none
"access denied" when trying to install drivers with Admin credentials

    Question

  • In our domain we have some Group Policies in place to turn off UAC and set local group memberships to:

    BUILTIN\Administrators group contains:
    <domain>\Domain Admins
    <domain>\XX-PC-Admin
    <local admin>

    BUILTIN\Power Users is defined with no members

    BUILTIN\Users group contains:
    <domain>\XX-PC-Users

     

    Now I don't know if UAC or the security permissions above would cause this issue but I've included it for reference. On our Windows 7 computers, a user with local admin rights gets an "Access Denied" error when they try to install any drivers, regardless of if they are signed or un-signed. We know this is not an incompatibility between the driver in question and Windows 7 because we can successfully install the driver on a Windows 7 computer that is NOT joined to the domain.

     

    Does anyone know of a policy/permission that would prevent a user with Admin permission from installing a driver? More info can be provided if requested.

    Thursday, September 30, 2010 10:48 PM

Answers

  • Hi,

     

    Since it’s not related to the UAC setting, I would like to recommend you check the group policy. Because the group policy would influence the user settings.

     

    On the problematic computer,  run cmd as administrator, input “GPRESULT /H GPRESULT.HTML” , then upload the GPRESULT.HTML to me.

     

    Below are the steps to create and view your workspaces for your reference:

     

    1. Access the following URL:

    https://filexfer.partners.extranet.microsoft.com/Default.aspx

     

    2. Click “Create Workspace” blue button in the left.

    3. In Create Workspace,

    Folder Option: Asia

    Customer Email: Your email address

    Check the checkbox

    Type your name for example: Adams Qu in the blank form.

    Click Submit button.

     

    4. Click View Workspaces blue button in the left side.

    5. Click the External URL link in the External URL column to get the URL for customer and password in the Password column.

    6. Send the following email to the customer:

     

    =======================

     

    For your convenience, I have created a workspace for you.  You can upload the information files to the following link.  (Please choose "Send Files to Microsoft")

     

    Workspace URL: (https://sftasia.one.microsoft.com/choosetransfer.aspx?key=2ae67f8d-8c01-4a90-bfd6-f9e5ab1cfbe6)

    Password: P$t^]U)TQGh2ptAC

     

    Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken.  Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser.

     

    Best Regards,

    Miya Yao

    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, October 05, 2010 2:49 AM
    Moderator

All replies

  • Hi,

     

    Thanks for posting in Microsoft TechNet Forum.

     

    As I understand that you encounter the situation that the local administrator cannot install any drivers.

     

    With UAC enabled, members of the local Administrators group with the same access token as standard users, it means, have the limited administrative privileges and user rights, they cannot install or uninstall applications that install into %systemroot%. Only when a member of the local Administrators group gives approval can a process use the administrator’s full access token.

     

    I recommend you disable the UAC to see if it works, if works, please give the approval to the local administrator and enable UAC again for security.

     

    Please feel free to give me any update.

     

    Best Regards,

    Miya Yao

    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, October 01, 2010 3:19 AM
    Moderator
  • We have already turned OFF UAC for all domain workstations as a permanent setting.

     

    Any ideas if UAC isn't the cause?

    Friday, October 01, 2010 4:28 PM
  • Hi,

     

    Since it’s not related to the UAC setting, I would like to recommend you check the group policy. Because the group policy would influence the user settings.

     

    On the problematic computer,  run cmd as administrator, input “GPRESULT /H GPRESULT.HTML” , then upload the GPRESULT.HTML to me.

     

    Below are the steps to create and view your workspaces for your reference:

     

    1. Access the following URL:

    https://filexfer.partners.extranet.microsoft.com/Default.aspx

     

    2. Click “Create Workspace” blue button in the left.

    3. In Create Workspace,

    Folder Option: Asia

    Customer Email: Your email address

    Check the checkbox

    Type your name for example: Adams Qu in the blank form.

    Click Submit button.

     

    4. Click View Workspaces blue button in the left side.

    5. Click the External URL link in the External URL column to get the URL for customer and password in the Password column.

    6. Send the following email to the customer:

     

    =======================

     

    For your convenience, I have created a workspace for you.  You can upload the information files to the following link.  (Please choose "Send Files to Microsoft")

     

    Workspace URL: (https://sftasia.one.microsoft.com/choosetransfer.aspx?key=2ae67f8d-8c01-4a90-bfd6-f9e5ab1cfbe6)

    Password: P$t^]U)TQGh2ptAC

     

    Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken.  Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser.

     

    Best Regards,

    Miya Yao

    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, October 05, 2010 2:49 AM
    Moderator
  • Hi,

     

    Do you resolve the problem?

     

    Please feel free to give me any update.

     

    Regards,

    Miya  


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, October 07, 2010 9:16 AM
    Moderator
  • I have run into the same problem after deploying a captured and sysprepped image. I've found the problem to be the permissions on the c:\windows\system32\driverstore\*.dat files, but I haven't found a fix yet. I also figured out to set the permissions manually on these files and it solves the problem, but the permissions are deleted when the computer restarts. Has anyone figured this out yet?

    Tuesday, August 14, 2012 2:46 PM