's easy to say the drivers need to be signed and preinstalled, but there is no way that I can get drivers for all possible USB flash drives. So any other options?

#4 fizban2

Posted 20 September 2006 - 12:22 PM

Set a standard for USB devices, maybe start selling them in the library. USB drivers are pretty generic, you will find, if you go out and look at them.

#5 Zoom7000

Posted 21 September 2006 - 01:09 AM

Well, it's a pretty tough measure to do. The area is generally regarded as one of the most deprived areas in London. So kids generally look for the quick bargain outside of school. You'll find cheap MP3 players, cheap USB flash drives, branded drives. So it's a problem I need to work around rather than go back to planning from scratch.

Thanks for the help guys, however any more ideas are very welcome! :)

#6 jaclaz

Posted 21 September 2006 - 12:19 PM

Well, actually under 2000/XP, the actual drivers, at least those that allow read-write access to standard Mass Storage devices, i.e. those that do not have "private" partitions or other custom or brand specific formatting, are 99,99% the same, USBSTOR.SYS.
Problem is the way that the corresponding .INF file is structured and the number of different IDs the different sticks have.

Open with a Registry editor or viewer the registry on one of the machines on which the sticks have been mounted, at this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
or corresponding
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR

You will see a (LONG) list of all devices that were ever mounted.

This happens because devices have their own identity "coupled" with the driver.

Check this entry also:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\

It should be possible, but mind you, this is just an idea, to install it in the CriticalDeviceDatabase, then you may not have the need to re-install the same driver again and again each time a new device is connected, as it will already be running.

Some info can be taken from this (LOOONG) thread here:
http://www.911cd.net...showtopic=14181

Particularly these posts from sisal:
http://www.911cd.net/forums//index.php?s=&...ost&p=99087
http://www.911cd.net/forums//index.php?s=&...st&p=101267

but you will need to read a lot more if you want to follow this hint. :(

jaclaz
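The device list described in the post above can be read out without clicking through a registry editor. This is an added example, not part of the thread: a read-only PowerShell listing of the `Enum\USBSTOR` key, useful when reviewing which sticks a machine has seen. The function names and the sample key name in the comment are constructed for this example.

```powershell
# Added example (read-only): list the USB storage devices recorded under Enum\USBSTOR.
$UsbStorRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function ConvertFrom-UsbStorId {
    # Splits a device key name such as Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
    # (constructed sample) into its fields.
    param([Parameter(Mandatory)][string]$DeviceId)
    $f = @{ Type = ($DeviceId -split '&')[0]; Vendor = ''; Product = ''; Revision = '' }
    foreach ($part in ($DeviceId -split '&' | Select-Object -Skip 1)) {
        switch -Regex ($part) {
            '^Ven_(.*)$'  { $f.Vendor   = $Matches[1] }
            '^Prod_(.*)$' { $f.Product  = $Matches[1] }
            '^Rev_(.*)$'  { $f.Revision = $Matches[1] }
        }
    }
    $f
}

function Get-UsbStorHistory {
    if (-not (Test-Path -Path $UsbStorRoot)) { return }   # no USB storage ever attached
    foreach ($dev in Get-ChildItem -Path $UsbStorRoot -ErrorAction SilentlyContinue) {
        $id = ConvertFrom-UsbStorId -DeviceId $dev.PSChildName
        # Each subkey is one physical unit; its name is the instance ID
        # (derived from the serial number when the device reports one).
        foreach ($inst in Get-ChildItem -Path $dev.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Type         = $id.Type
                Vendor       = $id.Vendor
                Product      = $id.Product
                Revision     = $id.Revision
                InstanceId   = $inst.PSChildName
                FriendlyName = $props.FriendlyName
                Service      = $props.Service    # driver service bound to this device node
            }
        }
    }
}

Get-UsbStorHistory | Sort-Object Vendor, Product | Format-Table -AutoSize
```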

#7 Zoom7000

Posted 22 September 2006 - 08:21 AM

Thanks jaclaz. I hope it works, however, it will be a rather tedious fix because I would need to do the same for every machine. (400+)

Another way around the issue is to make the "Domain Users" group a member of the Local "Power Users" group and make sure that you have heavily restricted them from running *.cpl and *.msc via group policy. Again, making Domain Users members of the Local Power Users group would need to be done on EVERY machine! :realmad:

Is there a script that can be run at logon that would allow me to make any Domain User that logs on to the machine a member of the Local Power Users group?

#8 jaclaz

Posted 22 September 2006 - 11:51 AM

It is not really my field, but wouldn't ACL solve the problem?:
http://setacl.sourceforge.net/
(GPL) :)

jaclaz

This post has been edited by jaclaz: 22 September 2006 - 11:52 AM


#9 Zoom7000

Posted 27 September 2006 - 02:21 AM

Thanks for that suggestion. I might give it a try. Is ACL easy to use?

#10 allen2

Posted 27 September 2006 - 08:08 AM

You could easily make a script to make domain users members of Power Users on every computer:
First create a global group in AD and add all the users you want to have local power users rights; for example, name it Powdomainusers.
Create a GPO which will run a startup script in local computer policy.
The script will be:
net localgroup "power users" domainname\powdomainusers /add


#11 Zoom7000

Posted 13 October 2006 - 03:07 AM

allen2, on Sep 27 2006, 08:08 AM, said:

You could easily make a script to make domain users members of Power Users on every computer:
First create a global group in AD and add all the users you want to have local power users rights; for example, name it Powdomainusers.
Create a GPO which will run a startup script in local computer policy.
The script will be:
net localgroup "power users" domainname\powdomainusers /add

Thanks for that allen2. However, although it answers my question, and I thought it would solve the issue, it doesn't seem to want to fix the problem. The message we are getting, and I didn't realise it at first, is "You need to be a member of the Administrators group on this computer to install this hardware". It then asks for a password. :realmad:

There is no way we can add kids to the Administrators group! So, looks like I'm back at square 1. :no:

Any ideas?

Zoom7000

#12 jaclaz

Posted 23 October 2006 - 07:20 AM

See if this works:
http://www.novell.co...ools/16306.html

Quote

Allow Users to Install USB Jump Drives
Novell Cool Solutions: Cool Tool

In Brief

Grant Users and Power Users the ability to install USB mass storage devices


jaclaz

P.S.: IF it does, you owe me a beer ;)

#13 Zoom7000

Posted 07 November 2006 - 05:15 AM

I'm gonna give this a try, if it works, then can I get you a coke instead? I don't drink beer! :P

#14 jaclaz

Posted 07 November 2006 - 11:15 AM

Yep, as long as it is a "real" coke, as john newbigin put it:
http://uranus.it.swi...au/~jn/coke.htm

B)

jaclaz

#15 snowden

Posted 14 January 2007 - 02:15 PM

Ctrl-X, on Sep 20 2006, 05:12 PM, said:

Make sure the drivers for these devices are signed and pre-installed. Then it should be possible to have them installed automatically when needed. See *this KB article* for details.


I have this problem where after I have made an nLite version of Windows 2003 Datacenter, I input my USB flash drive (and any other USB drives and so on) and I am subsequently prompted to install 'Generic Volume'. However, when I was using the full installation of Windows 2003, I never had to confirm any driver installation, because I would get a notification balloon in the taskbar saying the drive (or flash drive) device has been recognised, and it would all install automatically. So, having looked at your post above, I have come to the conclusion that somehow nLite breaks signed drivers or something along those lines. Is there something I could do in nLite to prevent this popup from appearing (which at one time asked me to continue, because the drivers weren't marked as signed!), or is there some other thing I am overlooking? Thanks in advance! ;)

#16 Zoom7000

Posted 02 February 2007 - 08:20 AM

jaclaz, on Oct 23 2006, 07:20 AM, said:

See if this works:
http://www.novell.co...ools/16306.html

Quote

Allow Users to Install USB Jump Drives
Novell Cool Solutions: Cool Tool

In Brief

Grant Users and Power Users the ability to install USB mass storage devices


jaclaz

P.S.: IF it does, you owe me a beer ;)

Unfortunately, this didn't fix the problem, so I'm still searching for a solution...

#17 jaclaz

Posted 02 February 2007 - 09:33 AM

Did you try with the suggestion at the bottom of the page?

Quote

Alter permissions on %*WINSYS%\inf\usbstor.inf with r,w,c for the group that you want to have permission to "install" usb devices.


jaclaz

#18 Zoom7000

Posted 02 February 2007 - 09:59 AM

I think you'll find that .exe does that anyway. I've looked at the script:

;AllowUSBJumpDrives.au3
;Created by Jeremy Mlazovsky
If IsAdmin ( ) = 0 Then
	MsgBox ( 0+48+262144, 'Uh oh!', 'You need to have administrator-level access to run this utility!' )
	Exit
EndIf

Dim $file = 'C:\Windows\inf\usbstor.inf'
Dim $group 
$group = 'Power Users'
SplashTextOn ( $group, 'Updating permissions for the file' & @CRLF & $file & ' to' & @CRLF & 'Modify, Read and Execute, Read, Write!', 300, 75 )
RunWait ( 'cacls ' & $file & ' /E /G "' & $group & '":R', '',@SW_HIDE )
RunWait ( 'cacls ' & $file & ' /E /G "' & $group & '":W', '',@SW_HIDE )
RunWait ( 'cacls ' & $file & ' /E /G "' & $group & '":C', '',@SW_HIDE )
Sleep ( 2500 )

$group = 'Users'
SplashTextOn ( $group, 'Updating permissions for the file' & @CRLF & $file & ' to' & @CRLF & 'Modify, Read and Execute, Read, Write!', 300, 75 )
RunWait ( 'cacls ' & $file & ' /E /G "' & $group & '":R', '', @SW_HIDE )
RunWait ( 'cacls ' & $file & ' /E /G "' & $group & '":W', '', @SW_HIDE )
RunWait ( 'cacls ' & $file & ' /E /G "' & $group & '":C', '', @SW_HIDE )
Sleep ( 2500 )

SplashOff()

MsgBox ( 0+262144, @ScriptName, 'Users and Power Users should now be able to install USB Flash drives!', 10 )


Could it be anything to do with Driver Signing? Albeit I have told AD to ignore all instances of Driver Signing.
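A read-only check of what the script quoted above leaves behind, as an added example that is not part of the thread or of the Novell tool: it resolves the INF path from `%SystemRoot%` and lists every principal, other than an expected set, that holds write-type access to `usbstor.inf`. The expected set (SYSTEM, Administrators, TrustedInstaller) and the function name are assumptions of this example.

```powershell
# Added example (read-only): who, besides the expected principals, can modify usbstor.inf?
$InfPath = Join-Path $env:SystemRoot 'inf\usbstor.inf'   # resolved, not a fixed C:\Windows

# Rights that let a principal change the file, its ACL or its owner,
# plus the raw GENERIC_WRITE / GENERIC_ALL bits an ACE may carry instead.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

# Well-known SIDs expected to hold write access (assumption of this example).
$ExpectedWriters = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # TrustedInstaller
)

function Get-UnexpectedInfWriter {
    param([string]$Path = $InfPath)
    # Ask for SIDs so the check does not depend on localized group names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($ExpectedWriters -contains $sid) { continue }
        $name = $(try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                  catch { $sid })   # unresolvable SID: show it as-is
        [pscustomobject]@{
            Sid       = $sid
            Account   = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# After the cacls /G "<group>":C calls above, Users and Power Users appear here with Modify.
Get-UnexpectedInfWriter | Format-Table -AutoSize
```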

#19 jaclaz

Posted 02 February 2007 - 11:09 AM

Yes, that's exactly the idea behind the script, i.e. setting ACL permissions; the problem is that the path is "hardcoded" as 'C:\Windows\inf\usbstor.inf', so it won't work if you have a different %windir%/%SystemRoot%.

The only thing that should prevent installing the USB device is if the device is not standard, i.e. it does not comply with either the explicit vid&pid or the general Class&Subclass declared in usbstor.inf.

Also check permissions on the tree above USBSTOR.INF; maybe something needs to be changed there. As said, I am not an expert on this, but maybe some Ownership and Inheritance settings do override the file ones.

A test you could make, if you can make a test install, is to set up XP on a FAT32 partition....


Another idea (again of which I have NO experience) could be using NTRIGHTS:
http://www.ss64.com/nt/ntrights.html

with the "SeLoadDriverPrivilege"


jaclaz

This post has been edited by jaclaz: 02 February 2007 - 11:24 AM
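SeLoadDriverPrivilege is the "Load and unload device drivers" right from the first post, and it lets its holder load kernel-mode drivers, so it is worth checking who holds it after any change made with a tool such as NTRIGHTS. The following is an added example, not part of the thread: it exports the local user-rights policy with `secedit` and compares the holders against the baseline the first post reports (Administrators and Print Operators). The function name and temporary file name are assumptions of this example.

```powershell
# Added example: who holds SeLoadDriverPrivilege ("Load and unload device drivers")?
# Run from an elevated prompt; secedit only exports the policy here, it changes nothing.
$Baseline = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-550' = 'Print Operators' }

function Get-LoadDriverHolder {
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (prompt not elevated?)' }
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeLoadDriverPrivilege\s*=' }
        if (-not $line) { return }            # the right is assigned to nobody
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # SIDs are exported with a leading asterisk
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            } else {
                # Entries exported by account name are resolved to a SID
                $sid = (New-Object System.Security.Principal.NTAccount ($entry)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
            }
            $name = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                      catch { $sid.Value })   # unresolvable SID: show it as-is
            [pscustomobject]@{
                Sid        = $sid.Value
                Account    = $name
                InBaseline = $Baseline.ContainsKey($sid.Value)
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Any row with InBaseline = False is a holder beyond the default two groups.
Get-LoadDriverHolder | Format-Table -AutoSize
```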


#20 Zoom7000

Posted 05 February 2007 - 03:13 AM

Right, I'm gonna give ntrights a try and hope for the best!
