Stack Exchange Network
Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Device manager access for non admins
Windows 7, 64bit.
Is it possible to allow non admins access to edit the device manager?
Currently when logged in as a non admin and I try to access the device manager I see the following;
I have tried to make the changes in gredit.msc but they don't seem to make any difference.
local computer policy > computer configuration > windows settings > security settings > local policies > user rights assignment > Load and unload device drivers > add specific user/group
The only thing that works is by adding my non admin user into the admin user group, this works fine. I'd rather not do this though, I'd prefer to give them access to the device manager only .
Any advice is appreciated.
- group-policy
- device-manager
- administration
- Changing the local group policy will have zero effect if the machine is connected to a domain. Is that the case? I currently have access to the device manager, and I am logged into a domain controlled machine, as a normal user. So is it possible: YES – Ramhound Commented Feb 11, 2016 at 17:14
- It's connected to an AD domain yes. However I have full admin control over the PC – jonboy Commented Feb 11, 2016 at 17:15
- You are a local user. You being a local Administrator on the machine means nothing if you are a normal user on the domain itself. A group domain policy overrides a local group policy always. Relevant Microsoft Documentation – Ramhound Commented Feb 11, 2016 at 17:17
- So is there any way I can resolve my issue? – jonboy Commented Feb 12, 2016 at 9:06
- As a non-administrator domain user, no, request your role be changed to an administrator – Ramhound Commented Feb 12, 2016 at 18:03
Try this im Curious.
If it does not work let me know I dont have a non admin account at my work desk.
Open a Text file and save the code below as DeviceManger.bat
Run the .bat and press 1 and hit Enter .
- Thanks @NetworkKingPin - I'm very keen to try this! Can you tell me what this does? Before I mess up my PC completely lol – jonboy Commented Feb 12, 2016 at 9:23
- Basically it Pushes you to get admin privileges if you do not have them already. The code is safe i use it very often to elevate my batch scripts in my work place. First it tries to get admin access if denied it provides it temp Admin Access. And it wont kill your pc. – NetworkKingPin Commented Feb 12, 2016 at 9:24
- There is nothing in that script that would change the user group of a user – Ramhound Commented Feb 12, 2016 at 18:02
You must log in to answer this question.
Not the answer you're looking for browse other questions tagged windows-7 group-policy device-manager administration gpedit ..
- The Overflow Blog
- The world’s largest open-source business has plans for enhancing LLMs
- Featured on Meta
- User activation: Learnings and opportunities
- Site maintenance - Mon, Sept 16 2024, 21:00 UTC to Tue, Sept 17 2024, 2:00...
Hot Network Questions
- Browse a web page through SSH? (Need to access router web interface remotely, but only have SSH access to a different device on LAN)
- Very simple CSV-parser in Java
- How can I make the curves react to the texture's values?
- How was Adam given the 7 Noahide laws without animals or women in existence?
- What is the oldest open math problem outside of number theory?
- The consequence of a good letter of recommendation when things do not work out
- Is it ok for a plugin to extend a class in some other module without declaring the other module as a dependency?
- Stuck as a solo dev
- Are positive definite linear operator always invertible?
- I am an imaginary variance
- Which cartoon episode has Green Lantern hitting Superman with a tennis racket and sending him flying?
- Boon of combat prowess when you can only attack once
- Rich Mental Images
- Function with memories of its past life
- Is it really a "space walk" (EVA proper) if you don't get your feet wet (in space)?
- Arduino Uno Serial.write() how many bits are actually transmitted at once by UART and effect of baudrate on other interrupts
- XeLaTeX does not show latin extended characters with stix2
- What would a planet need for rain drops to trigger explosions upon making contact with the ground?
- 120V on fridge door handle when ground broken
- Could a Gamma Ray Burst knock a Space Mirror out of orbit?
- A coworker says I’m being rude—only to him. How should I handle this?
- Convert base-10 to base-0.1
- Copyright on song first performed in public
- crontab schedule on Alpine Linux runs on days it's not supposed to run on
Stack Exchange Network
Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Task manager requiring elevation for regular users in Windows 10
Run into a little bit of a snag with Windows 10, and it's a fairly well known one - the problem is that I'm struggling to find a Windows 10 compatible fix that actually works!
It's the old "regular users have to input their password to load task manager" chestnut again. How, exactly, do I work around this? Seeing as that inputting any valid credentials in gives you access to the task manager, I don't see why this is needed. I've mucked around with the UAC GPOs to try and get it to work, but that hasn't helped. I've also tried to start task manager with Windows, which in itself would be ideal as I can do that without elevation - but I can't see how to start it minimized, as everything I've seen simply doesn't take effect.
Any solutions would be much appreciated. As to why our users need task manager; well, Microsoft Office likes to tie itself in knots every now and again. It's much better for everyone's productivity to be able to actually kill the rogue tasks themselves!
- task-manager
- Can you be more specific? I can log onto Windows 10 with a standard (non admin user) and Task Manager opens just fine (?). – Bill_Stewart Commented Feb 27, 2017 at 21:31
- I know, that's what it should be doing. But for whatever reason, probably an old GPO somewhere, we don't get that - it prompts for a password if you're not an admin! – Luke Milum Commented Mar 1, 2017 at 8:38
- What password does it prompt for? Is it a UAC prompt? (Please be more specific.) – Bill_Stewart Commented Mar 3, 2017 at 19:36
- It is a UAC prompt, yes. It asks for admin details, but in fact it is actually just fine with any user, as long as the details are correct. Interestingly enough, I've only observed this behaviour on our Windows 10 Anniversary edition computers - the one remaining on version 1511 (which has a broken taskbar... still) worked just fine, even with the same GPOs! – Luke Milum Commented Mar 6, 2017 at 10:49
- Build a brand new Windows 10 machine, do not join it to a domain, and update it fully. Do you see the behavior? If not, then you know the behavior is likely caused by one of the GPO settings. – Bill_Stewart Commented Mar 6, 2017 at 17:44
3 Answers 3
Run this, and logoff/on
If you have Admin rights and run this then some commands [e.g. gpedit.msc] will no longer auto-elevate and you will need to "Run as Administrator"
- Didn't work on W10_1803 – CMy Commented Jul 30, 2018 at 14:58
Finally I have found the solution to this. Props go to a reddit post .
The issue is with the group policy "load and unload device drivers". Computer configuration -> Policies -> windows settings -> security settings -> local policies -> user rights assignment -> load and unload device drivers.
if this is set to a group the limited user is a member of (everyone, domain users, etc) then the prompt is displayed. if you set it instead to Administrators, the prompt is suppressed and everything works fine. I am not sure the ramifications of changing this value as it has been set for us since time immemorial. Seems to have to do with accepting unsigned device drivers. If everything suddenly stops working then i will have to set it back, but the setting goes all the way back to win2k so it may no longer be relevant (except to F up my shiz)...
I've had this problem for past 4 months. I used to be a domain admin and removed that from my daily account. It was driving me mad getting UAC prompted for basic tasks like you mentioned. I finally took a deeper look at my group memberships. The key for me was looking at indirect (nested) memberships (I used Adaxes to do so, not sure best way to do so using standard AD tools). My account was a member of Group Policy Creator Owners. After removing that, doing gpupdate and finally a reboot I was able to launch stuff like Event Viewer, Task Manager, etc without the UAC prompt!!
You must log in to answer this question.
Not the answer you're looking for browse other questions tagged windows-10 uac task-manager ..
- The Overflow Blog
- The world’s largest open-source business has plans for enhancing LLMs
- Featured on Meta
- User activation: Learnings and opportunities
- Site maintenance - Mon, Sept 16 2024, 21:00 UTC to Tue, Sept 17 2024, 2:00...
Hot Network Questions
- 1950s comic book about bowling ball looking creatures that inhabit the underground of Earth
- Will there be Sanhedrin in Messianic Times?
- How to make a soundless world
- How to change my document's font
- Is it really a "space walk" (EVA proper) if you don't get your feet wet (in space)?
- Python script to renumber slide ids inside a pptx presentation
- A coworker says I’m being rude—only to him. How should I handle this?
- How was Adam given the 7 Noahide laws without animals or women in existence?
- Arduino Uno Serial.write() how many bits are actually transmitted at once by UART and effect of baudrate on other interrupts
- Enumerate in Beamer
- press the / key to isolate an object, my blueprint background images also disappear
- How do I annotate a molecule on Chemfig?
- Browse a web page through SSH? (Need to access router web interface remotely, but only have SSH access to a different device on LAN)
- If one is arrested, but has a baby/pet in their house, what are they supposed to do?
- I am an imaginary variance
- Can't find AVI Raw output on Blender (not on video editing)
- Are positive definite linear operator always invertible?
- Can the concept of a perfectly good God creating beings vulnerable to sin be philosophically justified?
- What properties of the fundamental group functor are needed to uniquely determine it upto natural isomorphism?
- Is it true that before European modernity, there were no "nations"?
- Find conditions for a cubic to have three positive roots without explicitly using the Root objects?
- Is Entropy time-symmetric?
- Little spikes on mains AC
- Where are the DC-3 parked at KOPF?
WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Load and unload device drivers
Load and unload device drivers
AKA: SeLoadDriverPrivilege, Load and unload device drivers
Default assignment: Administrators
This highly sensitive right allows you to load executable code into kernel mode where device drivers run. Code running in kernel mode is fully trusted and not subject to normal Windows security restrictions. This right would allow malicious code to be installed into the systems Trusted Computing Base. For XP and Windows Server 2003 documentation is conflicting on whether this right is required to install drivers for plug and play devices. XP says it is required for PnP; 2003 says it does not apply to PnP. MS KB 219435 indicates you do not need this right as long as the PnP device “is supported hardware with a Plug and Play device ID to driver match.”
You may be able to install device drivers if you have this right but unless you are an administrator the change will not be persistent; you will have to reinstall the driver each time you connect the device.
Back to top
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | Load and unload device drivers |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • |
Tim’s Tech Blurbs Tim’s tech ramblings about Intune, Modern Management, Powershell and every thing else. How to move Windows 10 User Rights Assignment to Endpoint Manager / IntuneShould you change the default user rights assignments in Windows 10? That’s the question. If you ask my college the AD expert, he will tell you to run away and don’t even think about changing the defaults. (He will back it up with some pretty funny stories as well about who someone did it and locked out a company and maybe even a ship) If you ask the Security team, the answer is a yes. We should set them. Let taks a look. We will start at my favourite site. The Windows 2004 security baseline. MS recommend quite a few setting to be applied. When we add another baseline from the Security team we end up with the table below.
First things first. Let’s check the CSP and see what we need to do. To note, you can user the nice name for the account. (i.e Administrators). But we have ever lanuguage under the sun. So we need a better way to define the accounts. Lets check the Well know SID Structures for what we need. Lets start with the local administrator. When you check for the SID, be sure to look for the BUILTIN groups and not the domain Groups. Looking at the table the SID is S-1-5-32-544. Now we check the local account and we get S-1-5-113.
So Lets set up a polcy. Lets open Endpoint Mananger. Goto Devices -> Configuration Profiles. Select Add new. Select “Windows 10 and Later” and Custom in the profile  Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save.  Lets Start with “Load and unload device drivers.” Select Add on the next Page. Enter in the name for the setting. I am preceding the name with URA (for User Rights Assignment). In the OMA-URI after in ./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers The Data Type should be string. Andter in the desired SID for the setting. In this case it will be *S-1-5-32-544. (Add the * in before to distinguish its a SID) Pres Save.  Done. What’s next. Lets go “Access Credential Manager as a trusted caller”. According the baseline no one should have access to this. But how do we define it so no one can access it. Well don’t press save with a blank field. It will fail (I learn the hard way) Add a new one and add in the name URA – Access Credential Manager as a trusted caller. Then for the OMA-URI enter in ./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller. Select String again. In the data field I have set the value as </>. If you leave it black you get an error when saving it. Its really annoying if you have added 20 on and then relies they have all failed.  Repeat until you have added them all in. Select Next, and then assign them to your test group. Sync your device, and reboot. You should also do the testing on a test machine. Just in case you lock your self out.
How can you check the User rings assignments have worked? Lets ask Mark. He usually know these things. Lets download AccessChk from here. https://docs.microsoft.com/en-gb/sysinternals/downloads/accesschk . It allows you to check various permissions fo r files register etc. We will use it with the -a to give us the Windows account right. Lets check SeSystemtimePrivilege or Change the System time. According to the baseline, only Admin and Local services should have this right. Lets run accesschk.exe -a SeSystemtimePrivilege Great the values are as we expect. What about the checking all the permissions. Let’s run accesschk.exe -a * to show all the permissions. Now all the rights look good. So lets plan to roll it out and hope we don’t become a funny storey for my college  Published by Tim WoodPrivacy overview. 
The Load and unload device drivers user right must only be assigned to the Administrators group.
This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Load and unload device driversApplies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8 This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer. Device drivers run as highly privileged code. Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the computer. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices. Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted. This policy setting is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic. Constant: SeLoadDriverPrivilege Possible valuesUser-defined list of accounts Default valuesNot Defined Best practices
GPO_name \Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment By default this setting is Administrators and Print Operators on domain controllers and Administrators on stand-alone servers. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
Operating system version differencesThere are no differences in the way this policy setting works between the supported versions of Windows that are designated in the Applies To list at the beginning of this topic. Policy managementThis section describes features, tools, and guidance to help you manage this policy. A restart of the computer is not required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Group PolicySettings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: Local policy settings Site policy settings Domain policy settings OU policy settings When a local setting is greyed out, it indicates that a GPO currently controls that setting. Security considerationsThis section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. VulnerabilityDevice drivers run as highly privileged code. A user who has the Load and unload device drivers user right could unintentionally install malicious software that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures. You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing. CountermeasureDo not assign the Load and unload device drivers user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins. Potential impactIf you remove the Load and unload device drivers user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. User Rights Assignment Additional resources |
IMAGES
VIDEO
COMMENTS
Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" user right allows a user to load device drivers dynamically on a system. This could be used by an attacker to install malicious code.
User Rights Assignment. Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting.
This tutorial will show you how to change User Rights Assignment security policy settings to control users and groups ability to perform tasks in Windows 10. You must be signed in as an administrator to change User Rights Assignment.
local computer policy > computer configuration > windows settings > security settings > local policies > user rights assignment > Load and unload device drivers > add specific user/group. The only thing that works is by adding my non admin user into the admin user group, this works fine.
The issue is with the group policy "load and unload device drivers". Computer configuration -> Policies -> windows settings -> security settings -> local policies -> user rights assignment -> load and unload device drivers.
Load and unload device drivers. AKA: SeLoadDriverPrivilege, Load and unload device drivers. Default assignment: Administrators. This highly sensitive right allows you to load executable code into kernel mode where device drivers run.
Lets open Endpoint Mananger. Goto Devices -> Configuration Profiles. Select Add new. Select “Windows 10 and Later” and Custom in the profile. Let’s enter in a Logical name. “Windows 10 User Rights Assignment” and select Save. Lets Start with “Load and unload device drivers.”.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions.
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. The "Load and unload device drivers" user right allows device drivers to dynamically be loaded on a system by a user. This could potentially be used to install malicious code by an attacker. STIG.
This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer. Device drivers run as highly privileged code.