Programmatically Setting *Global* Printing Permissions on Windows 7 Client

    Question

  • By default, Windows 7 allows a user to create a local printer in the Printers and Devices dialog (via Add Printer -> Add A Local Printer).  

    We would like to prevent unprivileged users from doing this.   We found that we can pull up Print Server Properties (as Administrator), Security Tab, select INTERACTIVE, and remove the check for "Manage Server".    After that, the "Add a Local Printer" has a Shield, meaning it takes elevated privileges to install a local printer.    This is exactly how we want it. 

    How do we implement this modification on 10,000+ machines?   There does not seem to be a Group Policy setting to do this, nor any obvious command-line utilities or PowerShell commands to change this particular permission setting. 

    Thursday, May 15, 2014 6:50 PM

All replies

  • It would be better to roll out the policy that blocks people from running the Add Printer Wizard.

    Arrg, the User policy setting "Prevent addition of printers"  also blocks adding connections to shared printers.

    There is not a way to set the *Default* Printer permissions using PowerShell or the setprinter.exe command available for download from Microsoft.  If you have a support contract with Microsoft, ask your contact for a current version.  There are a couple of posts in this forum where people have obtained the utility that supports what you wish to do; they might be able to share.

    Hint if you have a support contract and the person does not have a clue what you are asking for: give them my name.


    Alan Morris Windows Printing Team



    Thursday, May 15, 2014 7:41 PM
  • It would be better to roll out the policy that blocks people from running the Add Printer Wizard

    Alan Morris Windows Printing Team

    To clarify, we want unprivileged users to be able to add Network printers, but not Local printers.   The policy you reference would block both.

    To clarify even more, if a (smart) user knows the IP address of a network printer, they could create their own TCP/IP port on their machine and a local queue.  We would much prefer the centralized control of print servers, in case the IP address changes, etc.  Having a bunch of users creating their own "local network" printers might turn into a support headache. 

    Thursday, May 15, 2014 8:01 PM
  • I think Alan understood your concern and shared your displeasure with blocking the Add Printer Wizard via GPO since it removes the ability to add a network printer.  If I'm reading his suggestion correctly he advised you to contact Microsoft and ask for the utility that can set *Default* Printer permissions and give them his name if you get blank stares on the other side of the phone.
    Thursday, May 15, 2014 8:24 PM
  • I think Alan understood your concern and shared your displeasure with blocking the Add Printer Wizard via GPO since it removes the ability to add a network printer.  If I'm reading his suggestion correctly he advised you to contact Microsoft and ask for the utility that can set *Default* Printer permissions and give them his name if you get blank stares on the other side of the phone.

    Yes, he edited his initial one-liner post after I replied.  :-) 
    Friday, May 16, 2014 1:29 PM
  • Thanks, Alan.  Yes, we do have a PSS contract with MS, so I'll have my people talk to your people. 
    Friday, May 16, 2014 1:31 PM
  • Yes, I was confirming how the policy worked after the first response.  I can't remember everything.  Would you be running the utility locally on the machines?  It can also be run remotely but you would need to have a policy in place to open the remote RPC endpoint on the client machines.  Depending on the security policies in your environment.  You can validate print driver versions on the client machines when this endpoint is open.

    Computer \Admin templates\ Printers \ Allow Print Spooler to accept client connections

    Instructions for performing the task you want to do are in the second post above.  You will need to use the -show option to obtain the security setting from a machine that is using the configuration you want.  Once you have the security blob, you can set that on other machines.

    I confirmed that the tool will set the changes you wish to make locally and remotely.


    Alan Morris Windows Printing Team

    • Marked as answer by Steve Kane Friday, May 16, 2014 6:49 PM
    Friday, May 16, 2014 5:19 PM
  • I would probably run this utility either as part of a machine startup script, or as part of our build Task Sequence. So, basically local.

    Thanks much for the information, Alan! 

    Friday, May 16, 2014 6:49 PM
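
A way to check the result of the change discussed in this thread, as an added example that is not part of any post and is not the Microsoft utility mentioned above: given a print server security descriptor as an SDDL string, list every trustee whose allow ACE carries the "Manage Server" right (`SERVER_ACCESS_ADMINISTER`, 0x1 in winspool.h). Assumptions: the descriptor has already been obtained in SDDL form (the thread does not say how), the function name is hypothetical, and both sample strings are constructed.

```powershell
# Added example; not from the thread. Sample SDDL strings below are constructed.
$SERVER_ACCESS_ADMINISTER = 0x1   # winspool.h: the "Manage Server" checkbox
$INHERIT_ONLY_ACE         = 0x08  # ACE applies to child objects only
$INTERACTIVE_SID          = 'S-1-5-4'

function Get-ManageServerTrustee {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        throw 'Descriptor has a NULL DACL: every caller gets full access.'
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant rights.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        # Inherit-only ACEs do not apply to the server object itself.
        if ((([int]$ace.AceFlags) -band $INHERIT_ONLY_ACE) -ne 0) { continue }
        if (($ace.AccessMask -band $SERVER_ACCESS_ADMINISTER) -ne 0) {
            $ace.SecurityIdentifier.Value   # emit the trustee SID
        }
    }
}

# Constructed samples: INTERACTIVE (IU) with and without the 0x1 bit.
# 0x2 is SERVER_ACCESS_ENUMERATE; 0xF0003 is SERVER_ALL_ACCESS.
$samples = @{
    'before' = 'O:SYG:SYD:(A;;0x3;;;IU)(A;;0x2;;;WD)(A;;0xF0003;;;BA)'
    'after'  = 'O:SYG:SYD:(A;;0x2;;;IU)(A;;0x2;;;WD)(A;;0xF0003;;;BA)'
}

foreach ($name in 'before', 'after') {
    $trustees = @(Get-ManageServerTrustee -Sddl $samples[$name])
    New-Object PSObject -Property @{
        Sample               = $name
        ManageServerTrustees = ($trustees -join ', ')
        InteractiveCanManage = ($trustees -contains $INTERACTIVE_SID)
    }
}
```

The check looks only at allow ACEs on the descriptor itself; a user can still hold the right through another group listed in the output, so review every SID it returns, not just INTERACTIVE.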