How Do I Allow A Standard User to Install Programs?

2

1

Yes, I realize that defeats the purpose of standard user. But here is the situation. A friend of mine wants to set up time limits for his home schooled son, and his son needs to be a standard user in order to use Family Safety. But at the same time, his son (who I personally think is way too old to have time limits), needs to be able to update and install some of his games on his computer. So I guess it's just sort of "light" parental control (just something to help him focus and not get distracted with hours of gaming).

It is the basic version of Windows 8.1, so there is no Group Policy editor (gpedit.msc). However, I'm fairly good with computers and I figured out how to install it. But it doesn't have a lot of the features that the "real" gpedit seems to have. Here is an example of what is in my gpedit:

enter image description here

threehappypenguins

Posted 2015-02-18T13:26:44.157

Reputation: 121

The version of Windows your friend has does not have this capability. You have the Professional version which does include it. While this question and answer talks about Windows 7 the solution is the same. You have to manually grant the permission. Just locate the updated support article.

– Ramhound – 2015-02-18T13:31:18.420

possible duplicate of Alternative to gpedit.msc for Windows Home editions?

– Ramhound – 2015-02-18T13:33:45.723

This isn't a duplicate of that question. The OP already managed to get GPEDIT.MSC on the computer noting I figured out how to install it. The OP assumes the problem can be solved using Group Policy, but that's a presupposition being brought into the question. The root query is how to permit a standard user to perform tasks that require Administrative privileges, something that can be accomplished without group policy. – I say Reinstate Monica – 2015-02-18T13:36:37.340

@Twisty - The question that is a possible duplicate has a solution that will work for this user. – Ramhound – 2015-02-18T13:40:57.100

@Ramhound It possible dup tells you how to apply GP settings to a non-Pro version of Windows. It says nothing about which settings would need to be applied to satisfy the OP's request...so I'm not following you here. – I say Reinstate Monica – 2015-02-18T13:44:16.273

possible duplicate of Grant admin rights on an application

– I say Reinstate Monica – 2015-02-18T13:45:55.017

@threehappypenguins I've linked your question to another one that offers a solution for a non-admin user to run already-installed programs with admin rights. I don't think there's going to be a simple way to facilitate installing a program without admin rights. For that, I suggest having your friend log in and perform the initial installation with his Admin account.

– I say Reinstate Monica – 2015-02-18T13:49:08.323

@Twisty - I assumed the author knew which permission he needed to add just wanted to know how to do that. He doesn't specifically ask what permission he needs to add just how to add that permission. – Ramhound – 2015-02-18T13:49:17.717

@Ramhound OK, I follow you now. I don't think that's the case, but perhaps the OP can clarify for us. – I say Reinstate Monica – 2015-02-18T13:50:31.457

1Thank-you, Twisty. You get what is going on here. You said that it's "something that can be accomplished without group policy." I was hoping that at first, but I couldn't find anything. Isn't there some way to accomplish this using the registry? For example, if you look up how to have UAC password prompt, everything points to, "You need gpedit." But it can be enabled by a simple registry hack by changing ConsentPromptBehaviorAdmin to 1. – threehappypenguins – 2015-02-18T14:09:06.723

Also, while giving admin rights to already installed programs is helpful, my friend's son is going to be bothering me every time he wants to install a program; I'm just too busy for that. I just want to set this up and leave it. And my friend procrastinates on dealing with his son's computer (ie, giving permission to install a program... my friend is really technologically challenged) (P.S. I'm a woman, lol) – threehappypenguins – 2015-02-18T15:00:50.610

I opened MMC.exe, went to File > Add/Remove Snap-in > Local Users and Groups > Add > Finish. Then I get the error (because I have Basic, obviously) "This snapin may not be used with this edition of Windows 8.1." Someone gave this link for registry edits whereas the GP is just an interface for it. I thought that maybe there is some way to enable the Local Users and Groups snapin. I got as far as HKCU\Software\Policies\Microsoft\MMC\ (I can create the keys), but the instructions are only for Restrict_Run. Any ideas?

– threehappypenguins – 2015-02-18T15:27:43.400

I'm still plugging away here. I have also tried going to Start > control userpasswords2 and then fiddling around in there. I can click on the desired Standard User, go to Properties > Group Membership > Other and choose from a list. But I don't see anything about Power Users or anything I need from that list. So I went back to control userpasswords2, and went to Advanced > Advanced, and THAT opened the lusrmgr dialogue box (Local Users and Groups). Lo and behold, it said this snapin couldn't be used with my Windows edition. Isn't there a registry hack to force the snapin to be enabled? – threehappypenguins – 2015-02-18T18:54:09.843

I'm not aware of a way to allow non-administrators to install programs (unless the program is designed to be installed without Admin rights). The answer I linked you to earlier is helpful for allowing your standard user to update programs. I can appreciate what you're trying to accomplish here but you're essentially asking for a way to make your friend's son an Administrator without making him an Administrator--an unfortunate contradiction. – I say Reinstate Monica – 2015-02-19T01:33:47.423

I can save you some frustration and assure you that granting him membership in the Power Users group in Windows Vista and later (e.g. Windows 7) will not let him install programs that require administrative permissions. Membership in this group did grant such permission in Windows XP and that leads to a lot of confusion as the Internet is still full of such claims.

– I say Reinstate Monica – 2015-02-19T01:43:47.593

Here's a better reference showing that Power Users are powerless in Windows Vista and later.

– I say Reinstate Monica – 2015-02-19T01:52:08.950

Answers

4

YES!!! I did it!!! Here is what I did:

  1. Click Start and type cmd. When cmd.exe shows up, right-click and select Run as Administrator (this allows you to run Command Prompt at an elevated level).
  2. Type net localgroup Power Users /add /comment:"Standard User with ability to install programs." and hit enter.
  3. Now you need to assign user/group rights. Download ntrights.exe from here. These are the instructions from sevenforums:

A) Open the downloaded .zip file, and extract (drag and drop) the ntrights.exe file to your desktop.

B) Right click on the ntrights.exe file, click on Properties, General tab, and click on the Unblock button if available. NOTE: If you do not have a Unblock button under the General tab, then the file is already unblocked and you can continue on to step 1C.

C) Right click on the ntrights.exe file and click on Move.

D) Open Windows Explorer and navigate to and open the C:\Windows\System32 folder, then Paste the ntrights.exe file to move it here.

E) If prompted, click on Continue and Yes to approve moving the ntrights.exe file into the System32 folder, then close the Windows Explorer window.

  1. In an elevated command prompt (see step 1), type ntrights -U "Power Users" +R SeNetworkLogonRight and hit enter. Type in the same thing again, only change SeNetworkLogonRightwith something else. You can try the following:
    • SeInteractiveLogonRight
    • SeChangeNotifyPrivilege
    • SeSystemtimePrivilege
    • SeTimeZonePrivilege
    • SeCreatePagefilePrivilege
    • SeCreateGlobalPrivilege
    • SeCreatePermanentPrivilege
    • SeIncreaseWorkingSetPrivilege
    • SeIncreaseBasePriorityPrivilege
    • SeLoadDriverPrivilege
    • SeSystemEnvironmentPrivilege
    • SeManageVolumePrivilege
    • SeProfileSingleProcessPrivilege
    • SeSystemProfilePrivilege
    • SeShutdownPrivilege

For a complete list of User Rights and explanations, see my comment below (I can't post more than two links; if someone wants to edit this to add the link, please feel free).

  1. Once that is complete, you then need to give your new "Power Users" group permission to write to the C drive. Open my computer, right click on the C drive, and go to Properties. Click on the Security tab. Click on Edit... then Add... and in the big box under Enter the object names to select type Power Users and click Check Names and click OK.
  2. Under the heading Group or User Names, you will see "Power Users." Click on it, and click on the checkmark beside Full Control. It should automatically check off everything else, but if not, manually check everything else. The only thing that you can't check because it is grayed out is Special Permissions. Click Apply, and it will give your group permissions. Ignore any errors that come up and continue anyway (I think assigning group rights in step 4 took care if this).

7.Open an elevated command prompt again (step 1), and type net localgroup "Users" "Power Users" /ADD This nests your Power Users Group within Users so that way it is basically a Standard User account, but with additional privileges.

  1. Type net localgroup "Power Users" user_000 /ADD(user_000 being the user name for the account you are trying to keep as a Standard User and allow to install programs). This will still keep your user in the Users group, but will also add the user to the new Power Users group (so it is part of multiple groups). Note: If your user is signed in with a Microsoft Passport, you can find out your username by clicking on Startand typing control userpasswords2 and hitting enter. Then click on the user account you need to find the name for, and click Propertiesand you'll see your actual user name.

ALL DONE! And you will notice that Family Safety is still enforced, yet the user can't change its settings or give additional time or unblock websites or whatever. Nor can the user add another user with the User Accounts feature. Yet the user can install programs. :)

threehappypenguins

Posted 2015-02-18T13:26:44.157

Reputation: 121

Complete list of User Rights Assignment Settings. – threehappypenguins – 2015-02-20T23:28:09.550

1Danger! SeLoadDriverPrivilege allows a user to install drivers that run in kernel mode, effectively allowing that user to execute arbitrary code at the highest level of privilege. Also, allowing a user full access to the C drive lets that user modify any OS file, allowing that user to easily gain full access to the system. This level of access is equivalent to administrator. – Ben N – 2016-03-09T18:57:57.857

0

Parental Controls (or Family Safety) may no longer the correct tool for the task. Depending on the larger situation, alternative approaches may be appropriate:

  1. Perhaps adding son's account to the power user user group might be enough (though I'm uncertain about its access to the Parental Safety features). Power users have privileges beyond the general Users class, but aren't precisely full-fledged admins. This summary of the differences is old, but generally relevant.

  2. Perhaps restricting access to the Internet through the router is an option. Some homes, for example, limit device access to the Internet in order to encourage sleep. The actual process varies according to the actual router (the linked instructions are for Linksys), but should be relatively easy to locate using your preferred search engine.

  3. More ambitiously, you could setup a proxy server and limit access to specific sites throughout the day. This sounds far difficult than it is, though it can be done quite inexpensively these days using either custom router firmware or even an older, dedicated PC.

In my experience, Family Safety is good for a certain set of scenarios, but no replacement for proper access management. Also, it may be time to consider upgrading Windows to a Pro SKU or even a more recent version that no longer uses a Home SKU.

Hope this helps...

-- Lance

P.S. The problem facing the privilege elevation approaches suggested so far is that they require access to elevated credentials. You either end up saving elevation credentials to the hard drive (a security no-no) or you end up having to provide credentials anyway, thus not saving any time/effort. The underlying problem, really, is one of trust and time management. That's a parental question that no software can really manage effectively. (That's my personal opinion, yours may vary.)

Lance Leonard

Posted 2015-02-18T13:26:44.157

Reputation: 404

A) I would love to set up Power Users. Unfortunately, *He (as well as I; for testing purposes) have the Basic version of Windows 8.1. Which is why I'm posting on here in the first place (for help). I would love to add the additional snapins, so if I could please get some sort of hack to do that. – threehappypenguins – 2015-02-18T15:39:39.880

B) I have tomato firmware flashed on their router and I do have something set up for Access Restrictions. It works great for the 8 other younger children. They all do their school during the day. Unfortunately, it's more complicated with the oldest since for one, he has his own computer, and for two, he sometimes works with his dad during the day and needs to do school at night (or vise-versa). So I was going to set up separate profiles. One for his games and everything else (which has the 1 hour limit), and the other for his school, which will have Facebook, games, etc blocked permanently. – threehappypenguins – 2015-02-18T15:42:34.250

Oh, and I forgot to add that it is a HUGE pain to block any https websites (like Facebook) with the router. I can block port 443, but then his blogger website is blocked (needs it for an online class). It involves a cat and mouse game of finding 20 different ip addresses (for just one website), using a timed script (start and stop times) and blocking it on that level. The younger kids don't really use Facebook, but the oldest does. It's easiest just to block it on his computer in his "school" profile (which has unlimited time for the whole day). – threehappypenguins – 2015-02-18T17:12:28.987

1I know of no hacks of the kind you're alluding to. Your knowledge of a search engine may help serve you better in that direction. As far as the rest of it goes, you're talking about a flexible, ad-hoc access policy, one that can be elevated or lowered at will. I don't think a hardware based proxy solution is going to give you that flexibility. You're mostly looking at the freedom gained through managing a proxy server directly...or a separate laptop with elevated privileges, one that is handed out (and recovered) as needed. – Lance Leonard – 2015-02-18T17:22:35.713

@Lance Your summary of differences between the Power Users and Administrative user groups applies only to Windows XP. Those differences are no longer valid on Windows Vista and higher.

– I say Reinstate Monica – 2015-02-19T01:50:24.877

I stand corrected. Thank you. Pity the later doc didn't rank more highly in the search results. Regardless, I stand by my other suggestions. – Lance Leonard – 2015-02-19T03:20:22.477

-2

Try to find some app that elevates the user, in a enterprise environment you can use Avecto's Privilege Guard... Might be some similiar for home usage, like this:

http://www.techrepublic.com/blog/windows-and-office/elevate-privileges-automatically-with-elevation-powertoys/

riro

Posted 2015-02-18T13:26:44.157

Reputation: 527

2I am finding it difficult to understand the reason an article on Windows Vista PowerToys is relevant to the author's question. There is zero substance to the linked article, it basically says, well nothing. Additionally the tools, if you can call them that, are designed for users who are already elevated users. – Ramhound – 2015-02-18T13:39:06.483

Asked: 2015-02-18T13:26:44.157

Viewed: 20 073 times

Active: 2016-09-05T17:50:53.930