Issue with implementing group policy to allow users to install Fonts
-
Friday, January 15, 2010 3:40 PM
I'm running Windows SBS 2008 and my clients are predominately Windows 7 with some Vista and XP machines. I want to be able to configure a group policy so that regular users can install Fonts without having an administrator come over to input their username and password.
I've currently created a policy to allow Domain Users full access to folders:
%systemroot%\fonts
%systemroot%\system32\FNTCACHE.dat
and registry key:
KLM\Software\Microsoft\Windows NT\Current Version\Fonts
This is how I understand it if you want to allow users to install Fonts, give them access to these directories and registry key and you are good. The policy has pushed successfully as I see the permissions have changed on the folders but the regular users still get prompted to input an administrative login and password.
I also created a test OU in Active Directory and created a new Group Policy group that had only this one policy in it to ensure that none of my other group policies were affecting it but still no luck. Can anyone help out on this?
All Replies
-
Friday, January 15, 2010 4:04 PM
Take a look at this, it might help:
http://kudratsapaev.blogspot.com/2009/07/installing-program-as-simple-user-or.html
-
Monday, January 18, 2010 2:31 PM
Thank you for replying but I'm looking for more of a way to allow them to install fonts only and not be able to install anything else. This looks like a solution to be able to give users access to be able to install any and all types of programs. I only want them to be able to add their own fonts. I know there is a way to do this but just not sure why this isn't working on my server.
-
Wednesday, January 20, 2010 12:48 PM
Moderator
Hi,
You may try the following suggestions:
How To Install Fonts in Windows Without Administrator Power
http://www.dailygyan.com/2008/05/how-to-install-fonts-in-windows-without.html
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
-
Thursday, January 21, 2010 10:18 PM
Well I'm making some progress here but not all the way there yet. One issue that is stopping me is the User Account Control (UAC) on Windows 7. Once I took off the restrictions under the UAC to never notify, it tries to install but then comes up with the error:
"Cannot install *.ttf
The files c:\Users\username....\*.ttf does not appear to be a valid font."
The * is whatever font I try to install as a regular user. Once I login as an administrator, I don't get that error to come up.
I went and looked at winlogon.txt file under c:\windows\security\logs and this error comes up
"Configure c:\windows\fonts.
Warning 5: Access is denied.
Error setting security on c:\windows\fonts
Configure c:\windows\system32\fntcache.dat.
File Security configuration was completed successfully."
So now this tells me it's an issue with permissions on the Font folder. The crazy thing is that this policy pushes down correctly but doesn't change the permissions on the Font folder. When I go and look at the font folder, I can't even pull up the permissions on it, even as an admin. The only options that come up are General and Previous Versions. Anyone know why that is?
-
Tuesday, March 16, 2010 5:14 PM
I am also looking for a way for students to install fonts for a graphics arts program. We really do not want to give admin rights out... but not looking to have to go to each computer to install a font each time they need a new font.
-
Wednesday, March 24, 2010 10:17 PM
Hi NMERSMAN,
I too am looking for a solution to this problem:
UAC stops standard users from installing fonts
I have been further down the permissions path than you were at your last post. Under XP it was simply a matter of changing the permissions on %windir%\fonts to allow Users or Authenticated Users Change access with any of the tools, including Explorer, Xcacls etc., and we implemented it in Group Policy.
Under Vista and Windows 7 all system files have been installed by and are owned by the account NT SERVICE\TrustedInstaller - do dir /q on the folder. Administrators only have Change access and Users RX permissions. This I assume is how all system files are set up in Windows 6.x. Also, Explorer no longer lists the Security tab for some system folders.
I tried using TAKEOWN to set the Administrators as owner of the folder and all files:
takeown /s %PC_Name% /f %Windir%\fonts /a
followed by
takeown /s %PC_Name% /f %Windir%\fonts\*.* /a /r
Then granting Administrators Full and Users Change with ICACLS:
icacls %Windir%\fonts /grant:r Administrators:F Users:M /t /c
All to no avail. UAC still prompts for administrator credentials when a standard user account is used to install fonts. It's because the UAC has been set to use RunAsAdmin privilege and it appears this can't be changed.
However you'll see from my thread above that there is a workaround provided by a third party utility! But the fonts installed are not persistent between user sessions. But with a bit of batch or logon script or GPO VBS tinkering it should be possible to install fonts for every session.
Chris
-
Wednesday, April 07, 2010 3:11 PM
Well I'm making some progress here but not all the way there yet. One issue that is stopping me is the User Account Control (UAC) on Windows 7. Once I took off the restrictions under the UAC to never notify, it tries to install but then comes up with the error:
"Cannot install *.ttf
The files c:\Users\username....\*.ttf does not appear to be a valid font."
The * is whatever font I try to install as a regular user. Once I login as an administrator, I don't get that error to come up.
I went and looked at winlogon.txt file under c:\windows\security\logs and this error comes up
"Configure c:\windows\fonts.
Warning 5: Access is denied.
Error setting security on c:\windows\fonts
Configure c:\windows\system32\fntcache.dat.
File Security configuration was completed successfully."
So now this tells me it's an issue with permissions on the Font folder. The crazy thing is that this policy pushes down correctly but doesn't change the permissions on the Font folder. When I go and look at the font folder, I can't even pull up the permissions on it, even as an admin. The only options that come up are General and Previous Versions. Anyone know why that is?
I am at this exact place too, NMERSMAN. Any update?
-
Sunday, April 11, 2010 9:50 PM
Hi Ohiobearsfan,
If you read my last post you'll see that some System Folders have different treatment since Windows 6.x - Vista, Win7, 2008 etc.
If you look at the other thread I started about font installation you'll see that I have given up on this one.
Good luck,
Chris
-
Friday, April 16, 2010 9:46 AM
Hi Ohiobearsfan,
I too have an issue like what you are facing. Even though I am an admin I am not able to select the fonts through Windows\fonts\*.ttf. I tried with all permissions and am still not able to solve the issue with the fonts folder in Windows 7.
If you have any solution or ideas, let me know.
Thanks & regards,
Shrikanth GC
Thanks & regards, Shrikanth GC
- Proposed As Answer by Tord Bergset Monday, April 19, 2010 12:50 PM
- Unproposed As Answer by NMERSMAN Monday, April 19, 2010 4:26 PM
-
Monday, April 19, 2010 1:32 PM
Try this:
From command prompt:
ren %windir%\fonts\nameoffonttoreplace.ttf nameoffonttoreplace.ttf.old
copy newfont.ttf %windir%\fonts\newfont.ttf
After the server boots the next time you will be able to clean up by deleting old file:
del %windir%\fonts\nameoffonttoreplace.ttf.old
-
Monday, April 19, 2010 4:24 PM
Well what a pain in the ____ this all is. I do like the functionality of UAC but it does add a headache here.
The way that I found around this was to disable the UAC. Go under the Control Panel > User Accounts > Change User Account Control settings. Once this screen comes up, select it to "Never Notify". This is the very bottom selection.
Now you have to ensure that your users have the correct access to Font Directory / registry. You will notice that the Font Directory is a System folder and you can't view or change who has permissions. You can change this by going to a command prompt, ensure you open it by right clicking and selecting "Run as Administrator", and then type in attrib -r -s %systemroot%/fonts. This will remove the System folder settings.
Now you have to take ownership of the directory so you can add your users to have access to that directory. Don't forget to give them access to %systemroot%/system32/FNTCACHE.dat and registry setting KLM\Software\Microsoft\Windows NT\Current Version\Fonts.
Basically all of these things can be done via group policy but it's multiple steps. I'm going to test this out with a couple of test users and see if I see any issues with it before I push it out to my network via group policy.
Once this is all done, reboot your machine. Now your users can install fonts on Vista or Windows 7. What a pain.
If someone finds a way to allow this to work with UAC, please let me know. As I understand it, disabling UAC will make me log off users to install needed software and it gives me a less secure desktop. Is this how everyone else sees it?
- Marked As Answer by NMERSMAN Monday, April 19, 2010 9:07 PM
-
Thursday, April 22, 2010 6:07 PM
Did you try my commands after opening command prompt using "run as administrator"?
ren %windir%\fonts\nameoffonttoreplace.ttf nameoffonttoreplace.ttf.old
copy newfont.ttf %windir%\fonts\newfont.ttf
After the server boots the next time you will be able to clean up by deleting old file:
del %windir%\fonts\nameoffonttoreplace.ttf.old
-
Friday, April 23, 2010 7:59 PM
No Tord, I didn't. When looking at your solution, this looks like a command for each individual font and not the font directory itself. Some of my users get 4 to 5 fonts to install a day, as they work in graphic design, and this would be a little too much and complex for them. I do appreciate the information though.
-
Thursday, May 13, 2010 5:11 PM
Thank you Nmersman!
Your solution is the only one I found that worked fully.
I codified your answer using your directions and others that I found.
-----------------------------------------------------------------------------------------
Log on as administrator. Open command prompt as admin.
attrib -r -s %systemroot%\fonts
takeown /f "%systemroot%\fonts" /r /d n
(optional - gives administrators full rights on the fonts folder): icacls "%systemroot%\fonts" /grant administrators:F /t
You can now add or change permissions on the Fonts folder like any regular folder.
Give user(s) modify access to %systemroot%\Fonts
icacls "%systemroot%\fonts" /grant USERNAMEorGROUP:M /t
Give user(s) modify access to %systemroot%\system32\FNTCACHE.dat
icacls "%systemroot%\system32\FNTCACHE.dat" /grant USERNAMEorGROUP:M /t
Give user(s) modify access to HKLM\Software\Microsoft\Windows NT\Current Version\Fonts
- Proposed As Answer by Ohiobearsfan Friday, June 11, 2010 7:40 PM
-
Monday, May 31, 2010 9:35 AM
Hi ticktack,
I tried all of that back in March and it achieves nothing as the UAC still insists on controlling the installation of fonts for non admin users. The problem is not the font permissions or ownership (as it was in XP) but the application which installs the fonts - Fontview.exe. Windows 7 will only allow installing with Admin privilege.
The temporary (ie per session) solution I talked about before here (and in the other thread) using RegisterFont is the only workable solution other than turning off the UAC which ain't gunna happen in a Government network! (yes I'm an aussie! :))
But we'll all keep trying.
Chris
-
Friday, June 11, 2010 7:40 PM
This worked for us! Thank you.
However, when installing a Post Script Font, the user gets the "not a good font file" message?
Any additional permissions changes for Post Script?
Thoughts?
-
Thursday, August 26, 2010 2:40 PM
> If someone finds a way to allow this to work with UAC, please let me know
I found three ways
Prerequisite for 1 and 3: Apply the ACLs to c:\windows\fonts and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts using GPOs. Please note: To correctly apply to the folder, we have to use the option "Configure this file or folder, then replace existing permissions...", the other option does not work for some reason. Afterwards you can...
1) Use a different fontview.exe that does not trigger UAC. Take http://www.gljakal.com/fontviewer/fontview_setup.exe or
2) Deploy a scheduled task that uses system rights and is set to run with highest privileges. Have it start a batch file that copies a given list of fonts to c:\windows\system32 using a for-loop. This way you can also modify the registry. The font list has to be writeable by the user, the batch itself must be read only. or
3) Deploy a shim to remove the UAC trigger from windows' fontview.exe. See http://technet.microsoft.com/en-us/library/dd837648(WS.10).aspx
I am sure, all 3 will work although I only tested 1). 1) is the quickest but I would prefer 3) because it does not use non-system executables.
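Option 2 has a task running as SYSTEM read a list that standard users can write, so every entry has to be treated as untrusted input. The PowerShell script below is an added example, not code from this thread: the paths `C:\FontDrop` and `C:\FontStage`, the `.ttf`-only restriction, the destination `%windir%\Fonts` and the use of the file name as the registry display name are all assumptions. It accepts only bare file names, validates a private copy so the file cannot be swapped after the check, and never overwrites an existing font.

```powershell
# Added example (not from the thread). Intended to run as SYSTEM from the scheduled task.
# Assumed paths: C:\FontDrop is user-writable; C:\FontStage is writable by SYSTEM/admins only.
$ErrorActionPreference = 'Stop'
$DropDir  = 'C:\FontDrop'
$ListFile = Join-Path $DropDir 'fonts.txt'      # one bare file name per line
$StageDir = 'C:\FontStage'
$FontsDir = Join-Path $env:windir 'Fonts'
$RegKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'

function Test-TrueTypeSignature {
    param([string]$Path)
    # A TrueType (sfnt) file starts with the version bytes 00 01 00 00.
    $fs = [IO.File]::OpenRead($Path)
    try { $head = New-Object byte[] 4; $read = $fs.Read($head, 0, 4) } finally { $fs.Dispose() }
    return ($read -eq 4) -and ([BitConverter]::ToString($head) -eq '00-01-00-00')
}

foreach ($line in Get-Content -LiteralPath $ListFile) {
    $name = $line.Trim()
    if ($name -eq '') { continue }
    # Bare name only: no drive, path separator, stream (:) or traversal; .ttf required.
    if ($name -notmatch '^[\w .\-]+\.ttf$') { Write-Warning "Rejected entry: $name"; continue }
    $src  = Join-Path $DropDir $name
    $dst  = Join-Path $FontsDir $name
    $item = Get-Item -LiteralPath $src -Force -ErrorAction SilentlyContinue
    if (-not $item -or $item.PSIsContainer -or $item.Length -gt 50MB -or
        ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        Write-Warning "Skipped (missing, not a plain file, or too large): $name"; continue
    }
    if (Test-Path -LiteralPath $dst) { Write-Warning "Already installed, not overwritten: $name"; continue }

    # Copy first, then validate the private copy, so the user cannot swap the file after the check.
    $staged = Join-Path $StageDir ([Guid]::NewGuid().ToString() + '.ttf')
    Copy-Item -LiteralPath $src -Destination $staged
    if (-not (Test-TrueTypeSignature $staged)) {
        Remove-Item -LiteralPath $staged
        Write-Warning "Not a TrueType file: $name"; continue
    }
    # Copy (not move) into Fonts so the new file inherits the Fonts folder ACL.
    Copy-Item -LiteralPath $staged -Destination $dst
    Remove-Item -LiteralPath $staged
    # Registry value in the form used in this thread: "<name> (TrueType)" = file name.
    $display = [IO.Path]::GetFileNameWithoutExtension($name) + ' (TrueType)'
    New-ItemProperty -Path $RegKey -Name $display -Value $name -PropertyType String -Force | Out-Null
}
```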
-
Tuesday, December 07, 2010 11:15 PM
Hi All,
While this is not really a group policy solution, it is a solution that will let your users install fonts...
A developer has created a utility which does not rely on .Net and will install fonts for the login session - it can be found here:
http://marshwiggle.net/regfont/
PS. you just need to type regfont *.* for it to register all fonts in that directory, and obviously this can be put into a batch file, into the startup in windows, or scripted some other way.
Enjoy
Asaf -
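The per-session approach described in the posts above needs no change to the Fonts folder ACLs and no UAC change, because the Win32 call `AddFontResource` can be made by a standard user. The PowerShell function below is an added example, not the regfont utility's code and not code from this thread; the folder `%USERPROFILE%\Fonts` and the function name `Register-SessionFont` are assumptions.

```powershell
# Added example: register fonts for the current session only, as a standard user.
Add-Type -Namespace Native -Name Gdi -MemberDefinition @'
[DllImport("gdi32.dll", CharSet = CharSet.Unicode)]
public static extern int AddFontResourceW(string lpFileName);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr SendMessageTimeout(
    IntPtr hWnd, uint Msg, UIntPtr wParam, IntPtr lParam,
    uint fuFlags, uint uTimeout, out UIntPtr lpdwResult);
'@

function Register-SessionFont {
    param([Parameter(Mandatory = $true)][string]$Folder)

    $added = 0
    foreach ($file in Get-ChildItem -LiteralPath $Folder -Filter *.ttf) {
        # AddFontResourceW returns the number of fonts added; 0 means the file was not loaded.
        $n = [Native.Gdi]::AddFontResourceW($file.FullName)
        if ($n -gt 0) { $added += $n } else { Write-Warning "Could not load $($file.Name)" }
    }

    if ($added -gt 0) {
        # Broadcast WM_FONTCHANGE (0x001D) to top-level windows (HWND_BROADCAST = 0xFFFF)
        # so running applications refresh their font lists. SMTO_ABORTIFHUNG = 0x0002.
        $result = [UIntPtr]::Zero
        [void][Native.Gdi]::SendMessageTimeout([IntPtr]0xFFFF, 0x001D, [UIntPtr]::Zero,
            [IntPtr]::Zero, 0x0002, 1000, [ref]$result)
    }
    return $added
}

# Assumed per-user folder; nothing is written to %windir%\Fonts or HKLM.
Register-SessionFont -Folder (Join-Path $env:USERPROFILE 'Fonts')
```

Fonts registered this way are not persistent between sessions, so the call belongs in a logon script, as the posts above suggest.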
Wednesday, August 03, 2011 3:41 PM
Has anyone made this work?
I cannot disable UAC, and I cannot install third-party executables. We need users to be able to install fonts without giving them administrative privileges. This shouldn't be difficult.
Two posts up, someone mentioned "shims". Frankly, after looking through that link, I'm no better off than I was before. It looks like information which might be useful to a developer, which I am not. Since fixing this issue ought to be pretty universal, has someone created such a "shim" that can be downloaded? Or is there any chance of Microsoft fixing this issue properly?
-
Friday, October 14, 2011 4:46 AM
Hi, can you tell me how you did it, step by step? How did you give access to install fonts only by group policy?
-
Monday, November 07, 2011 5:28 AM
Can you tell me how you did it, step by step, please...
-
Wednesday, March 14, 2012 2:13 PM
I have a problem with good facilities in Windows 7 sources are not the same
Settling
I spend my bat and my script the same load on the computer but does not appear...
bat
attrib -r -s %systemroot%\fonts
takeown /F %systemroot%\fonts\ /A
cacls %systemroot%\fonts /E /G Usuarios:F
Script
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "xcopy.exe ""\\server\instalar\V100020_.TTF"" ""C:\windows\fonts"" /C /I /S /E /H /Y /Q", 1, True
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\C39HrP36DmTt (TrueType)", "V100020.TTF", "REG_SZ"
but only with Windows 7; with XP there are no problems.
Thank you very much in advance!
-
Wednesday, March 14, 2012 4:25 PM
The following scheme has now worked for me; this is my script.
attrib -r -s %systemroot%\fonts
takeown /F %systemroot%\fonts\ /A
cacls %systemroot%\fonts /E /G Usuarios:F
' ****************************************************************************
' Copy Fonts From Network Share To C:\WINDOWS\FONTS Folder Of Workstation
' ****************************************************************************
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "xcopy.exe ""\\Server\instalar\V100020.TTF"" ""C:\windows\fonts"" /C /I /S /E /H /Y /Q", 1, True
' ****************************************************************************
' Imports The Registry Information For The New Fonts - Add A New Line For Each New Font
' Example : WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\%FONT REG KEY%", "%FONT REG KEY ENTRY%", "REG_SZ"
' ****************************************************************************
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\C39HrP36DmTt (TrueType)", "V100020.TTF", "REG_SZ"
My error was in the _ that I put in the value of the RGZ. I am attaching this to help anyone who needs to carry out a similar task.
-
Thursday, March 22, 2012 11:50 AM
Try this one for Windows 7 :-)
http://www.cloudtec.ch/blog/tech/install-font-command-line-script-windows-7.html
/Tord
-
Wednesday, March 27, 2013 3:32 PM
I had this exact same issue and was never able to allow standard users to install fonts. I created shims, modified permissions, everything. I did get the fonts to deploy with Group Policy Software Installation. It takes me about 5 minutes to deploy any number of fonts. Now, we have our staff members save fonts in a central location for deployment.
I documented the process here: http://deployhappiness.com/2013/03/installing-fonts-with-group-policy/
If this helps you, just let me know.
If my answer helped you, check out my blog (and subscribe): DeployHappiness.com

