Device Installation - Elevated Privileges

Posted: 02-12-2008, 05:17 PM
Hi, I have a question which has been bugging me since we rolled out Vista to
our desktops almost a year ago....

Whenever I have to go to a user's PC to install a new device (USB Storage Key
for example) I usually have to spend about 10 minutes there as the Elevated
Privileges dialog box will pop up several times, as each component of the
device tries to install itself...

Is there any way to set this up so that when you approve a device for
installation, all the drivers and components for that device are also
approved for install - it's quite frustrating having to spend 10 minutes
doing a task which should take 30 seconds!

Thanks in advance for any help/advice

Mike Dower
Sys admin - Ministry of Sound

Responses to "Device Installation - Elevated Privileges"

Darrell Gorter[MSFT]
RE: Device Installation - Elevated Privileges
Posted: 02-13-2008, 12:52 AM
Hello Mike,
You can use Group Policy to change this setting.
MMC.exe, load snap-in, Group Policy, Local machine.

Local Computer Policy
-Windows Settings
- - Security Settings
- - - Local Policies
- - - - User Rights Assignment
- - - - - Load and unload device drivers

This user right determines which users can dynamically load and unload
device drivers or other code into kernel mode. This user right does not
apply to Plug and Play device drivers. It is recommended that you do not
assign this privilege to other users.
Caution
Assigning this user right can be a security risk. Do not assign this user
right to any user, group, or process that you do not want to take over the
system.
Default on workstations and servers: Administrators.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
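
A check an administrator might run before or after touching the "Load and unload device drivers" right described in the reply above. This is an added example, not part of the original post: the function name Get-LoadDriverHolders is hypothetical, and it assumes an elevated prompt with secedit.exe available.

```powershell
# Added example: list which accounts hold "Load and unload device drivers"
# (SeLoadDriverPrivilege) in the effective local security policy.
function Get-LoadDriverHolders {
    param(
        # Path to an INF produced by "secedit /export"; exported to a temp file if omitted.
        [string]$InfPath
    )
    $cleanup = $false
    if (-not $InfPath) {
        $InfPath = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        secedit.exe /export /cfg $InfPath /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE); run elevated." }
        $cleanup = $true
    }
    try {
        # The [Privilege Rights] section holds one "Name = holder,holder" line per right.
        $line = Get-Content -LiteralPath $InfPath |
            Where-Object { $_ -match '^\s*SeLoadDriverPrivilege\s*=' } |
            Select-Object -First 1
    } finally {
        if ($cleanup) { Remove-Item -LiteralPath $InfPath -ErrorAction SilentlyContinue }
    }
    if (-not $line) { return @() }   # right is not assigned to anyone

    foreach ($entry in ($line -split '=', 2)[1] -split ',') {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $name = $entry
        $sid  = $null
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'
            $sid = $entry.TrimStart('*')
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = $sid }   # unresolvable SID, e.g. a deleted account
        }
        [pscustomobject]@{
            Account  = $name
            Sid      = $sid
            # S-1-5-32-544 is the built-in Administrators group, the default holder
            Expected = ($sid -eq 'S-1-5-32-544')
        }
    }
}

Get-LoadDriverHolders | Sort-Object Expected | Format-Table -AutoSize
```

Any row with Expected = False is a principal other than Administrators that can load kernel-mode code and is worth reviewing.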

Mike Dower
RE: Device Installation - Elevated Privileges
Posted: 02-13-2008, 08:45 AM
Hi Darrell,

Thanks for getting back to me......we actually restrict device installation
through the Device Installation GPO and block users installing devices such
as USB Keys, External HDDs etc as a way of locking down our desktops, so I
wouldn't want to grant users access to install Drivers in this way.

My question was just that if I am going to a user's desktop and saying 'ok,
you can use this device' is there a way of me just entering my Admin username
and password once and the elevated privileges being applied to all subsequent
driver installs for that device at that time? Rather than being prompted
to enter my logon each time a different component of the device needs to
download and install a driver?

Thanks again

Mike

Darrell Gorter[MSFT]
RE: Device Installation - Elevated Privileges
Posted: 02-14-2008, 12:43 AM
Hello Mike,
Not that I am aware of for that situation.
Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights