This is a common requirement where IT administrators face the ultimate challenge. How do you lock down a workstation but open up certain functions to make them practical? For instance, the most common requirement is to give users the right to install Local Printers for a mobile workforce (roaming or "road warriors") without opening up the whole domain PC/laptop to full administrative access for that user.
Let's face it: If it were up to us, we wouldn't even let our users power the darn things on! But, since we all have jobs to do, including our users, this guide will enable you to deploy a group policy to an organisation unit that will enable the (selected) domain users within that unit to install local printers. (Say, they have a beautiful HP inkjet at home they wish to use, or that laserjet in their remote office they travel to.)
This guide is also suitable for enabling programs that require the creation of a Printer Driver during operation, such as Adobe Acrobat Standard/Professional and Pegasus Opera II Enterprise client (for example). In fact, this guide was written specifically to solve the problem for the latter!
- Create a Domain Security Group of the desired Domain Users who will be given rights to install the printers e.g. “Printer Users”; add all desired members to this group.
- Optionally, create a Domain Security Group "Printer Computers" with desired machines/computers as members on which you want to allow printers to be installed. By default, when you assign a Group Policy to an Organisation Unit, all machines in that unit are affected. This security group will allow further filtering by only affecting the desired machines within that unit. This is a much more effective way to ensure that the users don't have full printer rights across the whole organisation.
Never modify the default domain policy. Always create organisational units and never include domain admins or server computers in these units. For these instructions we have created an Organisation Unit (OU) called “test”.
- Create an Organisational Unit in Active Directory for all of the machines (computers/laptops) on which desired users can install the printers, e.g. “Test OU”. You can use an existing OU but see the note above; Guru Guy recommends creating a test OU for small deployment, specifically where the modification of user rights is concerned.
- Place a test PC or two into this OU so that only a couple of computers are affected (once complete and tested, move the rest into this or apply the policy to your existing OU - again, see the note above).
- Install the Group Policy Management Tool (GPMT) to allow advanced modification and creation of domain Group Policies.
So, you should have:
- Printer Users (of all desired domain users e.g. Polly Edwards, Diane Lane etc.)
- Printer Computers (of all desired machines as members to which your users can install printers)
- Test Organisational Unit to deploy the Group Policy into the desired computer group, with a test workstation computer moved into the OU in Active Directory
- Group Policy Management Tool installed
Assuming you’ve followed the pre-requisites above, continue as follows for deployment:
- Open up the Group Policy Management Tool
- Navigate to your TEST OU that should be located underneath the domain policy.
- Create and Link a new Group Policy Object (GPO) to the Organisation Unit and call it “Power Users”. This GPO will elevate the users to a level that can install printers even if they are standard (restricted) domain users of that workstation/laptop and are NOT a member of the local machine Administrators group. This policy will inherently allow users general “Power User” privileges such as modifying the system time and date. This GPO will apply to all users of the PCs/Laptops in that Organisation Unit and to any members of the “Printer Users” group logging onto those PCs. For full information about the Power User group privileges, consult the Windows XP documentation.
- In the New GPO, navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
- Under “Load and Unload Device Drivers” edit the properties.
- Tick “Define these policy settings” and add the Printer Users Group in Domain\Group format, e.g. “GURUGUY\Printer Users”. Also, be sure to add "Administrator" and "Administrators" to the list. This keeps full access for the local admins on each PC: once the policy setting is defined, the list you enter replaces the local one, so without adding these two you essentially remove the privilege from the Administrators! Once done, click OK to close the policy.
- Navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
- Under the policy “Devices: Prevent Users from installing printer drivers” define the policy to be “Disabled”.
- Navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups
This section enables modification of the laptop/computer local user groups. What we need to do here is allow the desired "printer users" to be members of the “Power Users” group on that local PC. Warning: Modification of "Restricted Groups" is very powerful and complex. NEVER modify this policy if it affects Domain Admins, Servers, Domain Controllers etc. This policy should only apply to a handful of desired workstation machines. For more information consult the Microsoft Knowledgebase on Restricted Groups.
Right-Click “Restricted Groups” and click “Add Group” and name it “Power Users”. Make sure it is a group name that does NOT exist in the domain active directory so the policy is not misinterpreted.
- In “Members of this Group” section, add DOMAIN\GROUP e.g. "GURUGUY\Printer Users”
- In the “This group is a member of” section, add and type: “Power Users”. Click OK to close that window.
- Navigate to Computer Configuration\Administrative Templates\Printers and modify the policy “Disallow installation of printers using Kernel-mode drivers” to Disabled
- Navigate to User Configuration\Administrative Templates\Control Panel\Printers and modify the policy “Point and Print Restrictions” to Disabled.
- Close the GPO and view the “scope” tab of the policy in the Group Policy Management Pane. Under Security Filtering add “Printer Users” and “Printer Computers”.
- Once users have been assigned to both security groups and a machine is moved from Active Directory “Computers” into your new Organisation Unit, log into a machine to test the policy.
- On a test workstation, go to Start -> Run and type “gpupdate /force”. This will refresh the group policy.
- Reboot the computer, log in, and to confirm the Group Policy has taken effect, go to Control Panel -> Printers -> Add Printer. After the Wizard introduction, the "Local Printer" option should NOT be greyed out. (Normally it is, and only "Network Printer" is available.) If it is still greyed out, update Group Policy again after making sure the PC is in the Organisational Unit you created, the machine you are on is a member of the "Printer Computers" group, and the user you are logged in as is a member of the DOMAIN\Printer Users group.
- Congratulations, you've now enabled your desired users to install printers on your desired PCs!
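The following script is an added example, not part of the original guide, that performs the scriptable parts of the procedure above with the ActiveDirectory and GroupPolicy RSAT modules (which assumes a Windows Server 2008 R2 or later management machine rather than the XP-era tools the guide uses). It creates the two security groups and the test OU, moves one test workstation in, creates and links the “Power Users” GPO, sets the two Administrative Template policies, and applies the security filtering. The computer name TEST-PC01 is an assumption. The User Rights Assignment, Security Option and Restricted Groups steps have no cmdlet and are still done in the GPMC editor as described; the script ends with the check a practitioner wants before linking the policy more widely, namely that Administrators survived the "Load and Unload Device Drivers" edit.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain        = Get-ADDomain
$ouName        = 'Test OU'
$ouDn          = "OU=$ouName,$($domain.DistinguishedName)"
$gpoName       = 'Power Users'
$userGroup     = 'Printer Users'
$computerGroup = 'Printer Computers'
$testComputer  = 'TEST-PC01'   # assumed name of the test workstation

# Prerequisites: the two domain security groups and the test OU (idempotent).
foreach ($g in $userGroup, $computerGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# Move one test PC out of the default Computers container into the OU and
# make it a member of Printer Computers so security filtering will match it.
$pc = Get-ADComputer $testComputer
if ($pc.DistinguishedName -notlike "*,$ouDn") {
    Move-ADObject -Identity $pc.DistinguishedName -TargetPath $ouDn
}
Add-ADGroupMember -Identity $computerGroup -Members $pc

# Create the GPO and link it to the test OU only, never to the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -ErrorAction SilentlyContinue | Out-Null

# Administrative Template settings are registry-backed, so cmdlets can set them.
# Computer: "Disallow installation of printers using kernel-mode drivers" -> Disabled
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\Printers' `
    -ValueName 'KMPrintersAreBlocked' -Type DWord -Value 0 | Out-Null
# User: "Point and Print Restrictions" -> Disabled
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint' `
    -ValueName 'Restricted' -Type DWord -Value 0 | Out-Null

# Security filtering: drop the default Authenticated Users entry and grant Apply
# to the two groups, so only listed users on listed computers receive the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null
foreach ($g in $userGroup, $computerGroup) {
    Set-GPPermission -Name $gpoName -TargetName $g `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Check after the GPMC editor work: "Define these policy settings" replaces the
# local list, so SeLoadDriverPrivilege must still name Administrators.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$loadDriver  = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
               Where-Object { $_.Name -eq 'SeLoadDriverPrivilege' }
$members     = @($loadDriver.Member.Name)
if (-not $loadDriver) {
    Write-Warning 'SeLoadDriverPrivilege is not defined yet: do the User Rights Assignment step in the editor.'
} elseif (-not ($members -like '*Administrators')) {
    Write-Warning "SeLoadDriverPrivilege lists only [$($members -join ', ')]: Administrators have been stripped."
} else {
    Write-Output "SeLoadDriverPrivilege: $($members -join ', ')"
}
```

Run it once as a domain administrator; every step is safe to re-run. Removing Authenticated Users from the filter is what the guide's Scope tab edit does; the computer account still reads the GPO because Printer Computers has Apply (which includes Read), so both halves of the filter must be in place before the policy can reach a machine.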
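As a second added example (again not from the original guide), this is the check to run on the test workstation, logged in as a Printer Users member after the gpupdate and reboot in the steps above. It tests each of the conditions the guide tells you to confirm when "Local Printer" stays greyed out: the GPO was actually applied, the driver-load right is in the user's token, the domain group landed in the local Power Users group, and the two printer policy values reached the registry. The GPO name and domain group name are those used in the guide.

```powershell
$gpoName   = 'Power Users'
$userGroup = 'Printer Users'
$failures  = @()

# 1. Was the GPO applied to this computer at all?
$applied = gpresult /r /scope:computer 2>&1 | Select-String -SimpleMatch $gpoName
if (-not $applied) { $failures += "GPO '$gpoName' not listed by gpresult: is the PC in the OU and in Printer Computers?" }

# 2. Does the logged-on user's token carry the driver-load right?
$privs = whoami /priv
if (-not ($privs | Select-String 'SeLoadDriverPrivilege')) { $failures += 'SeLoadDriverPrivilege missing from the token: check Printer Users membership and re-logon.' }

# 3. Did Restricted Groups put the domain group into the local Power Users group?
$members = net localgroup 'Power Users' 2>&1
if (-not ($members | Select-String -SimpleMatch $userGroup)) { $failures += "Local Power Users does not contain $userGroup." }

# 4. Did the two Administrative Template values arrive (both must be 0 = Disabled)?
$km = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers' -ErrorAction SilentlyContinue
if ($km.KMPrintersAreBlocked -ne 0) { $failures += 'KMPrintersAreBlocked is not 0.' }
$pp = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -ErrorAction SilentlyContinue
if ($pp.Restricted -ne 0) { $failures += 'Point and Print Restricted is not 0.' }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All printer-policy checks passed: Add Printer should now offer Local Printer.' }
```

If only check 1 fails, the machine has not yet picked up the policy; run gpupdate /force and reboot before rechecking. If check 1 passes but 2 or 3 fail, the problem is the user side of the filter (group membership or a token issued before the change), not the GPO link.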