Applies To: Windows 7, Windows Server 2008 R2
By default, only members of the Administrators group on a computer can install devices. This is because only an administrator can place a driver package into the driver store, a necessary step in the installation process. With Windows Vista® and Windows Server® 2008 you can configure computer policy on your computer to allow limited users the ability to install devices from specific device setup classes.
This topic provides procedures you can use to determine the device setup class for a hardware device, and then add that device setup class to the policy to allow a limited user to install drivers for that device without requiring elevated permissions.
Determine the device setup class for a specific hardware device
Configure policy to allow a limited user to stage devices for a specific device setup class
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
Determine the device setup class for a specific hardware device
Before you can grant permission to install a specific device, you must determine the device setup class that Windows uses to uniquely identify that device. You can do this by viewing the .inf file of the device driver package, or by viewing the properties of a currently installed device.
To determine the device setup class by viewing the.inf file of a device driver package
Open the .inf file of device driver package in Notepad.
Find the section beginning with the text [Version].
Find the line in that section beginning with the text ClassGuid=.
Copy the value to the right of the equals sign to the clipboard, and then paste it anywhere it is needed.
To determine the device setup class by viewing the properties of a currently installed device
Install your device on a test computer.
Open Device Manager on that computer.
Find your device in the Device Manager tree.
Double-click your device to display the Properties page.
Click the Details tab.
In the Property list, select Device class guid.
Right-click the GUID, click Copy, and then paste it anywhere it is needed.
Configure policy to allow a limited user to stage devices for a specific device setup class
Windows supports policies that an administrator can use to control which devices can be installed by limited users. By default, only administrators can install devices. Windows enforces this policy during the staging of the device driver in the driver store. For more information about staging, see Stage a Device Driver in the Driver Store.
noteNote
This procedure is appropriate for a small number of computers. To effectively apply policy to a large number of computers, use a tool such as Group Policy. For information about Group Policy, see Group Policy on the Windows Server TechCenter (http://go.microsoft.com/fwlink/?linkid=55625).
To configure computer policy to allow a limited user to stage drivers for a specific device setup class
Follow the steps in one of the previous procedures to determine the device setup class GUID for your device.
Click Start, and then in the Start Search box, type mmc gpedit.msc, and then press Enter to run Local Group Policy Object Editor.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In Local Group Policy Object Editor, under Local Computer Policy, double-click each of the following: Computer Configuration, Administrative Templates, System, and then Driver Installation.
In the details pane, double-click Allow non-administrators users to install drivers for these device classes.
Select Enabled to turn on the computer policy.
Click Show to display the current list of approved device setup classes.
In the Show Contents dialog box, click Add.
In the Add Item dialog box, enter the GUID of the device setup class including the curly braces {}, and then click OK.
Click OK to close the Show Contents dialog box.
Click OK to close the computer policy.
In the State column, the policy is now Enabled.
Limited users on this computer (or any computer to which this policy applies) can now install devices for this device setup class without requiring any elevated rights.
ImportantImportant
The device driver package must still be signed in accordance with computer policy. If the certificate for the driver publisher is not in the Trusted Publishers certificate store, then the user will be prompted to accept the unverified certificate during the installation process.
Additional references
Installing Devices and their Drivers
Stage a Device Driver in the Driver Store
Configure Windows to Search Additional Folders for Device Drivers
Configure Windows to Search Windows Update for Device Drivers
By default, only members of the Administrators group on a computer can install devices. This is because only an administrator can place a driver package into the driver store, a necessary step in the installation process. With Windows Vista® and Windows Server® 2008 you can configure computer policy on your computer to allow limited users the ability to install devices from specific device setup classes.
This topic provides procedures you can use to determine the device setup class for a hardware device, and then add that device setup class to the policy to allow a limited user to install drivers for that device without requiring elevated permissions.
Determine the device setup class for a specific hardware device
Configure policy to allow a limited user to stage devices for a specific device setup class
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
Determine the device setup class for a specific hardware device
Before you can grant permission to install a specific device, you must determine the device setup class that Windows uses to uniquely identify that device. You can do this by viewing the .inf file of the device driver package, or by viewing the properties of a currently installed device.
To determine the device setup class by viewing the.inf file of a device driver package
Open the .inf file of device driver package in Notepad.
Find the section beginning with the text [Version].
Find the line in that section beginning with the text ClassGuid=.
Copy the value to the right of the equals sign to the clipboard, and then paste it anywhere it is needed.
To determine the device setup class by viewing the properties of a currently installed device
Install your device on a test computer.
Open Device Manager on that computer.
Find your device in the Device Manager tree.
Double-click your device to display the Properties page.
Click the Details tab.
In the Property list, select Device class guid.
Right-click the GUID, click Copy, and then paste it anywhere it is needed.
Configure policy to allow a limited user to stage devices for a specific device setup class
Windows supports policies that an administrator can use to control which devices can be installed by limited users. By default, only administrators can install devices. Windows enforces this policy during the staging of the device driver in the driver store. For more information about staging, see Stage a Device Driver in the Driver Store.
noteNote
This procedure is appropriate for a small number of computers. To effectively apply policy to a large number of computers, use a tool such as Group Policy. For information about Group Policy, see Group Policy on the Windows Server TechCenter (http://go.microsoft.com/fwlink/?linkid=55625).
To configure computer policy to allow a limited user to stage drivers for a specific device setup class
Follow the steps in one of the previous procedures to determine the device setup class GUID for your device.
Click Start, and then in the Start Search box, type mmc gpedit.msc, and then press Enter to run Local Group Policy Object Editor.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
In Local Group Policy Object Editor, under Local Computer Policy, double-click each of the following: Computer Configuration, Administrative Templates, System, and then Driver Installation.
In the details pane, double-click Allow non-administrators users to install drivers for these device classes.
Select Enabled to turn on the computer policy.
Click Show to display the current list of approved device setup classes.
In the Show Contents dialog box, click Add.
In the Add Item dialog box, enter the GUID of the device setup class including the curly braces {}, and then click OK.
Click OK to close the Show Contents dialog box.
Click OK to close the computer policy.
In the State column, the policy is now Enabled.
Limited users on this computer (or any computer to which this policy applies) can now install devices for this device setup class without requiring any elevated rights.
ImportantImportant
The device driver package must still be signed in accordance with computer policy. If the certificate for the driver publisher is not in the Trusted Publishers certificate store, then the user will be prompted to accept the unverified certificate during the installation process.
Additional references
Installing Devices and their Drivers
Stage a Device Driver in the Driver Store
Configure Windows to Search Additional Folders for Device Drivers
Configure Windows to Search Windows Update for Device Drivers
No comments:
Post a Comment