Reducing user accounts from Administrator level to User level means there are certain things that the users cannot do. Of course, that is usually the point: to prevent users from doing things that might upset the stability and security of the system. However, there are a number of tasks which IT would like users to be able to do without calling the Help desk.
One of these is to add simple hardware devices. Application Control Solution makes this possible.
To do this:
- Create a filter to capture rundll32.exe. Note: You can use Process Explorer to view the actual command line that was executed when the New Hardware Wizard starts, and use that information to create a Command Line filter so the policy is very specific about when the wizard is elevated and when it is not.
- Create a policy for this process.
- Add the filter (and the command line filter, if created, as an include condition).
- Add the Application action of Add Administrator rights (as a possibly even more reduced rights option, you can try adding either or both of Power Users and the specific privilege to Load and Unload Device drivers instead of Administrators).
- Add the other necessary settings - correct Resource Target, priority, settings for child processes and enable the policy.
- Most hardware additions will have the same needs, but there could be specific requirements for some. So the same setting may not work for all hardware. Test and adjust as necessary.
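
Because rundll32.exe hosts many unrelated DLL entry points, the Command Line filter should be written from command lines actually observed on a test machine. The following PowerShell sketch is an added example (not part of Application Control Solution or the original article) that records them as an alternative to reading them in Process Explorer; the 120-second window and the subscription name `Rundll32Watch` are assumptions.

```powershell
# Added example: log each rundll32.exe command line started during a test
# window so the Command Line filter can be built from observed values.
# Run it in the test user's session, then start the hardware wizard.
$Seconds  = 120              # observation window (assumed value)
$sourceId = 'Rundll32Watch'  # hypothetical subscription name

$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND TargetInstance.Name = 'rundll32.exe'"
Register-CimIndicationEvent -Query $query -SourceIdentifier $sourceId

$seen     = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
try {
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1
        $events = Get-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
        foreach ($evt in $events) {
            $proc = $evt.SourceEventArgs.NewEvent.TargetInstance
            Remove-Event -EventIdentifier $evt.EventIdentifier

            # CommandLine is empty when the process belongs to another user
            # and this watcher is not elevated; record that gap explicitly.
            $cmd = if ($proc.CommandLine) { $proc.CommandLine } else { '<not readable>' }

            # The parent may already have exited, so its name can be blank.
            $parent = Get-CimInstance Win32_Process `
                -Filter "ProcessId = $($proc.ParentProcessId)" `
                -ErrorAction SilentlyContinue

            $key = "$($parent.Name)|$cmd"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Count = 0; Parent = $parent.Name; CommandLine = $cmd
                }
            }
            $seen[$key].Count++
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier $sourceId
}

# Distinct command lines seen, most frequent first.
$seen.Values | Sort-Object Count -Descending | Format-Table -AutoSize -Wrap
```

Any rundll32.exe command line in the output that is not part of the hardware wizard is one the include condition should not match.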