Allowing Users to Install Hardware Device Drivers

[Zoom7000]

I work in a school and teachers and students are expected to save documents and files on USB flash drives. However, I have an issue where when the USB flash drive is plugged in Windows tries to install device drivers for "USB Mass Storage Device", "Disk Drive" and "Generic Volume". Obviously regular users can't do this. I have tried going to:

secpol.msc > Security Settings > Local Policies > User Rights Assignment > Load and unload device drivers > Add User or Group

However, the Add User of Group option is greyed out. All I have in the Allowed Users is Administrators and Print Operators.

So is there anyway I can allow users to, in theory, add hardware?

Zoom7000

[Ctrl-X]

Make sure the drivers for these devices are signed and pre-installed. Then it should be possible to have them installed automatically when needed. See *this KB article* for details.

[Zoom7000]

Well, its easy to say the drivers need to be signed and preinstalled, but, there is no way that I can get drivers for all possible USB flash drives. So any other options?

[fizban2]

set a standard for USB devices, maybe start selling them in the library. USB drivers are pretty generic you will find if you go out and look at them,

[Zoom7000]

Well, its a pretty tough measure to do. The area is generally regarded as one of the most deprived areas in London. So kids generally look for the quick bargain outside of school. You'll find cheap MP3 players, cheap USB flash drives, branded drives. So it's a problem I need to work around rather than go back to planning from scratch.

Thanks for the help guys, however any more ideas are very welcome!

[jaclaz]

Well, actually under 2000/XP, the actual drivers, at least those that allow read-write access to standard Mass Storage devices, i.e. those that do not have "private" partitions or other custom or brand specific formatting, are 99,99% the same, USBSTOR.SYS.

Problem is the way that the corresponding .INF file is structured and the number of different ID's the different sticks have.

Open with a Registry editor or viewer the registry on one of the machines of which the sticks have been mounted, at this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

or corresponding

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR

You will see a (LONG) list of all devices that were ever mounted.

This happens because devices have their own identity "coupled" with the driver.

Check this entry also:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\

It should be possible, but mind you, this is just an idea, to install it in the CriticalDeviceDatabase, then you may not have the need to re-install the same driver again and again each time a new device is connected, as it will already be running.

Some info can be taken from this (LOOONG) thread here:

http://www.911cd.net/forums//index.php?showtopic=14181

Particularly these posts from sisal:

http://www.911cd.net/forums//index.php?s=&...ost&p=99087

http://www.911cd.net/forums//index.php?s=&...st&p=101267

but you will need to read a lot more if you want to follow this hint.

jaclaz

[Zoom7000]

Thanks jaclaz. I hope it works, however, it will be a rather tedious fix because I would need to do the same for every machine. (400+)

Another way around the issue is to make the "Domain Users" group a member of the Local "Power Users" group and make sure that you have heavily restricted them from running *.cpl and *.msc via group policy. Again, making Domain Users members of the Local Power Users group would need to be done on EVERY machine!

Is there a script that can be run at logon that would allow me to make any Domain User that logs on to the machine a member of the Local Power Users group?

[jaclaz]

It is not really my field, but wouldn't ACL solve the problem?:

http://setacl.sourceforge.net/

(GPL)

jaclaz

Edited September 22, 2006 by jaclaz

[Zoom7000]

Thanks for that suggestion. I might give it a try. Is ACL easy to use?

[allen2]

You could easily make script to make domain user member of power of every computer:

First create a global group in AD add all users you want to have local power users rights for example name it Powdomainusers.

Create a GPO which will run a startup script in local computer policy.

The script will be :

net localgroup "power users" domainname\powdomainusers /add

[Zoom7000]

You could easily make script to make domain user member of power of every computer:

First create a global group in AD add all users you want to have local power users rights for example name it Powdomainusers.

Create a GPO which will run a startup script in local computer policy.

The script will be :

net localgroup "power users" domainname\powdomainusers /add

Thanks for that allen2. However, although it answers my question, and I thought it would solve the issue. It doesn't seem to want to fix the problem. The message we are getting, and I didn't realise it at first, is that "You need to be a member of the Administrators group on this computer to install this hardware" It then asks for a password.

There is no way we can add kids to the Administrators group! So, looks like I'm back at square 1.

Any ideas?

Zoom7000

[jaclaz]

See if this works:

http://www.novell.com/coolsolutions/tools/16306.html

Allow Users to Install USB Jump Drives

Novell Cool Solutions: Cool Tool

In Brief

Grant Users and Power Users the ability to install USB mass storage devices

jaclaz

P.S.: IF it does, you owe me a beer

[Zoom7000]

I'm gonna give this a try, if it works, then can I get you a coke instead? I don't drink beer!

[jaclaz]

Yep, as long as it is a "real" coke, as john newbigin put it:

http://uranus.it.swin.edu.au/~jn/coke.htm

B)

jaclaz

[snowden]

Make sure the drivers for these devices are signed and pre-installed. Then it should be possible to have them installed automatically when needed. See *this KB article* for details.

I have this problem where after I have made a nlite version of windows 2003 datacenter, i input my usb flash drive (and any other usb drives and so on) and i am subsequently prompted to install 'Generic Volume'. However, when I was using the full installation of windows 2003, I have never had to confirm any driver installation, because i would get a notification balloon in the taskbar saying the drive (or flashdrive) device has been recognised, and it would all install automatically. So therefore, having looked at your post above, i have come to the conclusion that somehow nlite breaks signed drivers or something along those lines. Is there something i could do in nlite to prevent this popup from appearing (which at one time asked me to continue, because the drivers weren't marked as signed!), or is there some other thing i am overlooking? Thanx in advance!