Right to load and unload device drivers on Win2003 DC

[dude]

I'm totally stumped by the design change on this one. We encountered a
problem that non-domain admin staff in our branch office need to reload some
device drivers on their brand new Win2003 DC. Our AD structure is based off
Win2k however. I modified the Default Domain Controller GPO so that the
regional staff global groups have "Load and Unload Device Driver" right ->
under Win2k. The same policy exists on Win2003 DC and applies, however, I
was pissed to see on Microsoft's website, "this right does not apply to
plug-n-play drivers." What gives?! It works for Win2k, but permission
denied to load drivers on Win2003 Server. Is there another group policy or
right somewhere I can use to permit non-admin users to load drivers on DC?

shed some light pleeeeeez.

thanks

 

[Jerold Schulman]

I'm totally stumped by the design change on this one. We encountered a
problem that non-domain admin staff in our branch office need to reload some
device drivers on their brand new Win2003 DC. Our AD structure is based off
Win2k however. I modified the Default Domain Controller GPO so that the
regional staff global groups have "Load and Unload Device Driver" right ->
under Win2k. The same policy exists on Win2003 DC and applies, however, I
was pissed to see on Microsoft's website, "this right does not apply to
plug-n-play drivers." What gives?! It works for Win2k, but permission
denied to load drivers on Win2003 Server. Is there another group policy or
right somewhere I can use to permit non-admin users to load drivers on DC?

shed some light pleeeeeez.

thanks

The right or policy doesn't apply to Png?
Where di you see this.
Have you seen http://support.microsoft.com?kbid=317498

You could try setting the SeLoadDriverPrivilege
using NTRights, which you can download from tip 6705 in the 'Tips & Tricks' at
http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com

 

[dude]

Right here,
http://www.microsoft.com/resources/...wsserv/2003/datacenter/proddocs/en-us/543.asp

a specific sentence states, "This user right does not apply to Plug and Play
device drivers. It is recommended that you do not assign this privilege to
other users. Instead, use the StartService() API. "

I've tried this myself. I indeed can't load or unload device drivers even
if the right is given on Windows 2003. It works on Windows 2000.

 

[Trust No One®]

I'm totally stumped by the design change on this one. We encountered
a problem that non-domain admin staff in our branch office need to
reload some device drivers on their brand new Win2003 DC. Our AD
structure is based off Win2k however. I modified the Default Domain
Controller GPO so that the regional staff global groups have "Load
and Unload Device Driver" right -> under Win2k. The same policy
exists on Win2003 DC and applies, however, I was pissed to see on
Microsoft's website, "this right does not apply to plug-n-play
drivers." What gives?! It works for Win2k, but permission denied to
load drivers on Win2003 Server. Is there another group policy or
right somewhere I can use to permit non-admin users to load drivers
on DC?

shed some light pleeeeeez.

Hi "dude"

Thanks for the "heads up" on this one!

Like yourself we use this policy in our Windows 2000 forest to allow
overseas support staff to do maintenance on domain controllers without
giving them domain admin or server operator privilege.

I'm in the midst of working on a plan/design for our Windows 2003 migration,
and if what you say is the case then this would be a major headache.

I'll have a play in our test lab next week sometime and perhaps have a chat
with Microsoft PSS.

Best Wishes