How to authorize standard users to install drivers on Windows XP

Solution 1:

The answer realistically is to upgrade. This is functionality was requested about 8 years ago and provided for in windows vista on up. There are specfic security enhancements pertaining to drivers and controlled by security policies now (Computer Configuration\Administrative Templates\System\Driver Installation). While there are partial workarounds that kinda get you there, all of them cause more headaches and other issues then they are worth. You'll spend more time fiddling around with this issue than you would dealing with any potential compatability issues with windows 7.

If you are really stuck with windows XP for some reason your best option is to preinstall the USB drivers required for the devices.

Solution 2:

Are you talking about Win7/Vista environment?

I would try this

1) Open up a GPO/policy editor 2)Computer Configuration\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled

Allowed device setup class GUIDs:

You might find the GUID you need here:

http://msdn.microsoft.com/en-us/library/ff553426%28v=VS.85%29.aspx

Solution 3:

I think for the average user, where the devices they may add are unknown ahead of time (and constantly changing), this is not possible or easily managed. However, for your specific scenario, is adding a USB device the only device they need to be able to add? If so, can you control what kind\brand\make\model of USB device? IF so, you can pre-install signed drivers and allow local users to load them. Note the difference here between load and install. Using the GPO setting in User Rights Assignment>Load and unload device drivers this below might work for you.

Copying with my own edits in brackets from an experts-exchange article:

Only Administrators can add device drivers.

The only way to accomplish this without giving users this permission is to due the following:

  1. Create a [network share with appropriate permissions]
  2. Create a folder structure [in this share for all devices but try to keep the full UNC paths as short as possible]

Each subfolder [should] contain just the drivers for each device you want to install.

Once you have your drivers copied there, you must change the following registry key on each machine by script in a GPO>Startup script.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion :: DevicePath

Add the UNC path to this key to where the drivers are located. You MUST point to each subfolder in your Drivers folder - example \servername\share$\A\0; etc...

A great tool for this is SetDevicePath - which can be run on a reference machine each time you add drivers so it will modify this key for you. All you have to do then is export the key then modify the reg file you're pushing out.

SetDevicePath: http://www.flachestirn.de/msfn/SetDevicePath.exe

Simply drop into a CMD prompt where this tool is located and run SetDevicePath \servername\Share$. It will parse all folders in there for you and set your key accordingly.

By using this key and the share, Windows will install drivers that you have available automatically without needing the user to be an Admin.

Additionally:

be careful of the length of your Path in this key. Keep the foldernames to 1 or 2 digits to conserve characters...

You are limited to 4096 characters in Windows 2000. In XP, the key can only be 64Kb.

Start with one driver to see how it behaves. Add others as you see the need to.

Some additional clarification, the policy setting mentioned above assumes the drivers are already installed.

Also from the same article

If you set this up correctly then all a user needs to do is call in when they need something new and you can add it to the share. The user then just needs to reboot and log into the domain.