Microsoft KB Archive/326473

= You Are Prompted for Administrator Credentials When You Try to Install a Plug and Play Printer =

Article ID: 326473

Article Last Modified on 5/29/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition

-



This article was previously published under Q326473



SYMPTOMS
When you log on to your computer as a member of the Power Users group that has the &quot;Load and unload device drivers&quot; user right and then you connect a Plug and Play printer to a local port on the computer, you may be prompted to provide administrator credentials before you can install the printer.

If you provide administrator credentials, the Add New Hardware Wizard guides you through the installation process. You may be prompted for additional information to install the printer successfully.

If you do not provide administrator credentials and cancel the installation, you receive the following error message, and the printer driver is not installed:

You do not have sufficient security privileges to install hardware on this computer. Please contact your site Administrator, or logout and log in again as an administrator and try again.

NOTE: If you use the Add Printer Wizard to install the printer, you are not prompted for administrator credentials and you can install the printer successfully.

Some Plug and Play printers are installed without any user intervention. You may see some Add New Hardware Wizard messages, but you are not prompted to provide any administrator credentials.



CAUSE
For security reasons, Windows XP cannot permit a user who is not an administrator to install a device on the computer. When you log on using nonadministrator credentials, the &quot;Load and unload device drivers&quot; user right only allows you to make nonpersistent changes to the state of the drivers that are running on the computer. A nonpersistent change is a change that goes away when you restart the computer (for example, a command such as net start or net stop).

Your access control list (ACL) determines if you can make a persistent change to the computer. Your ACL is not the same as your set of user rights. Only members of the Administrator group have an ACL high enough to make persistent changes to the computer. A persistent change (for example, installing a device) is a change that remains in effect even after you restart the computer (for example, making a permanent change in the registry or installing a new file on the hard disk).

The print spooler includes a feature designed to permit installation of network printers. If you are a member of the Power Users group that has the &quot;Load and unload device drivers&quot; user right, you can take advantage of this feature by using the Add Printer Wizard to install a printer. When you do so, the print spooler acts as your proxy to make the persistent changes that are required to install the printer driver. The print spooler does not use Plug and Play installation, so Windows XP does not check your ACL before it installs the printer. However, when you connect a Plug and Play printer to a port on the local computer, Plug and Play detects the printer and uses Plug and Play rules to install the driver. If you are logged on as a member of the Power Users group, Windows XP prompts you for administrator credentials because your ACL is not high enough to install a device by means of Plug and Play. This is true even if you have the &quot;Load and unload device drivers&quot; user right.



STATUS
This behavior is by design.



MORE INFORMATION
Windows XP supports two methods to install a Plug and Play device: server-side installation and client-side installation. Both methods can be used on a single computer.

Windows XP uses server-side installation when you are not required to provide additional information to install your Plug and Play printer. If the manufacturer of your device provides complete preinstallation information in the .inf file and the .pnf file, and the files are trusted (digitally signed), Windows XP can use server-side installation to install the device. Server-side installations do not require intervention by an administrator.

Windows XP uses client-side installation when you have to provide additional information to install your Plug and Play printer. In client-side installation, you can select the driver files, the path to the files, and other options. However, when Windows XP uses client-side installation, you must provide administrator credentials.

Server-side Installations
A server-side installation is a device installation that is performed entirely by the Plug and Play manager. A server-side installation can occur only if the following conditions are true:
 * A bus driver detects the device and notifies Plug and Play Manager.
 * Plug and Play Manager finds an .inf file that contains a hardware ID that matches the hardware ID of the device.
 * The .inf file and the drivers for the device are signed.
 * Windows XP can locate all the drivers for the device without prompting the user for media locations (for example, the drivers are included with the operating system, a vendor-supplied driver was previously installed, or vendor-supplied driver files are preinstalled).
 * The class installer and co-installers for the device do not open properties at the end of the installation.
 * The .inf file for the device does not indicate that the device requires an interactive installation.
 * RunOnce registry entries consist only of calls to the Rundll32.exe file.

A server-side installation does not prompt the user for any additional information and does not require administrator credentials. This type of installation is known as &quot;server-side&quot; because the installation is performed by Plug and Play Manager and interaction with a user-mode client is not required.

Client-side Installations
A client-side installation is a device installation that requires communication with a user. A client-side installation occurs if any of the following conditions are true:
 * Plug and Play Manager cannot find an .inf file that contains a hardware ID that matches the hardware ID of the device.
 * Plug and Play Manager cannot locate all the required driver files.
 * The .inf file or the driver files for the device are not signed.
 * Windows XP must prompt the user for additional information about the installation (for example, where to find the driver files).
 * A class installer or co-installer for the device opens properties at the end of the installation.
 * The device, bus, or bus driver does not support Plug and Play.

A client-side installation requires client installation software (for example, the Add Hardware Wizard, the Found New Hardware Wizard, or a vendor-supplied device installation program). The client software uses the Setup application programming interface (API) to install the device, and the Setup API uses services provided by Plug and Play Manager as required.

Keywords: kbfix kbprb kbprint KB326473

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.