Real Geek Forums > Archives > Operating Systems > Windows Vista > Windows Vista Administration > How to make a "special" administrator in Vista?

How to make a "special" administrator in Vista?

Posted: 01-15-2007, 06:26 PM
Dave R.
Guest
Posts: n/a
 
We have some users that need to be able to install printers, change date
/ time, and install new hardware / drivers. In XP, we found workarounds
for the printer and date/time but since only administrators can install
new hardware / drivers we had to relent and give local administrator
accounts to these users.

In Vista, it looks like standard users can install printers and change
date/time, but cannot install new hardware / drivers (not that this is a
bad thing, mind you). Is it possible (and if so, how) in Vista to give
certain users the ability to install new hardware / drivers, but not
have full administrator capabilities, or will we have to relent and give
local administrator accounts to these users under Vista as well?

Regards,

Dave


Reply With Quote

Responses to "How to make a "special" administrator in Vista?"

Jimmy Brush
Guest
Posts: n/a
 
Re: How to make a "special" administrator in Vista?
Posted: 01-15-2007, 07:07 PM
Hello,

There's two things you can do in Windows Vista to mitigate this problem.

1) Add pre-trusted drivers to the driver store

Drivers in the driver store can be installed by a standard user.
http://www.vistaclues.com/driver-sta...windows-vista/

2) Allow users to install signed drivers for certain device classes

Through group policy, you can assign users the privilege to install drivers
for specific classes of drivers.

- Open an mmc console (click start, type mmc, press enter)
- Click file -> add/remove snapin
- Add group policy object editor to the list and click ok
- browse to local computer policy -> Computer Configuration ->
Administrative Templates -> System -> Driver Installation
- Double-click "Allow non-administrators to install drivers..."
- Set to enabled and click Show...
- Add the GUID's of the classes of hardware you wish to allow non-admins to
install

To see the list of hardware class GUID's, open up the registry editor
(regedit) and browse to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Class

Each subkey of "class" is a GUID, and if you click on that subkey, the text
in the Default value will tell you the friendly name of the class of
hardware that GUID refers to. To easily copy the GUID to the clipboard, you
can right-click it, click rename, right-click again and click copy, and then
click off of the guid.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

Reply With Quote
Dave R.
Guest
Posts: n/a
 
Re: How to make a "special" administrator in Vista?
Posted: 01-15-2007, 08:27 PM

"Jimmy Brush" <JimmyBrush@discussions.microsoft.com> wrote in message
news:46932CBC-C566-4F7C-B53F-61420841FEE8@microsoft.com...
> Hello,
>
> There's two things you can do in Windows Vista to mitigate this
> problem.
>
> 1) Add pre-trusted drivers to the driver store
>
> Drivers in the driver store can be installed by a standard user.
> http://www.vistaclues.com/driver-sta...windows-vista/
>
> 2) Allow users to install signed drivers for certain device classes
>
> Through group policy, you can assign users the privilege to install
> drivers for specific classes of drivers.
>
> - Open an mmc console (click start, type mmc, press enter)
> - Click file -> add/remove snapin
> - Add group policy object editor to the list and click ok
> - browse to local computer policy -> Computer Configuration ->
> Administrative Templates -> System -> Driver Installation
> - Double-click "Allow non-administrators to install drivers..."
> - Set to enabled and click Show...
> - Add the GUID's of the classes of hardware you wish to allow
> non-admins to install
>
> To see the list of hardware class GUID's, open up the registry editor
> (regedit) and browse to the following location:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Class
>
> Each subkey of "class" is a GUID, and if you click on that subkey, the
> text in the Default value will tell you the friendly name of the class
> of hardware that GUID refers to. To easily copy the GUID to the
> clipboard, you can right-click it, click rename, right-click again and
> click copy, and then click off of the guid.
>
Thanks, I'll give that a go and see how it works for us. Just to
clarify, the second method only allows signed drivers, correct?

Best regards,

Dave


Reply With Quote
Jimmy Brush
Guest
Posts: n/a
 
Re: How to make a "special" administrator in Vista?
Posted: 01-16-2007, 01:23 AM
That's correct, signed drivers only.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
Reply With Quote
Freak
Guest
Posts: n/a
 
Re: How to make a "special" administrator in Vista?
Posted: 01-16-2007, 03:25 AM
It’s been my finding that you are either an administrator or you are
not. The only thing that "prevents" anyone from doing anything as
an administrator is the warning that pops up and most people ignore it
and continue on. I’m afraid that you will have to give these folks
full access.

Maybe you can set up an administrator’s account that has a generic
name and password (assuming you are on a network) and allow those
persons a certain amount of time to access as an administrator and do
what they have to do and when that time is up, go in and change the
password. Thus, ensuring that they can only access when you are aware
that they are doing so.

"Dave R." wrote:
> We have some users that need to be able to install printers,
> change date
> / time, and install new hardware / drivers. In XP, we found
> workarounds
> for the printer and date/time but since only administrators
> can install
> new hardware / drivers we had to relent and give local
> administrator
> accounts to these users.
>
> In Vista, it looks like standard users can install printers
> and change
> date/time, but cannot install new hardware / drivers (not that
> this is a
> bad thing, mind you). Is it possible (and if so, how) in
> Vista to give
> certain users the ability to install new hardware / drivers,
> but not
> have full administrator capabilities, or will we have to
> relent and give
> local administrator accounts to these users under Vista as
> well?
>
> Regards,
>
> Dave
Reply With Quote
 
LinkBack Thread Tools Display Modes
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
ANS: "What's the deal with UAC (Windows Needs Your Permission screens)" and "...But I thought I was an administrator" Jimmy Brush Windows Vista File Management 193 07-20-2008 11:29 AM
ANS: "What's the deal with UAC (Windows Needs Your Permission screens)" and "...But I thought I was an administrator" Jimmy Brush Windows Vista Administration 194 07-20-2008 11:29 AM
ANS: "What's the deal with UAC (Windows Needs Your Permission screens)" and "...But I thought I was an administrator" Jimmy Brush Windows Vista Security 202 07-20-2008 11:29 AM
can´t change from my "guest-"account to my "administrator-acconut" Lisa Windows XP Help & Support 2 10-25-2003 10:54 PM
How to make the "search text" feature work with non "txt" file Sharon F Windows XP Basics 0 06-30-2003 08:43 PM