How to make a "special" administrator in Vista?

We have some users that need to be able to install printers, change date
/ time, and install new hardware / drivers. In XP, we found workarounds
for the printer and date/time but since only administrators can install
new hardware / drivers we had to relent and give local administrator
accounts to these users.

In Vista, it looks like standard users can install printers and change
date/time, but cannot install new hardware / drivers (not that this is a
bad thing, mind you). Is it possible (and if so, how) in Vista to give
certain users the ability to install new hardware / drivers, but not
have full administrator capabilities, or will we have to relent and give
local administrator accounts to these users under Vista as well?

Regards,

Dave

Hello,

There's two things you can do in Windows Vista to mitigate this problem.

1) Add pre-trusted drivers to the driver store

Drivers in the driver store can be installed by a standard user.
http://www.vistaclues.com/driver-sta...windows-vista/

2) Allow users to install signed drivers for certain device classes

Through group policy, you can assign users the privilege to install drivers
for specific classes of drivers.

- Open an mmc console (click start, type mmc, press enter)
- Click file -> add/remove snapin
- Add group policy object editor to the list and click ok
- browse to local computer policy -> Computer Configuration ->
Administrative Templates -> System -> Driver Installation
- Double-click "Allow non-administrators to install drivers..."
- Set to enabled and click Show...
- Add the GUID's of the classes of hardware you wish to allow non-admins to
install

To see the list of hardware class GUID's, open up the registry editor
(regedit) and browse to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Class

Each subkey of "class" is a GUID, and if you click on that subkey, the text
in the Default value will tell you the friendly name of the class of
hardware that GUID refers to. To easily copy the GUID to the clipboard, you
can right-click it, click rename, right-click again and click copy, and then
click off of the guid.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

"Jimmy Brush" <> wrote in message
news:46932CBC-C566-4F7C-B53F-...
> Hello,
>
> There's two things you can do in Windows Vista to mitigate this
> problem.
>
> 1) Add pre-trusted drivers to the driver store
>
> Drivers in the driver store can be installed by a standard user.
> http://www.vistaclues.com/driver-sta...windows-vista/
>
> 2) Allow users to install signed drivers for certain device classes
>
> Through group policy, you can assign users the privilege to install
> drivers for specific classes of drivers.
>
> - Open an mmc console (click start, type mmc, press enter)
> - Click file -> add/remove snapin
> - Add group policy object editor to the list and click ok
> - browse to local computer policy -> Computer Configuration ->
> Administrative Templates -> System -> Driver Installation
> - Double-click "Allow non-administrators to install drivers..."
> - Set to enabled and click Show...
> - Add the GUID's of the classes of hardware you wish to allow
> non-admins to install
>
> To see the list of hardware class GUID's, open up the registry editor
> (regedit) and browse to the following location:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Class
>
> Each subkey of "class" is a GUID, and if you click on that subkey, the
> text in the Default value will tell you the friendly name of the class
> of hardware that GUID refers to. To easily copy the GUID to the
> clipboard, you can right-click it, click rename, right-click again and
> click copy, and then click off of the guid.
>

Thanks, I'll give that a go and see how it works for us. Just to
clarify, the second method only allows signed drivers, correct?

Best regards,

Dave

That's correct, signed drivers only.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

It’s been my finding that you are either an administrator or you are
not. The only thing that "prevents" anyone from doing anything as
an administrator is the warning that pops up and most people ignore it
and continue on. I’m afraid that you will have to give these folks
full access.

Maybe you can set up an administrator’s account that has a generic
name and password (assuming you are on a network) and allow those
persons a certain amount of time to access as an administrator and do
what they have to do and when that time is up, go in and change the
password. Thus, ensuring that they can only access when you are aware
that they are doing so.

"Dave R." wrote:
> We have some users that need to be able to install printers,
> change date
> / time, and install new hardware / drivers. In XP, we found
> workarounds
> for the printer and date/time but since only administrators
> can install
> new hardware / drivers we had to relent and give local
> administrator
> accounts to these users.
>
> In Vista, it looks like standard users can install printers
> and change
> date/time, but cannot install new hardware / drivers (not that
> this is a
> bad thing, mind you). Is it possible (and if so, how) in
> Vista to give
> certain users the ability to install new hardware / drivers,
> but not
> have full administrator capabilities, or will we have to
> relent and give
> local administrator accounts to these users under Vista as
> well?
>
> Regards,
>
> Dave