gabrielaz
asked on
Add printer locally greyed out
Hi experts,
We are planning to upgrade from windows 2000 pro to xp pro. I have created a test image and i have imaged a user using it. after i imaged a machine i went to readd the printers and local printer option is greyed out. i can add the network printer but not the local ones so i cant add the IP printers either. i was able to do logged in as administrator but couldnt using as the user. In windows 2k we allow users to do this and we havent changed any polocies. anyone have any ideas(:0>?
We are planning to upgrade from windows 2000 pro to xp pro. I have created a test image and i have imaged a user using it. after i imaged a machine i went to readd the printers and local printer option is greyed out. i can add the network printer but not the local ones so i cant add the IP printers either. i was able to do logged in as administrator but couldnt using as the user. In windows 2k we allow users to do this and we havent changed any polocies. anyone have any ideas(:0>?
mikeleebrla
you have to be a member of the local administrator group in order to add/remove printers. regular users can't do this. while logged in as a local administrator go to control panel>users>advanced tab>advanced to open the MMC snap in. Then go to groups, administrators and add your users to this group. If they aren't administrators, they can't "administer" the computer,,, its that simple.
It's local administrative permissions.
Q: Why is the option to add a Local Printer grayed out on Windows XP?
A: If you're trying to add a Local printer and the radio button is grayed out, chances are you are logged in to Windows XP via a Limited User account.
By default a Limited User account cannot add a local printer in Windows XP. Only an Administrator can add a local printer. It is recommended that you switch you an Administrator account, if possible, to install the local printer or contact your system administrator or the Computing Help Desk for assistance.
Taken as a backup from: http://itinfo.mit.edu/answer?id=1137
I think there may be a way to edit the registry as the administrator and put in permission to allow the user to add a printer.
If you add and set up a Plug-and-Play printer (for example, USB, IEEE 1394, LPT, or Infrared), you do not need to have administrative privileges. However, to add and set up a non Plug-and-Play printer connected directly to your computer, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.
You must be logged on as an administrator or as a member of the Administrators group in order to install a device using the Add/Remove Hardware wizard in Control Panel. If your computer is connected to a network, network policy settings may also prevent you from installing hardware. If an administrator has already loaded the drivers for a device, you can install the device without administrator privileges.
You may require administrative privileges to add and set up a Plug-and-Play device. You need administrative privileges if installing the device requires a user interface or if you experience errors during the installation process. To add and set up a non Plug-and-Play device connected directly to your computer, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure. If an administrator has already loaded the drivers for the device, you can install the device without administrator privileges
These are probably local permissions but can be overridden by domain GPO's
The two settings you may want to check are:
Local Policies -> Security Options -> Prevent users from installing printer drivers
Local Policies -> User Rights Assignment -> Load and unload device drivers
Q: Why is the option to add a Local Printer grayed out on Windows XP?
A: If you're trying to add a Local printer and the radio button is grayed out, chances are you are logged in to Windows XP via a Limited User account.
By default a Limited User account cannot add a local printer in Windows XP. Only an Administrator can add a local printer. It is recommended that you switch you an Administrator account, if possible, to install the local printer or contact your system administrator or the Computing Help Desk for assistance.
Taken as a backup from: http://itinfo.mit.edu/answer?id=1137
I think there may be a way to edit the registry as the administrator and put in permission to allow the user to add a printer.
If you add and set up a Plug-and-Play printer (for example, USB, IEEE 1394, LPT, or Infrared), you do not need to have administrative privileges. However, to add and set up a non Plug-and-Play printer connected directly to your computer, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.
You must be logged on as an administrator or as a member of the Administrators group in order to install a device using the Add/Remove Hardware wizard in Control Panel. If your computer is connected to a network, network policy settings may also prevent you from installing hardware. If an administrator has already loaded the drivers for a device, you can install the device without administrator privileges.
You may require administrative privileges to add and set up a Plug-and-Play device. You need administrative privileges if installing the device requires a user interface or if you experience errors during the installation process. To add and set up a non Plug-and-Play device connected directly to your computer, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure. If an administrator has already loaded the drivers for the device, you can install the device without administrator privileges
These are probably local permissions but can be overridden by domain GPO's
The two settings you may want to check are:
Local Policies -> Security Options -> Prevent users from installing printer drivers
Local Policies -> User Rights Assignment -> Load and unload device drivers
ASKER
is this an xp thing. users where able to do this in windwos 2k as power users and on xp they are power user. Also they are able to add the network printers....
The Prevent Users from Installing Printer Drivers I believe is disabled at first unless there is a noted domain policy overriding this.
Your main issue may come from User Rights Assignments -> Load and Unload Device Drivers. You would have to add the Usernames account or Domain users into this group.
Other than that there seems to be no other logical and/or security safe way of making this happen other than adding them to the local administrators or powerusers groups.
Your main issue may come from User Rights Assignments -> Load and Unload Device Drivers. You would have to add the Usernames account or Domain users into this group.
Other than that there seems to be no other logical and/or security safe way of making this happen other than adding them to the local administrators or powerusers groups.
ASKER
The users are part of the power users group
adding network printers and adding local printers are two totally different things
when you "add" a networked printer you are just CONNECTING to a shared printer that already exists, you aren't actually installing/creating anything new in your AD. In fact it will only show up for the local users profile,, not all profiles on that PC.
when you "add" a local printer you are installing drivers on the local machine and adding a new AD object, which is why only administrators can do this since this is an administrative task. Local printers will show up for all profiles/users of that PC. Anything that effects more than one user is an administrative task.
when you "add" a networked printer you are just CONNECTING to a shared printer that already exists, you aren't actually installing/creating anything new in your AD. In fact it will only show up for the local users profile,, not all profiles on that PC.
when you "add" a local printer you are installing drivers on the local machine and adding a new AD object, which is why only administrators can do this since this is an administrative task. Local printers will show up for all profiles/users of that PC. Anything that effects more than one user is an administrative task.
Then check the Local Security Policy as that may be preventing you. The only thing by default under User Rights Assignments -> Load and Unload Device Drivers is the administrator account. My feeling is that's what's hosing you if they are already power users.
ASKER
So i would have to log the user on and off to add an ip printer. we also map to our printers \\server\printer and then create a local port and point it to the port so that all users who log in will have access to the shared printer. there has to be a fix around this because our user are part of the local power user group.
ASKER
Hi gerdawg ,
thats an idea.. on the local machine? whrer exactly is the chagne?
thats an idea.. on the local machine? whrer exactly is the chagne?
It's not just Local Power Users Group. It's the GPO or LOCAL POLICY rights to to LOAD AND UNLOAD DEVICE DRIVERS.
Networked or none, you may have to add device drivers for thouse printers.
This is probably what's preventing you from getting this to work.
Add in the Domain Users or USER account to that Local Policy.
Go to start, Run, type gpupdate.
Reboot, see if you can install it now.
Networked or none, you may have to add device drivers for thouse printers.
This is probably what's preventing you from getting this to work.
Add in the Domain Users or USER account to that Local Policy.
Go to start, Run, type gpupdate.
Reboot, see if you can install it now.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Again do the GPUPDATE command, reboot and see if your ready to go.
ASKER
Hey Gerdawg
What else does this open up by adding power users to load an unload device drivers. through group policies we dont let them install software or hardware besides printes will i still be okay?
What else does this open up by adding power users to load an unload device drivers. through group policies we dont let them install software or hardware besides printes will i still be okay?
In regards to this statement
we also map to our printers \\server\printer and then create a local port and point it to the port so that all users who log in will have access to the shared printer. there has to be a fix around this because our user are part of the local power user group.
______________
Any easier way to accomplish this is NOT to make a local printer on the client.
Browse over to \\server\
Find the printer your looking for Right click it and hit Connect.
If the correct drivers are installed on the server for a WINDOWS XP client, you should be able to print from now on to that printer.
This is a better way of accomplishing that task for "networked" printer because if you change a setting and/or a printer driver you won't have to run around to each client workstation and update the driver. All you will have to do it update the driver at the printer and it will update the client automatically the next time they try to print from that "networked" printer.
we also map to our printers \\server\printer and then create a local port and point it to the port so that all users who log in will have access to the shared printer. there has to be a fix around this because our user are part of the local power user group.
______________
Any easier way to accomplish this is NOT to make a local printer on the client.
Browse over to \\server\
Find the printer your looking for Right click it and hit Connect.
If the correct drivers are installed on the server for a WINDOWS XP client, you should be able to print from now on to that printer.
This is a better way of accomplishing that task for "networked" printer because if you change a setting and/or a printer driver you won't have to run around to each client workstation and update the driver. All you will have to do it update the driver at the printer and it will update the client automatically the next time they try to print from that "networked" printer.
You won't be ok. It will allow them to install ANY device driver. There is no way around this other than to login as an ADMIN and add the printer locally. Again read the above comments I have concerns that what your trying to do is in effect not the "best" way off accomplishing your goals.
The best way to accomplish your goals is to use the server as a print server by using the servers connection to the printer to install a User profiled printer on the client.
The best way to accomplish your goals is to use the server as a print server by using the servers connection to the printer to install a User profiled printer on the client.
P.S. using the ADD Devices will not allow software to be installed, but it will allow drivers to be installed. I felt I needed to clarify that statement to be more specific in my response.
ASKER
Hey thats a cool way of adding printers will it work for every profile on the machine for instance if i do it and if i log off wil another user see that printer?
NO the user will not.
You may want to try add this to a batch file for all users logging in:
net use lpt1: \\servername\printershare
that will run the batch file for each user loggin in and give them access. I'm not sure if this uses a DEVICE permission or not. It's worth a try I do believe it may just work as this is for a per "USER" profile and not a global addition.
As well it's DOS compatible so you can "NETWORK PRINT" your DOS applications if your still using any.
You may want to try add this to a batch file for all users logging in:
net use lpt1: \\servername\printershare
that will run the batch file for each user loggin in and give them access. I'm not sure if this uses a DEVICE permission or not. It's worth a try I do believe it may just work as this is for a per "USER" profile and not a global addition.
As well it's DOS compatible so you can "NETWORK PRINT" your DOS applications if your still using any.
ASKER
i guess what im trying to say is if a user get s a scanner and plug it in with usb it will detect it but it will not let them install the software right? but if it was allready installed and they wanted to update the driver they could?
you can do that on a domain through AD USERS and COMPUTER and modify an existing batch file.
OR you can do this via a local batch file saved to C:\ and have it called up in registry with a DWORD key under the
\HKEY_LOCAL_MACHINE\SOFTWA
OR you can do this via a local batch file saved to C:\ and have it called up in registry with a DWORD key under the
\HKEY_LOCAL_MACHINE\SOFTWA
i guess what im trying to say is if a user get s a scanner and plug it in with usb it will detect it but it will not let them install the software right? but if it was allready installed and they wanted to update the driver they could?
Yes by modifying device drivers under the local security policy it would ALLOW them to do that in this instance.
Yes by modifying device drivers under the local security policy it would ALLOW them to do that in this instance.
If you give the local users group “users” modify and write rights to the following folders: c:\windows\drivers and c:\windows\system32\spool and the full access to the following registry locations: HKCU\printers and HKLM\System\Current Control Set\Control\Print it works like a charm and users can add local or ipp printers from the web page again, yet it still prevents them from installing other software.
Frustrated... was hoping Tycho's suggestion would do it. For WinXP & 2K, this did not work (also, there is no c:\windows\drivers folder, it is c:\windows\system32\driver
The Add Local Printer option in the Add Printer Wizard was still grayed out. The MS documentation appears correct - that the user must BOTH be a member of Power Users AND have the right to Load and Unload Device drivers, in order to be able to add local printers?
Seems strange that we need to grant such a high level of access to our users just to add a local printer (I understand it is creating an AD object, but there must be a better way!).
Our issue is users go home w/ laptop and want to connect to their own printer. Aside from granting them Power User membership, the only solution we came up with is have them call the Helpdesk and we'll add the printer at that time (as an Admin). Very cumbersome.
An alternative we're considering is to create a script that is a desktop shortcut for the user that will launch the Add Printer wizard under alternate credentials (using CPAU.exe for example). Any thoughts on that?
The Add Local Printer option in the Add Printer Wizard was still grayed out. The MS documentation appears correct - that the user must BOTH be a member of Power Users AND have the right to Load and Unload Device drivers, in order to be able to add local printers?
Seems strange that we need to grant such a high level of access to our users just to add a local printer (I understand it is creating an AD object, but there must be a better way!).
Our issue is users go home w/ laptop and want to connect to their own printer. Aside from granting them Power User membership, the only solution we came up with is have them call the Helpdesk and we'll add the printer at that time (as an Admin). Very cumbersome.
An alternative we're considering is to create a script that is a desktop shortcut for the user that will launch the Add Printer wizard under alternate credentials (using CPAU.exe for example). Any thoughts on that?
Try the following in a batch file:
subinacl /service spooler /grant=users=F
subinacl /service spooler /grant="Power Users"=F
subinacl /service lexbces /grant=users=F
subinacl /service lexbces /grant="Power Users"=F
subinacl /subkeyreg \HKEY_CURRENT_USER\Printer
subinacl /subkeyreg \HKEY_CURRENT_USER\Printer
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_CURRENT_USER\Softwar
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\SOFTWA
subinacl /file c:\windows\system32\svchos
cacls c:\windows\system32\spool /e /g users:F
cacls c:\windows\system32\driver
cacls c:\windows\drivers /e /g users:F
cacls c:\windows\twain_32 /e /g users:F
cacls c:\temp /e /g users:F
cacls "c:\documents and settings\default user\application data\microsoft" /e /g users:F
cacls "c:\documents and settings\default user\templates" /e /g users:F
cacls "c:\documents and settings\all users\templates" /e /g users:F
subinacl /service spooler /grant=users=F
subinacl /service spooler /grant="Power Users"=F
subinacl /service lexbces /grant=users=F
subinacl /service lexbces /grant="Power Users"=F
subinacl /subkeyreg \HKEY_CURRENT_USER\Printer
subinacl /subkeyreg \HKEY_CURRENT_USER\Printer
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\System
subinacl /subkeyreg \HKEY_CURRENT_USER\Softwar
subinacl /subkeyreg \HKEY_LOCAL_MACHINE\SOFTWA
subinacl /file c:\windows\system32\svchos
cacls c:\windows\system32\spool /e /g users:F
cacls c:\windows\system32\driver
cacls c:\windows\drivers /e /g users:F
cacls c:\windows\twain_32 /e /g users:F
cacls c:\temp /e /g users:F
cacls "c:\documents and settings\default user\application data\microsoft" /e /g users:F
cacls "c:\documents and settings\default user\templates" /e /g users:F
cacls "c:\documents and settings\all users\templates" /e /g users:F