Install printer without being administrator

    Question

  • Hi all,

    We are planning to deploy Windows 7 and allow notebook users to install their home printers. How can we manage our laptops in a secure way, i.e. not giving the users Administrator rights and not giving them Power Users rights, but still let them install a local home printer?

    Has anybody a hint for me?

    Greetings from Switzerland

    Werni
    Thursday, November 19, 2009 8:37 PM

Answers

  • Windows 7 does not ask for administrative rights by default. It will however ask for administrative rights if the user tries to add the printer by installing the software that came with it (CD or downloaded driver "setup.exe" usually require admin rights) or by adding a driver manually. The user would then need to manually choose an already existing driver without using the CD/Setup-program.

    To confirm that I tried 2 different approaches:

    1 - Went to "Devices and Printers". Right-clicked and clicked "Add a printer". Chose "Add a Local Printer". Chose an already existing port. Chose an already existing driver. Worked, no prompt.

    2 - Went to "Devices and printers". Right-clicked and clicked "Add a printer". Chose "Add a Local Printer". Chose to add a new TCP/IP port. Entered the IP-address. Chose the device type if needed. Chose an already existing driver. Worked, no prompt.

    If you need your users to be able to add their own print drivers you will have to use GPO to edit the Driver Installation policy. It is located here:

    Computer Configuration\Policies\Administrative Templates\System\Driver Installation

    The setting is called "Allow non-administrators to install drivers for these device setup classes". You will need to add the device class GUID of printers.
    The GUIDs can be found here: http://msdn.microsoft.com/en-us/library/ff553426(v=vs.85).aspx

    EDIT:

    I've updated this with some more information as this was getting a bit old and people probably tried the same with network printers (which does not work the same way).

    A few more steps are required for domain infrastructures where you add non-local printers:

    1. Configure Group Policy settings for "Point and Print" on BOTH computer and user settings (Vista previously only had user settings). The location of the settings can be found here in GPOs:
      Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions
      User Configuration\Policies\Administrative Templates\Control Panel\Printers\Point and Print Restrictions
    2. Point and Print settings will vary on what kind of restrictions you want, but if you want users to be able to install ANY printer, with ANY driver, from ANY server, set the Point and Print settings to "Disabled".
    3. There are also other Group Policy settings that are related to print services, but I won't list them here. They may or may not relate to your planned print infrastructure, so read through them properly and try them out in test labs if the above steps do not work for you.
    • Marked as answer by Sean Zhu -Moderator Friday, November 27, 2009 10:05 AM
    • Edited by rogergh Monday, March 14, 2011 9:24 AM Updated with more information
    Saturday, November 21, 2009 12:41 AM

All replies

  • Hi Werni

    • First, log on to the ADMIN account and set up parental controls: allow the standard users to use the programs of your wish, and block the programs which the standard user cannot use.
    • Set a password for the ADMIN account, which should be accessed only by Administrators.
    • Create standard user accounts that users can use; they can install the home printer's driver and use it in standard user accounts.

    Please click here for setting up parental controls.

    Hope it helps



    NIKHIL
    Friday, November 20, 2009 3:07 AM
  • Hi Nikhil,

    Well, sounds pretty interesting. But I thought the new option in Windows 7, which allows a user also to specify different default printers depending on which network he is on, could be used to select a home printer as default printer.
    Your solution is OK if the user is doing some private stuff at home. But my scenario would be just a regular laptop user, who uses his cached domain user account to log into the PC at home and who does some sort of work, and maybe he connects to the office by VPN or whatsoever.
    What I am looking for is therefore a solution which allows this user - to use his (cached) domain account, and to connect to a private printer at home - without putting him in the local admins group or power users group - because ideally he should not be able to install anything else than just a printer. - Is this just a dream?
    Friday, November 20, 2009 5:16 PM
  • thank you for this post! saved me a ton of time troubleshooting this symptom in my new windows 7 workstation farm.

    Thursday, February 11, 2010 9:58 PM
  • to get to the admin account.

    As long as there isn't a password on the admin account, he can just change his account to being an administrator.

    If that doesn't work, what does the in-house tech support have to say? They actually should be the first to talk to.
    Thursday, February 18, 2010 7:59 PM
  • Thank you!!!! This was so very helpful and your tip worked.....  :)
    Wednesday, July 21, 2010 3:19 AM
  • @rogergh:  The link you provided now comes up as "Content removed".  Is there a new link someone can provide?  This solution is exactly what I am looking for.
    Monday, August 23, 2010 6:14 PM
  • Updated link.

     

    http://msdn.microsoft.com/en-us/library/ff553426%28v=VS.85%29.aspx

    Tuesday, October 12, 2010 11:51 AM
  • Updated link.

     http://msdn.microsoft.com/en-us/library/ff553426%28v=VS.85%29.aspx

    @Steveclements:  Better late than never.  Thanks so much!
    Tuesday, October 12, 2010 12:15 PM
  • Very Useful - Thanks.
    Thursday, October 14, 2010 3:56 PM
  • This worked for me to get my students' laptops local printers installed.  The question is what option do we need to allow them to uninstall local printers?  I am using Windows 7 on Server 2008 domain.  Once the printer is installed they cannot uninstall it.  They are "users" on the machine.
    Monday, November 15, 2010 6:02 PM
  • That sounds great but you may be wrong in a couple ways.

    I have several network printers as my company is medium to large. Many of them are NOT "NOT" in the Windows driver database. I don't need to install special software from a CD as the drivers are provided by the server when you install it. I have many Windows XP users and all of them work fine when installing these printers. The problem exists when installing them on Windows 7. It gets 3/4 way thru installing the printer then asks for an admin account to finish. You said this is not by default that it will prompt. This is where I think you might need to test more. I have a Windows 2003 R2 domain controller. Nothing special was set up to not allow Win 7 users to install. So it is by default asking for a user and pass for installing a printer. This is also the case when installing a mouse or keyboard. Something in Windows XP that just worked is now in Windows 7 asking for an admin. I have added the setting this thread speaks of to the domain controller for adding the hardware GUIDs to the allowed list. I have also set the setting up for point and print settings. At this point I am at a loss. I want the user to be able to install printers but Win7 will not allow me to do this. I may have to roll back Win7 and go with XP until this is resolved. A PLAIN howto needs to be set up from Microsoft explaining how to allow this to happen. I can't just go changing group policies until I finally get the one that resolves the issue. We as well do not want to install printers using a GPO. We scale the different departments all the time which changes printers. This would be a nightmare to administer the printers thru a GPO to install them.

     

    One last thing to add. When I am logged onto the machine as domain admin I can install these printers. So I know the drivers exist on the server.

     

    It worked with XP wishing it worked on win7

    Wednesday, January 12, 2011 4:18 PM
  • That sounds great but you may be wrong in a couple ways.

    I have several network printers as my company is medium to large. Many of them are NOT "NOT" in the Windows driver database. I don't need to install special software from a CD as the drivers are provided by the server when you install it. I have many Windows XP users and all of them work fine when installing these printers. The problem exists when installing them on Windows 7. It gets 3/4 way thru installing the printer then asks for an admin account to finish. You said this is not by default that it will prompt. This is where I think you might need to test more. I have a Windows 2003 R2 domain controller. Nothing special was set up to not allow Win 7 users to install. So it is by default asking for a user and pass for installing a printer. This is also the case when installing a mouse or keyboard. Something in Windows XP that just worked is now in Windows 7 asking for an admin. I have added the setting this thread speaks of to the domain controller for adding the hardware GUIDs to the allowed list. I have also set the setting up for point and print settings. At this point I am at a loss. I want the user to be able to install printers but Win7 will not allow me to do this. I may have to roll back Win7 and go with XP until this is resolved. A PLAIN howto needs to be set up from Microsoft explaining how to allow this to happen. I can't just go changing group policies until I finally get the one that resolves the issue. We as well do not want to install printers using a GPO. We scale the different departments all the time which changes printers. This would be a nightmare to administer the printers thru a GPO to install them.

     

    It worked with XP wishing it worked on win7


    Completely agree, we need a document that actually works.  It is very frustrating trying to change settings on GPO and test and change and test, etc.  Does anyone know of a document out there that explains this better than the standard "here is where you put device IDs in the GPO"?
    Find this post helpful? Does this post answer your question? Be sure to mark it appropriately to help others find answers to their searches.
    Wednesday, January 12, 2011 4:25 PM
  • Going to try this as a possible solution to this age old mobile user support question. - Thanks, Neutrino Bob.
    Friday, February 04, 2011 9:34 PM
  • Hi,

    The original answer was regarding standard users installing local printers. I have updated my original post with a few more steps that are needed to allow standard users to install network printers (from servers).

    Monday, March 14, 2011 9:33 AM
  • I made the changes described in the solution and they don't seem to be functioning.  I added the GUIDs and set the Point and Print Restrictions to disabled under both user and computer policy settings.  We are trying to allow our users to install local printers.  This is on a domain.  Not quite sure where to go from here.  When adding the GUIDs to the policy do we need to have curly brackets around the GUID or not? 
    Friday, June 10, 2011 1:35 PM
  • I made the changes described in the solution and they don't seem to be functioning.  I added the GUIDs and set the Point and Print Restrictions to disabled under both user and computer policy settings.  We are trying to allow our users to install local printers.  This is on a domain.  Not quite sure where to go from here.  When adding the GUIDs to the policy do we need to have curly brackets around the GUID or not? 


    Yes, you include the brackets.  Here is my config and it works like a champ.  Note this will not allow users to install "Printer software" like the CD-Rom, but it will allow the printer driver even if not signed.

    Computer Configuration -> Policies -> Administrative Templates -> Printers

    - Add Printer wizard - Network scan page (Managed network) = Enabled
         Number of directory printers 200
         Number of TCP/IP printers 0
         Number of Web Services Printers 0
         Number of Bluetooth printers 0
         Number of shared printers 0

    - Point and Print Restrictions = Enabled
         Users can only point and print to these servers:    Disabled
         Enter fully qualified server names separated by semicolons    <blank> 
         Users can only point and print to machines in their forest    Disabled
         Security Prompts: 
         When installing drivers for a new connection:    Do not show warning or elevation prompt
         When updating drivers for an existing connection:    Do not show warning or elevation prompt
         This setting only applies to:      Windows Vista and later

    Computer Configuration -> Policies -> Administrative Templates -> System/Driver Installation

     

    - Allow non-administrators to install drivers for these device setup classes Enabled 
         Allow Users to install device drivers for these classes:
              {4D36E979-E325-11CE-BFC1-08002BE10318}
              {8FCEE422-B109-4758-9A6E-5BAB7B37996F}

     

    HOPE THIS HELPS!

     

     


    Friday, June 10, 2011 4:46 PM
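
Added example, not part of any post in this thread: a read-only PowerShell audit that reports which of the relaxations described in the accepted answer and in the configuration above are in effect on a machine. It assumes the registry locations these Group Policy settings are stored under (the PointAndPrint and DriverInstall\Restrictions policy keys); the function names are hypothetical.

```powershell
# Read-only audit of the printer-install policies discussed in this thread.
# Assumption: these are the registry locations the Group Policy settings write to.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$drv = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'

function Get-PolicyValue {                      # hypothetical helper
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-PrinterInstallPolicyReport {       # hypothetical name
    $findings = @()

    # "When installing drivers for a new connection: Do not show warning or elevation prompt"
    if ((Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall') -eq 1) {
        $findings += 'New connections: drivers install with no warning or elevation prompt'
    }
    # "When updating drivers for an existing connection": 2 = no warning or elevation prompt
    if ((Get-PolicyValue $pnp 'UpdatePromptSettings') -eq 2) {
        $findings += 'Driver updates: no warning or elevation prompt'
    }
    # Server restrictions only matter once the policy key itself is present.
    if (Test-Path $pnp) {
        if ((Get-PolicyValue $pnp 'TrustedServers') -ne 1) {
            $findings += 'Point and Print is not limited to a list of approved servers'
        }
        if ((Get-PolicyValue $pnp 'InForest') -ne 1) {
            $findings += 'Point and Print is not limited to machines in the forest'
        }
    }
    # "Allow non-administrators to install drivers for these device setup classes"
    $classKey = Join-Path $drv 'AllowUserDeviceClasses'
    if ((Get-PolicyValue $drv 'AllowUserDeviceClasses') -eq 1 -and (Test-Path $classKey)) {
        $key = Get-Item $classKey
        foreach ($name in $key.GetValueNames()) {
            $findings += "Non-administrators may install drivers of class $($key.GetValue($name))"
        }
    }
    if ($findings.Count -eq 0) { $findings += 'No relaxed printer-install policy found' }
    $findings
}

Get-PrinterInstallPolicyReport
```

Run it on a client after `gpupdate /force` to confirm what the GPO actually delivered to that machine.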
  • >>"Note this will not allow users to install "Printer software" like the CD-Rom, but it will allow the printer driver even if not signed."

    What options do IT Administrators have in this circumstance? (other than giving admin rights to users)

    For example when working in the field our mobile employees will plug in an HP LaserJet P1102w (or similar) yet won't be able to install without local admin rights.  This type of printer requires an HP Setup program to run in order for the printer to work.  Even as an administrator I am not able to just install manually and point to a driver.

    Tuesday, April 03, 2012 11:34 PM
  • Has anyone solved this problem?

    I did everything that was described, but unfortunately I'm unable to install a printer driver with an extended driver (from disk) :(

    Thursday, November 21, 2013 6:21 PM