Give users permission to install fonts under Windows 7

    Question

  • I want to give non-admin users permission to install fonts in Windows 7. I've tried giving permission to the fonts folder and fontcache.dat file as seen in the policy below, but it is not working.

    Any help is greatly appreciated.

    -John

    File System
    C:\WINDOWS\FONTS
    Winning GPO: StudentsInstallFonts
    Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
    Owner
    Permissions
    Type  | Name                   | Permission       | Apply To
    Allow | CREATOR OWNER          | Full Control     | Subfolders and files only
    Allow | NT AUTHORITY\SYSTEM    | Full Control     | This folder, subfolders and files
    Allow | BUILTIN\Administrators | Full Control     | This folder, subfolders and files
    Allow | EXP\students           | Modify           | This folder, subfolders and files
    Allow | BUILTIN\Users          | Read and Execute | This folder, subfolders and files
    Allow inheritable permissions from the parent to propagate to this object and all child objects: Disabled
    Auditing
    No auditing specified
    C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
    Winning GPO: StudentsInstallFonts
    Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
    Owner
    Permissions
    Type  | Name                   | Permission       | Apply To
    Allow | CREATOR OWNER          | Full Control     | Subfolders and files only
    Allow | NT AUTHORITY\SYSTEM    | Full Control     | This folder, subfolders and files
    Allow | BUILTIN\Administrators | Full Control     | This folder, subfolders and files
    Allow | EXP\students           | Modify           | This folder, subfolders and files
    Allow | BUILTIN\Users          | Read and Execute | This folder, subfolders and files
    Allow inheritable permissions from the parent to propagate to this object and all child objects: Disabled
    April 15, 2010 17:17

Answer

  • I managed to get this working in XP by giving everyone write access to the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts - not sure if this works in Windows 7 though.
    April 20, 2010 15:03

All replies

  • Hi,

    it seems like there is no official and easy way to do this. Apparently, you have to be local administrator to do that. Have you seen the following discussion on this:

    http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/9a0938f5-9851-48bd-bbe8-8078647b6fd2

    hope that helps,
    Gunter

    April 15, 2010 20:09
  • Thanks for that link Gunther, not the answer I want but helpful.

     

    Best, John

     

    April 15, 2010 20:34
  • Hi,

    there is currently another discussion with the same topic:

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/fc178004-d0b0-40c3-b41a-da8129c8d3ef

    hope that helps.

    Gunter

    April 16, 2010 10:51
  •  

    Please try the following suggestions:

    How To Install Fonts in Windows Without Administrator Power
    http://www.dailygyan.com/2008/05/how-to-install-fonts-in-windows-without.html 

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    April 20, 2010 10:15
  • I managed to get this working in XP by giving everyone write access to the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts - not sure if this works in Windows 7 though.
    April 20, 2010 15:03
  • Thanks all, I think we've got this figured out. We are testing now and I'll post our solution once proven.

     

    Cheers-John

    April 20, 2010 15:49
  • Using what I read in other threads I figured out this solution and tested it working today on Windows 7 Enterprise.

    Let me know if it helps.

    -----------------------------------------------------------------------------------------

    Log on as administrator. Open command prompt as admin.

    attrib -r -s %systemroot%\fonts

    takeown /f "%systemroot%\fonts" /r /d n


    (optional - gives administrators full rights on the fonts folder):  icacls "%systemroot%\fonts" /grant administrators:F /t

    You can now add or change permissions on the Fonts folder like any regular folder.

    Give user(s) modify access to %systemroot%\Fonts

    icacls "%systemroot%\fonts" /grant USERNAMEorGROUP:M /t

    Give user(s) modify access to %systemroot%\system32\FNTCACHE.dat

    icacls "%systemroot%\system32\FNTCACHE.dat" /grant USERNAMEorGROUP:M /t

    Give user(s) modify access to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts
    May 13, 2010 17:25
  • This seems to work with TrueType Fonts, but not with Type 1 Fonts.  It will say they're invalid if I try to install them as a user, but they will install as an administrator.
    May 26, 2010 16:52
  • I suppose you don't have UAC on?
    December 2, 2010 10:28
  • No, this does not work with UAC. I've only found 1 solution to use UAC and admin rights. I've done a lot of searching and I don't think anyone has been able to get both.

    First you need a 3rd party font installer/viewer. AMP Font Viewer is good, it's free, in fact it's better than what Windows has: http://www.ampsoft.net/utilities/FontViewer.php

    Once installed, right click the shortcut, then left click Compatibility and select Run as administrator.

    Second you need to use ScriptLogic Privilege Authority. http://www.scriptlogic.com/ I use this program a lot to give basic users rights to certain .exe or folder paths. It uses GPO so it can push its policy right away to many machines, it's awesome. A good example is I allow users with this program to update Adobe Reader and Java since I can give them admin rights to those 2 things and NOT the whole machine.

    In Privilege Authority you create a policy to give admin rights to the AMP .exe.

    Now they can open the program, it will run as admin, and I have given them rights to do so. This allows them not to have full admin rights to the whole PC and it allows that 1 program to install fonts even with UAC enabled.

    December 7, 2010 22:41
  • @tacktick This basically worked, but after completing your steps, you cannot install fonts by copying them to c:\windows\fonts. To remedy this, run this command at the end:

    attrib +s %systemroot%\fonts

    @h0dg3s, I'm also only able to get this working with TTF/OTF fonts. Type 1 fonts (.PFM,.PFB) are only able to be installed by a user with admin rights. Annoying, but since most of my font install requests are from users with .TTF's, this still saves me some headaches.

     

    My complete steps are as follows:

     

    Run this first:

    attrib -r -s %systemroot%\fonts

    Now, go into the security tab for C:\Windows\Fonts

    Grant <DOMAIN>\administrator: Full control
    Grant everyone: r/w & modify permissions

    Go into security tab for C:\Windows\system32\FNTCACHE.dat

    Grant <DOMAIN>\administrator: Full control
    Grant everyone: r/w & modify permissions

    Open Regedit and navigate to:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts
    On that folder, right click > Permissions
    Grant everyone: full control

    Finally, run this to reenable installing fonts by copying to C:\Windows\Fonts

    attrib +s %systemroot%\fonts

    December 29, 2010 3:39
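
Added example (not part of any post in this thread): a read-only PowerShell check of the three objects whose permissions the steps above loosen, listing every Allow entry that gives write-level access to a principal outside an assumed baseline. The baseline list, the function name Get-BroadWriteAce and the English account names are assumptions for illustration.

```powershell
# Added example: read-only audit of the ACLs changed in this thread.
# Account names are the English defaults (assumption); adjust on localized systems.
$targets = @(
    "$env:SystemRoot\Fonts",
    "$env:SystemRoot\System32\FNTCACHE.DAT",
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
)

# Assumed baseline: principals expected to hold write-level access.
$baseline = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Write-level rights per object type, plus GENERIC_WRITE and GENERIC_ALL,
# which can appear as raw bits on inherit-only entries.
$generic  = 0x40000000 -bor 0x10000000
$fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-BroadWriteAce {
    param([string[]]$Path, [string[]]$Baseline)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { Write-Warning "Not found: $p"; continue }
        $acl   = Get-Acl -Path $p
        $isReg = $p -like 'HKLM:*'
        $mask  = $generic -bor $(if ($isReg) { $regWrite } else { $fsWrite })
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = if ($isReg) { $ace.RegistryRights } else { $ace.FileSystemRights }
            if (([int]$rights -band $mask) -eq 0) { continue }   # read-only entry
            $who = $ace.IdentityReference.Value
            if ($Baseline -contains $who) { continue }           # expected writer
            New-Object psobject -Property @{
                Path = $p; Owner = $acl.Owner; Identity = $who
                Rights = $rights; Inherited = $ace.IsInherited
            }
        }
    }
}

# Any row returned is a non-baseline principal that can modify the object.
Get-BroadWriteAce -Path $targets -Baseline $baseline |
    Format-Table Path, Identity, Rights, Owner, Inherited -AutoSize
```

Run before and after applying the steps to record exactly which entries were added; the Owner column also shows whether takeown moved ownership away from TrustedInstaller.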
  • This is a good solution but without using UAC. If you want UAC to be enabled, then you have to play with other software to replace fontview.exe because using ACT and modifying the shim database doesn't help.

    Here are the screenshots:  http://tompopov.blogspot.com/2011/05/allowing-non-admin-users-to-install.html

    May 17, 2011 14:03
  • Billy- would you mind filling me in on how hard it was for you to accomplish the Adobe reader and java update access? Any tips to make the process easier? This is something I've wanted to do for quite a while, would appreciate your advice.
    June 4, 2012 18:32
  • This works.

    Apparently it is not possible to set the rights on the fonts folder through GPO. This was possible under WXP.

    November 5, 2013 13:47
  •  
    > Apparently it is not possible to set the rights on the fonts folder
    > through GPO. This was possible under WXP.
     
    That's true, because beginning with Vista, the Trusted Installer owns
    the Fonts folder, not SYSTEM. This results in GPO being unable to change
    ACLs.
     

    Martin

    November 5, 2013 15:11
  • I tried a few other methods without success but this worked for me and took two minutes. Thx 
    June 6, 2014 13:58
  • Why is this marked as answer? However, it's not a full solution to the question. I tried it with Windows 7 and still fonts cannot be installed.
    July 8, 2014 7:13
  • Any updates? Still looking for a solution that works. Is there a font manager that can do this?
    August 21, 2014 18:11