Run unsigned PnP drivers by users without administrative rights

I have been trough a lot of documentation, but I haven't got a good solution
to this problem. We need to run unsigned PnP drivers, by users without
administrative privileges. This has to be done silently without dialogs. We
have tested the drivers and found them ok in our systems. Actually most of
them are drivers included in the Windows XP, but with INF-files for
additional hardware. We have also made packages of the driver installations,
so that everything is in place. We have no control over when the devices are
used for first time, but the device should just work when activated.
Everything work ok except that the users get the "found new hardware" dialog
and is prompted for an administrator account.

Is there any way to get around this? We have full control over the driver
files and the users have no access to change or remove the files. The
computer and user accounts are also fully controllable with GPO's.

Some white papers mention the use of "trusted path" but I can't figure out
how and I assume that is referred to when an unattended installation is done.

I also read something about using a local certificate. I couldn't find more
info about that either.

Any suggestions? Otherwise we have to grant our users administrative rights
and I would really hate that.

Arkady
Fri Oct 14 08:31:27 CDT 2005

You'll receive found dlg even in admin mode if you have unsigned driver,
after
installation you willn't have any problems of run time
Arkady

"Gard" <Gard@discussions.microsoft.com> wrote in message
news:08FF150F-020A-41B7-ABB6-6BB43AB70C45@microsoft.com...
>I have been trough a lot of documentation, but I haven't got a good
>solution
> to this problem. We need to run unsigned PnP drivers, by users without
> administrative privileges. This has to be done silently without dialogs.
> We
> have tested the drivers and found them ok in our systems. Actually most of
> them are drivers included in the Windows XP, but with INF-files for
> additional hardware. We have also made packages of the driver
> installations,
> so that everything is in place. We have no control over when the devices
> are
> used for first time, but the device should just work when activated.
> Everything work ok except that the users get the "found new hardware"
> dialog
> and is prompted for an administrator account.
>
> Is there any way to get around this? We have full control over the driver
> files and the users have no access to change or remove the files. The
> computer and user accounts are also fully controllable with GPO's.
>
> Some white papers mention the use of "trusted path" but I can't figure out
> how and I assume that is referred to when an unattended installation is
> done.
>
> I also read something about using a local certificate. I couldn't find
> more
> info about that either.
>
> Any suggestions? Otherwise we have to grant our users administrative
> rights
> and I would really hate that.

Ray
Fri Oct 14 12:07:34 CDT 2005

It will take you a lot less time and effort to get the drivers signed
than it will to figure out a hack around the OS's unsigned driver
protection.

And you'll end up with a more robust solution.

Gard wrote:
> I have been trough a lot of documentation, but I haven't got a good solution
> to this problem. We need to run unsigned PnP drivers, by users without
> administrative privileges. This has to be done silently without dialogs. We
> have tested the drivers and found them ok in our systems. Actually most of
> them are drivers included in the Windows XP, but with INF-files for
> additional hardware. We have also made packages of the driver installations,
> so that everything is in place. We have no control over when the devices are
> used for first time, but the device should just work when activated.
> Everything work ok except that the users get the "found new hardware" dialog
> and is prompted for an administrator account.
>
> Is there any way to get around this? We have full control over the driver
> files and the users have no access to change or remove the files. The
> computer and user accounts are also fully controllable with GPO's.
>
> Some white papers mention the use of "trusted path" but I can't figure out
> how and I assume that is referred to when an unattended installation is done.
>
> I also read something about using a local certificate. I couldn't find more
> info about that either.
>
> Any suggestions? Otherwise we have to grant our users administrative rights
> and I would really hate that.

--
Ray

Gard
Fri Oct 14 13:49:05 CDT 2005

I'll have to look into that.

I'm not going to do this manually on 2000 computers. I also have to have
this done within a couple of weeks.

I have also considered some solution with a local account with passwords
that are changed every day or something.

"Ray Trent" wrote:

> It will take you a lot less time and effort to get the drivers signed
> than it will to figure out a hack around the OS's unsigned driver
> protection.
>
> And you'll end up with a more robust solution.
>
> Gard wrote:
> > I have been trough a lot of documentation, but I haven't got a good solution
> > to this problem. We need to run unsigned PnP drivers, by users without
> > administrative privileges. This has to be done silently without dialogs. We
> > have tested the drivers and found them ok in our systems. Actually most of
> > them are drivers included in the Windows XP, but with INF-files for
> > additional hardware. We have also made packages of the driver installations,
> > so that everything is in place. We have no control over when the devices are
> > used for first time, but the device should just work when activated.
> > Everything work ok except that the users get the "found new hardware" dialog
> > and is prompted for an administrator account.
> >
> > Is there any way to get around this? We have full control over the driver
> > files and the users have no access to change or remove the files. The
> > computer and user accounts are also fully controllable with GPO's.
> >
> > Some white papers mention the use of "trusted path" but I can't figure out
> > how and I assume that is referred to when an unattended installation is done.
> >
> > I also read something about using a local certificate. I couldn't find more
> > info about that either.
> >
> > Any suggestions? Otherwise we have to grant our users administrative rights
> > and I would really hate that.
>
> --
> Ray
>