Problem: USB device driver package asks for local Admin
I have made packages with the WISE 5.5 device driver template and one described in the https://adelie.ucs.ed.ac.uk/dstwiki/index.php/device%20drivers article.
Both work fine in installing the drivers, but now the problem is that once a user wants to connect the USB device (Dymo Label) it asks for an administrator to install the new hardware.
The PCs are locked down for the user with a policy in the AD, and they cannot see or write to the root (C:) drive.
How can I solve this so that once a user connects the USB cable it automatically installs the drivers without asking for an admin?
Thanks
Dubwize
Answers (8)
Posted by:
Bigge
19 years ago
Posted by:
wiseapp
19 years ago
Posted by:
dubwize
19 years ago
This template is also the default for Device Driver template in Wise Package Studio 5.5, (which only works with one .inf file btw)
So I tried it, yes.
I install it initially as the local administrator (also did it with SMS). Files are being copied to the driver repository. Once the user logs in and connects the USB printer, it wants to copy and install the files as a new device. As admin this goes right. But the locked-down user gets a login box saying that an administrator needs to install this.
I don't want this.
Posted by:
wiseapp
19 years ago
Hi dub:
Since it's a locked down environment and the users do not have local admin rights, I would ask you to add a registry key to your current MSI that will give the user elevated privileges. Just add the following reg key to your package.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
KeyName: AlwaysInstallElevated
Value: 1
Just set these keys and your installation would run in admin context, so it would not ask you to log in as an admin for a locked-down user.
In case you require more help do let us know.
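An audit check for the policy named in the post above, added here as an example and not part of the original thread: Windows Installer applies AlwaysInstallElevated only when the value is 1 under both keys, and it then covers every .msi the user launches, not just one package. The function names are illustrative, and the HKCU result reflects the account that runs the script.

```powershell
# Added audit example (not from the thread). Reads the AlwaysInstallElevated
# policy value from both registry keys named in the post above.
$valueName  = 'AlwaysInstallElevated'
$policyKeys = [ordered]@{
    HKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    HKLM = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
}

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AlwaysInstallElevated {
    $state = [ordered]@{}
    foreach ($hive in $policyKeys.Keys) {
        $state[$hive] = Get-PolicyDword -Path $policyKeys[$hive] -Name $valueName
    }
    # The policy is honoured only when the value is 1 in BOTH hives.
    $effective = ($state['HKCU'] -eq 1) -and ($state['HKLM'] -eq 1)
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = "$env:USERDOMAIN\$env:USERNAME"
        HKCU      = $state['HKCU']
        HKLM      = $state['HKLM']
        Effective = $effective
    }
}

$result = Test-AlwaysInstallElevated
$result | Format-List
if ($result.Effective) {
    Write-Warning 'AlwaysInstallElevated is active: every .msi this user starts installs with elevated (system) privileges.'
    exit 1   # non-zero exit so a compliance job can flag the machine
}
```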
Posted by:
dubwize
19 years ago
Posted by:
wiseapp
19 years ago
Hi Dub:
I believe your GPO settings are overriding the elevated privileges key, that's why the application is asking for the admin account and password. If you could ask your sys admin whether he has this option that will override the elevated privileges then we need to think of something else.
Moreover you could also edit this property in your MSI along with the registry keys mentioned above:
ALLUSERS=2
Either you can hardcode this value in your MSI in the properties section or pass it as a command line parameter to your MSI:
msiexec.exe /i c:\abc.msi ALLUSERS=2
This would run the msi in system/machine context rather than user's context. If your GPO is allowed to give elevated rights to machine/system then the above should work.
Do let me know
Posted by:
dubwize
19 years ago
Nope not working. Tried ALLUSERS=1 ALLUSERS=2
In XP the default local machine policy is that only Power Users and Admins have rights to install new hardware.
The ideal situation is that a user can only plug in a device assigned by us. So that only for this instance they can install new hardware and drivers are installed by the package. That's it.
It seems that not everything can be solved with packages. Or am I wrong?
Satish
Posted by:
glwday
19 years ago
We had exactly the same problem with ActiveSync and our company's new phone from Orange. In the end we had to get the user to log a helpdesk call when they were ready to activate the phone connection to the PC and the ActiveSync software had already been installed remotely. Helpdesk would add them to the local PC admin group via DameWare. User logs out and in to pick up new privileges, plugs phone in - it can now install USB drivers. Helpdesk removes user from admin group, user logs out and back in so admin rights are removed. Not a great solution but effective and straightforward.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.