none
Configure GPO to allow user install printer driver without administrative right

    Question

  • There were windows 2003 DC and windows 7 client running in the production environment.

    I would like ti configure a GPO to allow user could install the printer driver without the administrative right required.

    I know i need to configure this setting for the GPO, "Computer Configuration\Administrative Template\System\Driver Installation\Allow non-administrator to install drivers for these device setup classes"...

    However, it seem that the above setting only available on windows 2008 and windows 7 machine.

    I could not found the same setting on windows 2003 machine i.e. DC

    So, i would like to know if it were possible to do the same setting from windows 2003 machine.

    If the answer were yes, please let me know the detailed step.

    Thanks for any suggestion.

     

    Tuesday, February 22, 2011 11:00 AM

Answers

  • Hi,

     

    For the first one, if it is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If disabled, any user can install a printer driver as part of connecting to a shared printer. Default on workstations: Disabled. Please make sure it is Disabled.

     

    For the second one, if it is Disabled, application installation packages are not detected and prompted for elevation. If Enabled, when an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

     

    The above settings worked on my test. As you said that “the normal user still could not add the printer if i only set 3) in GPO…”, did you receive any error? If so, please write down the error and describe the scenario more detail. On problematic Windows 7 computer, run Command Prompt with administrator privilege, then run “gpresult/v > C:\policy.txt”

     

    Please paste the results here for research.

     

    Thanks.

    Nina
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, February 25, 2011 1:44 AM

All replies

  • Read this: http://technet.microsoft.com/en-us/library/cc787926(v=ws.10).aspx

    This explains what you want to do.

    Alternative you can install RSAT tools on a Windows 7 client and manage GPO's from there and set the settings required for Windows 7. (Point and print)

     

    OHM
    www.moe.am

    Tuesday, February 22, 2011 12:16 PM
  • Hi,

     I'd like to reiterate the second part of Oddvar's comment: it is best practice to edit and manage GPOs from the most recent OS being managed. I would strongly recommend deploying RSAT and GPMC on a Windows 7 machine to manage all GPOs going forward. This will make sure you are using the most recent versions of each setting and that you are able to take advantage of recent enhancements to GPOs. Backwards compatibility built into GPOs will make sure that you can apply those policies to older OSes.

     

    Thanks,

    Guy

    Tuesday, February 22, 2011 5:47 PM
  • Hi,

     

    As suggested, you can use the following tool on a Windows 7 client.

     

    Remote Server Administration Tools for Windows 7

    http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d  

     

    Below are sample GPO settings for all kind of printer installations just for your reference:

     

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers - Disabled

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation - Disabled

    Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled

     

    Allowed device setup class GUIDs:

    {4d36e979-e325-11ce-bfc1-08002be10318}

    {4658ee7e-f050-11d1-b6bd-00c04fa372a7}

     

    For more information, please also refer to the following link:

     

    http://technet.microsoft.com/en-us/library/cc770453(WS.10).aspx  

     

    If any trouble is encountered, please let us know.

     

    Thanks.

    Nina


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by Leo_IT Wednesday, June 13, 2012 2:09 PM
    Wednesday, February 23, 2011 9:51 AM
  • Hi Nina,

       Thanks for your update.

       I just want to clarify do i have to configure the below three change on the new GPO.

       1) Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers - Disabled


        2) Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation - Disabled


        3) Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled

     

       Because I found that the normal user still could not add the printer if i only set 3) in GPO which show in the document link you provide.

     

       Thanks and look for your clarification so that i could do more test.

     

    B.rgds,

    Jordan

    Wednesday, February 23, 2011 10:34 AM
  • Hi,

     

    For the first one, if it is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If disabled, any user can install a printer driver as part of connecting to a shared printer. Default on workstations: Disabled. Please make sure it is Disabled.

     

    For the second one, if it is Disabled, application installation packages are not detected and prompted for elevation. If Enabled, when an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

     

    The above settings worked on my test. As you said that “the normal user still could not add the printer if i only set 3) in GPO…”, did you receive any error? If so, please write down the error and describe the scenario more detail. On problematic Windows 7 computer, run Command Prompt with administrator privilege, then run “gpresult/v > C:\policy.txt”

     

    Please paste the results here for research.

     

    Thanks.

    Nina
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, February 25, 2011 1:44 AM
  • Disclaimer: After some days struggling, I'm a bit upset about this. That said, go on reading

    MSoft must not achieve security preventing people from working. I's like to avoid car accidents by preventing everybody from driving. Please, be so kind as to publish a hotfix (or update or whatever).

    To add a network printer for a user is day-to-day operation. Non-administrator users is a standard. This thread (and a dozen others I've been reading) ought not exist. BUT it exists. And I could add a dozen other GPO's that -supposedly- resolved this item (see http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/ff0971b5-cd26-40cc-bebe-346137cbce89)

    NONE of them (nor these 3) worked.

    And, at least in my case, step 2 only does something like killing the messenger.

    Regards.

    P.D. I'll log on every comp as admin, I'll install a printer of each brand used in my network and after that I'll take some beer while the login script connects appropriate printers to each user. I'm very happy :-(

    Friday, February 25, 2011 12:46 PM
  • You might see message with “UAC” prompt to install drivers while adding network printers from a windows 7 computer. This behavior is expected as normal users are not allowed to add network printers (drivers installation requires admin rights) in a Windows 7 environment.

    To fix this, you need to enable below group policies with described settings.

    “Computer Configuration\Administrative Templates\PrintersPoint and Print Restrictions”

    If you have windows 2003 domain and you don't have any windows 2008 domain controler in your environtment, you can use windows 7 desktop with RSAT tool.

    Only thing you have to do is….

    1. Install RSAT on your windows 7 desktop ...you can download it from http://www.microsoft.com/download/en/details.aspx?id=7887

    enable GPMC (Group Policy Management Console) on Turn Windows features on
    1. Logon to a windows 7 computer with domain admin account
    2. Open GPMC

    3. Create a new GPO and link it to windows 7 computer OU if you have created a dedicated one.
    4. Now edit the newly created GPO

    “Computer Configuration\Administrative Templates\PrintersPoint and Print Restrictions”

     

     

    Monday, September 12, 2011 6:56 PM