none
GPO to allow user install printer driver from exe file without administrative right

    Question

  • Hello,

    We use Windows Server 2008 R2, users have Windows 7. Users are not Local Administrators.

    We would like to allow users to install printer software without administrative rights.

    There was similar topic about this -

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/67e34b3c-8e53-4a38-9e99-92c3dd53e38a/configure-gpo-to-allow-user-install-printer-driver-without-administrative-right?prof=required

    .

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers - Disabled

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation - Disabled

    Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled

     

    Allowed device setup class GUIDs:

    {4d36e979-e325-11ce-bfc1-08002be10318}

    {4658ee7e-f050-11d1-b6bd-00c04fa372a7}

    .

    But this didn't worked. I guess it works only with .inf files.

    Is there way to allow users to launch .exe files which come from, for example, "Epson, America Inc.", "Hewlett-Packard", etc.?







    • Edited by Ph0neutr1a Wednesday, August 21, 2013 11:45 AM
    Wednesday, August 21, 2013 11:14 AM

Answers

All replies

  • Hi,

    Before going further, I need to confirm what the device setup classes of the printers you want to deploy are. For I saw they are the same with ones on the thread you mentioned.

    We could determine device setup class from the related INF file. An INF file is a text file that contains all the information that the device installation components must have in order to install a driver. Microsoft Windows drivers must have an information (INF) file in order to be installed.

    The article below may be referred to for more information about INF files.

    Overview of INF Files

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx

    Before we can grant permission to install a specific device, we must determine the device setup class that Windows uses to uniquely identify that device. We can do this by viewing the .inf file of the device driver package, or by viewing the properties of a currently installed device.

    The following article may be referred to for specific details.

    Configure Computer Policy to Allow Non-Administrators to Install Specific Devices

    http://technet.microsoft.com/en-us/library/cc725772.aspx

    Best regards,

    Frank Shen

    Thursday, August 22, 2013 12:00 PM
    Moderator
  • Thanks for the answer but I guess given solution won't work for exe but only for inf, will it?

    .

    The situation is -

    User uses company laptop at home but wants to use home printer. The user downloads a printer driver but it is not possible to use exe file because the user has no local administrator rights.

    For this situation i have to find best solution.

    .

    For now the best I came up with is to publish an universal printer driver through GPO, most or even all main brands should have it. The user then installs it through ADD programs. I don't know how good universal drivers are but I think simple functions should work. And then next work day user may request driver for his printer model and we roll out it for him.

    .

    Maybe there is a better solution?

    .

    For user installing drivers using INF files may be too difficult.

    Every printer driver (exe) is signed (Epson Inc. for example) maybe it is possible to somehow allow everything that comes from Epson? We have Server 2008 R2.

    And I don't think that I would like to use Software Restriction Policy.




    • Edited by Ph0neutr1a Thursday, August 29, 2013 12:03 PM
    Thursday, August 29, 2013 11:56 AM
  • This does not answer the TOs question, so please unmark it... TIA.

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    Thursday, August 29, 2013 12:02 PM
  • After disabling UAC completely user can launch installation (exe) files that are for printer installation. They can't launch any other exe.

    I thought GPO "User Account Control: Detect application installations and prompt for elevation - Disabled" already disabled UAC.

    Anyway, even when I can launch basic printer driver installation file installation goes to like 50% and Access Denied message appears. Probably installation tries to put files in System32 or something.

    So I can start exe but can not finish installation.

    Friday, August 30, 2013 12:08 PM
  • That's the way it is. Users are users, and administrators are administrators. If it is mission critical, use process monitor to detect where access is required and grant users this access - I wouldn't do so...

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    Friday, August 30, 2013 12:38 PM
  • That's the way it is. Users are users, and administrators are administrators. If it is mission critical, use process monitor to detect where access is required and grant users this access - I wouldn't do so...

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    Is this is the Process Monitor you meant?

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Just curious, how grant access to user using process monitor? And why would this not be recommended?



    • Edited by Ph0neutr1a Friday, August 30, 2013 2:21 PM
    Friday, August 30, 2013 2:18 PM
  • Yes, that's it.

    And it isn't "not recommended". It's just me who wouldn't do so. ym2c...


    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    Sunday, September 01, 2013 8:23 PM