none
"Windows Can't Open Add Printer. Access is Denied."

    Question

  • Hi there, hoping to get some help on some printer issues on our server... Here are the symptoms and some information from troubleshooting I've been doing.

    1. Last saturday for no apparent reason, MOST users are unable to see any of the printers under Devices and Printers, and are unable to start the Add Printer wizard... they get the "Windows cant open add printer. Access is Denied." This only applies when logging onto the server, either directly or through remote desktop... behavior is normal on everyone's individual workstations.

    2. When I say "most users", I am not seeing any patterns.

    for example, these users can still see their printers and start the app printer wizard. 

    COMPNAME\Administrator (Computer administrator), DOMAINNAME\POINTOFSALE7 (domain user), DOMAINNAME\SUPERVISOR (domain administrator and computer administrator)

    However, these users cannot:

    COMPNAME\Testuser (computer user), DOMAINNAME\POINTOFSALE2 (domain user), DOMAINNAME\LINDA (domain administrator and computer administrator).

    In other words, the status as a computer/domain administrator or user, or as a local or domain user has 0 effect. We only have "users" and "administrators", so there's no special permissions granted to any individual users or groups (that I'm aware of at least).

    3. When I'm logged on to a user that can't see the printers or run the add printer wizard, I can run an elevated cmd with the command "rundll32 printui.dll,PrintUIEntry /il" This command DOES successfully start the add printer wizard. Interestingly, I can enter DOMAINNAME\LINDA's credentials to start the elevated CMD, and the command will run successfully. But DOMAINNAME\LINDA is unable to start the wizard logged on as herself. I can log in as DOMAINNAME\LINDA and start a normal cmd... but the command will yeild the same "access denied" error. I need to elevate it to run as an administrator for it to run successfully. Of course, when I'm logged in as DOMAINNAME\LINDA , no password is required to elevate the CMD, I just need to press OK.

    4. One of the differences I noticed between the accounts that could still see the printers and start the wizard is that they didn't need to manually elevate many operations... for example, the administrator DOMAINNAME\LINDA has to elevate her CMD to run the rundll32 printui.dll,PrintUIEntry /il DOMAINNAME\SUPERVISOR does not. Similarly, accessing C:Windows\System32\Spool\PRINTERS requires elevation for DOMAINNAME\LINDA to access, but not for DOMAINNAME\SUPERVISOR. I suspect that there are a variety of files/folders that require elevation for Linda, and that may be why linda (and most other users) can't start the wizard or see the printers.

    5. Yes, the spooler service has been started and re-started.

    6. Yes, we've restarted the server

    7. Copying tne of the users that can still see the printers and start the wizard to create a new user has no effect - the new user is incapable of seeing printers or starting the wizard. This applies both to domain and local users.

     8. The only patterns I've been able to identify in distinguishing why one user has the problem while the other doesn't is the likelyhood that the account was logged on at the time the change happened. Each of the accounts that I mentioned can still access their printers and start the wizard are almost always logged in (except for COMPNAME\Administrator). All of the other ones log off pretty reliably at night, so were likely logged off at the time when whatever changes took effect. The server has been restarted since then, and these accounts still have access. New accounts do not have access.

     9. I did not try the hotfix found here http://support.microsoft.com/kb/981070 as the error it specified is not the same one I get. I get the access denied error, not the "Operation could not be completed (error 0x0000007e)." error

     

    Thanks for any help you can provide.

     

     

    Jeff

    Sunday, November 13, 2011 9:28 PM

Answers

  • Found the solution.

    First step, you have to be able to open up the print server properties. There's probably several ways to get there, but I opened an elevated command prompt (non-elevated didn't work) and ran

    RUNDLL32 PRINTUI.DLL,PrintUIEntry /s

    Second, I went to the Security tab and added "Computername\Users" (substituting "Computername" with the name of my computer). Computername\Users were given the permission to "Print" and "View Server". No other permissions were granted to Computername\Users. Computername\Administrators had full permissions.

    Pressed OK, logged out and back in. Printers were then visible again, and the Add Printer Wizard was again accessable.

    The exact steps may not work for everyone, but it does appear the permissions here in the Print Server Properties is at the root at least one of the causes of the problem.

    • Marked as answer by jmworkman Sunday, December 04, 2011 11:49 PM
    Sunday, December 04, 2011 11:48 PM

All replies

  • I suppose I should specify, the server is running Server 2008 R2 Standard. A separate server, windows server 2003, runs the domain. Both servers are members of the domain, and the domain admins are set up as administrators on both servers. The issues mentioned above effect even local users of the 2008 serer, in addition to domain users and domain administrators.

    Sunday, November 13, 2011 10:40 PM
  • Found the solution.

    First step, you have to be able to open up the print server properties. There's probably several ways to get there, but I opened an elevated command prompt (non-elevated didn't work) and ran

    RUNDLL32 PRINTUI.DLL,PrintUIEntry /s

    Second, I went to the Security tab and added "Computername\Users" (substituting "Computername" with the name of my computer). Computername\Users were given the permission to "Print" and "View Server". No other permissions were granted to Computername\Users. Computername\Administrators had full permissions.

    Pressed OK, logged out and back in. Printers were then visible again, and the Add Printer Wizard was again accessable.

    The exact steps may not work for everyone, but it does appear the permissions here in the Print Server Properties is at the root at least one of the causes of the problem.

    • Marked as answer by jmworkman Sunday, December 04, 2011 11:49 PM
    Sunday, December 04, 2011 11:48 PM