Zoom7000 Posted September 20, 2006 Posted September 20, 2006 I work in a school and teachers and students are expected to save documents and files on USB flash drives. However, I have an issue where when the USB flash drive is plugged in Windows tries to install device drivers for "USB Mass Storage Device", "Disk Drive" and "Generic Volume". Obviously regular users can't do this. I have tried going to:secpol.msc > Security Settings > Local Policies > User Rights Assignment > Load and unload device drivers > Add User or GroupHowever, the Add User of Group option is greyed out. All I have in the Allowed Users is Administrators and Print Operators.So is there anyway I can allow users to, in theory, add hardware?Zoom7000
Ctrl-X Posted September 20, 2006 Posted September 20, 2006 Make sure the drivers for these devices are signed and pre-installed. Then it should be possible to have them installed automatically when needed. See *this KB article* for details.
Zoom7000 Posted September 20, 2006 Author Posted September 20, 2006 Well, its easy to say the drivers need to be signed and preinstalled, but, there is no way that I can get drivers for all possible USB flash drives. So any other options?
fizban2 Posted September 20, 2006 Posted September 20, 2006 set a standard for USB devices, maybe start selling them in the library. USB drivers are pretty generic you will find if you go out and look at them,
Zoom7000 Posted September 21, 2006 Author Posted September 21, 2006 Well, its a pretty tough measure to do. The area is generally regarded as one of the most deprived areas in London. So kids generally look for the quick bargain outside of school. You'll find cheap MP3 players, cheap USB flash drives, branded drives. So it's a problem I need to work around rather than go back to planning from scratch.Thanks for the help guys, however any more ideas are very welcome!
jaclaz Posted September 21, 2006 Posted September 21, 2006 Well, actually under 2000/XP, the actual drivers, at least those that allow read-write access to standard Mass Storage devices, i.e. those that do not have "private" partitions or other custom or brand specific formatting, are 99,99% the same, USBSTOR.SYS.Problem is the way that the corresponding .INF file is structured and the number of different ID's the different sticks have.Open with a Registry editor or viewer the registry on one of the machines of which the sticks have been mounted, at this key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTORor correspondingHKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTORYou will see a (LONG) list of all devices that were ever mounted.This happens because devices have their own identity "coupled" with the driver.Check this entry also:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\It should be possible, but mind you, this is just an idea, to install it in the CriticalDeviceDatabase, then you may not have the need to re-install the same driver again and again each time a new device is connected, as it will already be running.Some info can be taken from this (LOOONG) thread here:http://www.911cd.net/forums//index.php?showtopic=14181Particularly these posts from sisal:http://www.911cd.net/forums//index.php?s=&...ost&p=99087http://www.911cd.net/forums//index.php?s=&...st&p=101267but you will need to read a lot more if you want to follow this hint. jaclaz
Zoom7000 Posted September 22, 2006 Author Posted September 22, 2006 Thanks jaclaz. I hope it works, however, it will be a rather tedious fix because I would need to do the same for every machine. (400+)Another way around the issue is to make the "Domain Users" group a member of the Local "Power Users" group and make sure that you have heavily restricted them from running *.cpl and *.msc via group policy. Again, making Domain Users members of the Local Power Users group would need to be done on EVERY machine! Is there a script that can be run at logon that would allow me to make any Domain User that logs on to the machine a member of the Local Power Users group?
jaclaz Posted September 22, 2006 Posted September 22, 2006 (edited) It is not really my field, but wouldn't ACL solve the problem?:http://setacl.sourceforge.net/(GPL) jaclaz Edited September 22, 2006 by jaclaz
Zoom7000 Posted September 27, 2006 Author Posted September 27, 2006 Thanks for that suggestion. I might give it a try. Is ACL easy to use?
allen2 Posted September 27, 2006 Posted September 27, 2006 You could easily make script to make domain user member of power of every computer:First create a global group in AD add all users you want to have local power users rights for example name it Powdomainusers.Create a GPO which will run a startup script in local computer policy. The script will be :net localgroup "power users" domainname\powdomainusers /add
Zoom7000 Posted October 13, 2006 Author Posted October 13, 2006 You could easily make script to make domain user member of power of every computer:First create a global group in AD add all users you want to have local power users rights for example name it Powdomainusers.Create a GPO which will run a startup script in local computer policy. The script will be :net localgroup "power users" domainname\powdomainusers /addThanks for that allen2. However, although it answers my question, and I thought it would solve the issue. It doesn't seem to want to fix the problem. The message we are getting, and I didn't realise it at first, is that "You need to be a member of the Administrators group on this computer to install this hardware" It then asks for a password. There is no way we can add kids to the Administrators group! So, looks like I'm back at square 1. Any ideas?Zoom7000
jaclaz Posted October 23, 2006 Posted October 23, 2006 See if this works:http://www.novell.com/coolsolutions/tools/16306.htmlAllow Users to Install USB Jump DrivesNovell Cool Solutions: Cool ToolIn BriefGrant Users and Power Users the ability to install USB mass storage devicesjaclazP.S.: IF it does, you owe me a beer
Zoom7000 Posted November 7, 2006 Author Posted November 7, 2006 I'm gonna give this a try, if it works, then can I get you a coke instead? I don't drink beer!
jaclaz Posted November 7, 2006 Posted November 7, 2006 Yep, as long as it is a "real" coke, as john newbigin put it:http://uranus.it.swin.edu.au/~jn/coke.htm B) jaclaz
snowden Posted January 14, 2007 Posted January 14, 2007 Make sure the drivers for these devices are signed and pre-installed. Then it should be possible to have them installed automatically when needed. See *this KB article* for details.I have this problem where after I have made a nlite version of windows 2003 datacenter, i input my usb flash drive (and any other usb drives and so on) and i am subsequently prompted to install 'Generic Volume'. However, when I was using the full installation of windows 2003, I have never had to confirm any driver installation, because i would get a notification balloon in the taskbar saying the drive (or flashdrive) device has been recognised, and it would all install automatically. So therefore, having looked at your post above, i have come to the conclusion that somehow nlite breaks signed drivers or something along those lines. Is there something i could do in nlite to prevent this popup from appearing (which at one time asked me to continue, because the drivers weren't marked as signed!), or is there some other thing i am overlooking? Thanx in advance!
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now