Storage

USB permissions puzzle

When Ed Bott challenged TechRepublic members to solve a pesky Windows 2000 permissions issue, many answered the call. Check out readers' recommendations; then see if you can shed any light on Ed's new Challenge.


I don't know exactly when it happened, but suddenly I'm surrounded by USB hardware. Every PC I've purchased for the past two or three years has had a pair of USB ports. This year, I've finally begun using them in earnest.

My (admittedly messy) office is overrun with a menagerie of incredibly useful USB devices: A miniature MOBILE Mouse from NewMedia Technology that lets me avoid fussing with finicky touch pads and eraser-style pointers on a notebook; Microsoft's ultracool IntelliMouse Explorer, with its glowing red taillight; Hewlett-Packard's Jornada 545 handheld computer, running Windows CE; Xircom's USBnet network adapter, which lets me connect any PC at Ethernet speeds (well, almost) without cracking the case; A Kodak DC240 megapixel digital camera. And that's just the tip of the iceberg, as you can see from this searchable catalog of USB products, put together by the USB Implementers Forum.

Why the sudden USB population explosion? Windows 2000, of course, with its built-in support for USB peripherals and full plug and play functionality. After six months, a critical mass of Windows 2000 drivers has appeared as well. Notebook users have the most to gain, because other expansion solutions are impractical or expensive. For this week's Microsoft Challenge, I offered, appropriately, 2000 TechPoints to anyone who could help solve a pesky Windows 2000 permissions issue. When a mobile user who isn't in the Administrators group plugs in a USB device, Windows 2000 throws up an error message— the user is not authorized to install a new device. The driver is there, but the only way to make the device work is to log on with administrative rights first, install the device, and then let the user log on. Obviously, this is impractical for notebook users.

TechRepublic member fraysier_rj was first to respond, but took the easy way out: "Can't you just add them to the local Administrators [group]? I've found in NT 4.0 that takes care of problems such as this. We have policies in place for the network and we've never run into any problems with users being able to do any damage." Well, that does work, but not on my network, where security policy says no one logs in under an administrative account for everyday work. Ever. When logged-in users have administrative rights, they can click on a virus or Trojan horse, and it immediately inherits those rights, including the power to tamper with crucial system settings. Every admin has two accounts, and the more powerful one is strictly reserved for administrative tasks.

A few TechRepublic members offered some basic troubleshooting advice: “It sounds like a permissions problem.” (Yep.) “The solution might be as simple as adding the user to the Power Users group.” (Nope.) “Have you looked in the Active Directory and Local Security settings? I'm sure it’s there somewhere.” (Good idea, but you only get the points if you do the work!)

A longtime contributor to this column, calves, nailed the problem with this response. (He earns the entire 2000 points.) I've filled in a few missing details so you can follow along reliably:
  1. Go to Control Panel and double-click on Administrative Tools.
  2. Open the Local Security Policy object. If you're logged on with administrator's rights to the machine, just double-click. If you're logged on with a user's account, right-click on the Local Security Policy icon and choose Run As; then enter the Administrator's username and password.
  3. Double-click the Local Policies object and double-click User Rights Assignment.
  4. Select the "Load and unload device drivers" entry from the list. By default, only the Administrators group has this right. Double-click (or right-click and select Security).
  5. Click the Add button. Select one or more users (or an appropriate group, such as Power Users) and add those accounts to the list. Reboot to make the changes effective.

Setting permissions properly is one of the biggest challenges that Windows 2000 administrators face. Thanks to all this week's participants for helping to clear up this permissions puzzle.

Here's Ed's new Challenge
While prowling through the most recent batch of Windows NT/2000 questions on TechRepublic's forums, I ran across an intriguing one from a network administrator. He's baffled because he hasn't seen any improvement in performance on his five-user network after increasing server RAM from 64 MB to 128 MB. That should be plenty of memory for such a small network, but he isn't seeing the performance gains he expected; in fact, performance seems to be dropping. How can this TechRepublic member figure out where his memory is being used up? Are Windows 2000's performance monitoring tools enough, or should he invest in third-party tools? If you think you’ve got the answers, click here to tackle this week's Microsoft Challenge. I've got 2000 TechPoints reserved for the best responses.

Editor's Picks

Free Newsletters, In your Inbox