none
Non-admins unable to install Network Printers: Windows 7

    Question

  • I'm hoping someone might have a concrete answer for this issue. We have Windows 7 (32 and 64-bit) Professional being deployed, a Server 2008 R2 print server with 400 printers and about 50 different print drivers. We have applied a GPO with the following settings:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers - Disabled

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation - Disabled

    Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled

    Allowed device setup class GUIDs:

    {4d36e979-e325-11ce-bfc1-08002be10318} 

    {4658ee7e-f050-11d1-b6bd-00c04fa372a7} 

    User Configuration\Policies\Administrative Templates\Control Panel\Printers\Point and print restrictions - Disabled

    User Configuration\Policies\Administrative Templates\Control Panel\Printers\Prevent addition of printers - Disabled

    User Configuration\Policies\Administrative Templates\System\Driver Installation\Code signing for device drivers - Enabled - Setting: ignore

     

    And we have verified that the GPO is being applied in gpresult's RSoP.

    No matter what, though, non-admins can not install the drivers that are not pre-packaged into Windows 7. Every time a non-admin tries to install a driver they are prompted for the username and password of an admin user. With 95% of campus set as non-admins this is really a problem (and one that doesn't exist in XP of course). Any help or other ideas would be appreciated.

    Friday, April 02, 2010 7:59 PM

Answers

  • First, I made a mistake.  Jpellet2 can you un-propose the answer on McNutty's post.  I clicked it by mistake.

    Second, I think I fixed my issue.  Here is what the Microsoft rep said.

    Locate to Computer Configuration-> Administrative Templates-> Printers.

    In right pane, double-click  the "Point and Print Restrictions".

     

    3. In the popup window, select "Enabled", then in "Options" select "When installing drivers for a new connection:" to "Do not show warning or elevation prompt " and the "When updating drivers for existing connection:" also to " Do not show warning or elevation prompt ":

     

    This worked for me.

    Here is my complete setup.

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers - Disabled
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation - Disabled
    Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled
    Allowed device setup class GUIDs:
    {4d36e979-e325-11ce-bfc1-08002be10318}
    {4658ee7e-f050-11d1-b6bd-00c04fa372a7}
    Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions - Enable
    Set options "When installing drivers for a new connection:" to "Do not show warning or elevation prompt" and the "When updating drivers for existing connection:" also to " Do not show warning or elevation prompt ":


    Edited 4-16-2010 Changed to disabled due to issues with Windows XP clients
    User Configuration\Policies\Administrative Templates\Control Panel\Printers\Point and print restrictions - Disabled

    User Configuration\Policies\Administrative Templates\Control Panel\Printers\Prevent addition of printers - Disabled
    User Configuration\Policies\Administrative Templates\System\Driver Installation\Code signing for device drivers - Enabled - Setting: ignore

     

    • Edited by Chad_Anderson Friday, April 16, 2010 3:53 PM Point and print restriction for user config caused issues with XP.
    • Marked as answer by Dale QiaoModerator Friday, May 07, 2010 9:04 AM
    Thursday, April 15, 2010 7:51 PM

All replies

  • They are unable to install the drivers because they are standard users in Windows. For a system wide solution, create a group called workstation-admin and add all your rugalar full time employees to that group. When you create a new PC, add that group to the local administrators group on your pc. Make all temporary employees local administrator on the workstation they are assigned to.

    • Proposed as answer by zecto Saturday, April 03, 2010 12:17 AM
    • Unproposed as answer by jpellet2 Monday, April 12, 2010 8:01 PM
    Saturday, April 03, 2010 12:04 AM
  • Although it would work, it is certainly not acceptable. There is no way that we would want to make our users admins of their machines but thanks for the input.
    Monday, April 05, 2010 3:01 PM
  • Any luck finding a solution to this yet?  We are having the same issue and I don't want to spend money to have Microsoft tell me that I have to add users as admins.
    Monday, April 12, 2010 3:27 PM
  • Still nothing. The only thing we're testing now is if we can allow the users access to the drivers store only to see if that works at all but other than that, no luck.
    Monday, April 12, 2010 8:01 PM
  • Hello JPellet2

     

    I am sure lots of people facing same issue. Before trying your settings I was getting error "unable to install driver-permission issue". After I changed settings as you have I started getting prompt for credentials.

    Then I deleted all GPOs/settings, recreated user, reimaged PC but still getting that credentials prompt. And i checked with one of my friend who also experienced same.

    I am not willing to accept MS pushed some patch in the background which started this change. Also at the same time it doesn't make sense once I use totally new envt. and still prompting for credentials.

    Please share your experience if you got the same or if any luck. Thanks.

    Wednesday, April 14, 2010 7:54 PM
  • I opened a ticket with Microsoft.  They are currently trying to duplicate the issue.  I will update the thread once I get any info on it.
    Wednesday, April 14, 2010 9:38 PM
  • We currently have about 100 of our users migrated to Windows 7 with about 15 different printers (10 drivers) deployed. It's not quite on the scale of yours, but we have it working with only one of the above settings enabled. The only difference is our policy is under Computer Configuration instead of User Configuration.

    Computer Configuration-Policies-Administrative Templates-Printers-Point and Print Restrictions: Disabled

    I do know that Windows 7 has issues when you attempt to suppress UAC elevation, so maybe try disabling this one?

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation - Disabled

    Also, have you tried using Group Policy Preferences to deploy any printers? I know it isn't the solution you are looking for, but it may be a stopgap measure that you can use in the meantime.

    Thursday, April 15, 2010 12:03 AM
  • First, I made a mistake.  Jpellet2 can you un-propose the answer on McNutty's post.  I clicked it by mistake.

    Second, I think I fixed my issue.  Here is what the Microsoft rep said.

    Locate to Computer Configuration-> Administrative Templates-> Printers.

    In right pane, double-click  the "Point and Print Restrictions".

     

    3. In the popup window, select "Enabled", then in "Options" select "When installing drivers for a new connection:" to "Do not show warning or elevation prompt " and the "When updating drivers for existing connection:" also to " Do not show warning or elevation prompt ":

     

    This worked for me.

    Here is my complete setup.

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers - Disabled
    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation - Disabled
    Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled
    Allowed device setup class GUIDs:
    {4d36e979-e325-11ce-bfc1-08002be10318}
    {4658ee7e-f050-11d1-b6bd-00c04fa372a7}
    Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions - Enable
    Set options "When installing drivers for a new connection:" to "Do not show warning or elevation prompt" and the "When updating drivers for existing connection:" also to " Do not show warning or elevation prompt ":


    Edited 4-16-2010 Changed to disabled due to issues with Windows XP clients
    User Configuration\Policies\Administrative Templates\Control Panel\Printers\Point and print restrictions - Disabled

    User Configuration\Policies\Administrative Templates\Control Panel\Printers\Prevent addition of printers - Disabled
    User Configuration\Policies\Administrative Templates\System\Driver Installation\Code signing for device drivers - Enabled - Setting: ignore

     

    • Edited by Chad_Anderson Friday, April 16, 2010 3:53 PM Point and print restriction for user config caused issues with XP.
    • Marked as answer by Dale QiaoModerator Friday, May 07, 2010 9:04 AM
    Thursday, April 15, 2010 7:51 PM
  • Hi there, i'm having the same issue. Currently running 2008 R2 servers on a 2003 domain functional level.

    I can't seem to find these options:

    Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes - Enabled
    Allowed device setup class GUIDs:

    User Configuration\Policies\Administrative Templates\Control Panel\Printers\Point and print restrictions - Disabled (The policy is there, but no options when setting it)

    User Configuration\Policies\Administrative Templates\System\Driver Installation\Code signing for device drivers - Enabled - Setting: ignore

    Are these missing because of the domain functional level? Or is it any way i can add them?

     

    Friday, April 16, 2010 10:06 PM
  • Are you using a Windows 7 computer or the 2008 R2 server to look up the GPO?  My domain is at the 2003 domain functional level and I can see it using my Windows 7 computer.
    Monday, April 19, 2010 1:13 PM
  • I have tried with both. Today we raised the domain functional level to 2008 R2, but the policies are still missing. If we install the admx files for 2008 manually, it still doesn't help. Seems like the DCs can't read the .admx files. The .admx files are in the PolicyDefinitions folder when we browse to them, but when we want to import them through a GPO, they don't show.

    In our root domain everything is in place, with all the new policies in place. But it is in our subdomain, where alle the users and computers are, that they are missing.
    • Proposed as answer by schrewst Thursday, April 22, 2010 3:56 PM
    Thursday, April 22, 2010 2:54 PM
  • I am an idiot. Everything is ok now!

    I didn't notice that no central store was configured :p After copied the files over, everything came together!

    Thursday, April 22, 2010 3:58 PM
  • Hi Jpellet2,

    It looks like you've got it set up right. Have your tried the same setup in a non-production environment?

    Monday, April 26, 2010 8:28 PM
  • Will these changes open the door for users to be able to install local printers as well as network printers? In our organization we want our users to be able to install network printers but deny them the ability to install local printers in order to avoid situation where the go out an purchase a printer on their own and try to install it.
    Tuesday, May 25, 2010 4:09 PM
  • Locate to Computer Configuration-> Administrative Templates-> Printers.

    In right pane, double-click  the "Point and Print Restrictions".

    I have just upgraded our primary Windows 2003 Server DC to Server 2008 and am unable to find this setting.  I did create the central store and put the Server 2008 admx files in that location but this setting doesn't appear.  I also installed RSAT on a Windows 7 Professional machine and tried from there, same result, no "Point and Print Restrictions" in the Computer Configuration area.

    Any help would be appreciated.

    Thanks,

    -Sean

    Friday, June 04, 2010 4:37 PM
  • I ended up figuring it out.  The admx files needed to be copied from the Win7 client to the central store, not just the 2008 admx files.
    Thursday, June 10, 2010 5:12 PM
  • Yes, it will.
    Thursday, June 17, 2010 5:44 AM
  • It works.

    My Windows 7 client is now able to connect to a PDF Creator print-as-a-service device shared on a Windows Server 2008 server. No user action is required.

    Tuesday, July 13, 2010 9:12 AM
  • You have to set the GPO for Point and Print restrictions and Deploy the printers to the users using Group Policy .  This will get rid of that admin prompt for non-admins when installing printers on Windows 7.

     

    http://technet.microsoft.com/en-us/library/cc731292.aspx

     

    To deploy printers to users or computers by using Group Policy
    1.    Open Print Management.
    2.    In the left pane, click Print Servers, click the applicable print server, and click Printers.
    3.    In the center pane, right-click the applicable printer, and then click Deploy with Group Policy.
    4.    In the Deploy with Group Policy dialog box, click Browse, and then choose or create a new GPO for storing the printer connections.
    5.    Click OK.
    6.    Specify whether to deploy the printer connections to users, or to computers:
    To deploy to groups of computers so that all users of the computers can access the printers, select the The computers that this GPO applies to (per machine) check box.

    To deploy to groups of users so that the users can access the printers from any computer they log onto, select the The users that this GPO applies to (per user) check box.

    7.    Click Add.
    8.    Repeat steps 3 through 6 to add the printer connection setting to another GPO, if necessary.
    9.    Click OK.

    Tuesday, July 27, 2010 8:37 PM