• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1329
  • Last Modified:

Add local printer disabled for some users

Hi folks,

last 24 hours struggling around a stupid problem wit adding local printers on W2K Pro ws.

There is AD on W2K Server and users who log on W2K Pro workstations. Users are just standart DOMAIN USERS.

I need them to be able to add a LOCAL printer apart from network printer as there are some appz which can only print on LPT1: etc.

However all new users I add to AD can not add local printer by running Add a New Printer Wizard or even by using "rundll32 printui.dll,PrintUIEntry /if /b "AMD" /f "%windir%\inf\ntprint.inf" /r "lpt1:" /m "HP Laserjet 4000 Series PCL" /q".

The worst thing is that there are some computers where some older useres can add local printers and those users are also just DOMAIN USERS. :o(

I NEED TO KNOW WHY does it happen and WHERE CAN I ENABLE THE FEATURE to be allowed to add a local printer either on AD {by policy?} or on local machine. I am not allowed to give them administrator rights on either workstation or server and there is no way to add those users to local administrators by creating local profile either.

PLEASE HELP!

Petr
0
Pedro Keson
Asked:
Pedro Keson
  • 5
  • 4
  • 3
  • +3
1 Solution
 
VahikCommented:
right click the printer click properties / security permissions  then give appropriate permissions.


 then easiest way to install a printer that i know of is
double click my network places /click on the server then printer then it would ask if before u can use the printer
 it must be set up on ur computer    U click yes and the would automaticly download the driver especially win2000 workstations.

  Good Luck
0
 
Pedro KesonIT specialistAuthor Commented:
Dear Vahik,

I am afraid, you didnt get my point well. I have difficulties with adding LOCAL printers, not NETWORK Printers.

You can see that it is disabled, when you click on add a new printer and you get the screen with LOCAL/NETWOK selection, while the LOCAL is greyed out.

I believe it must be related to user rights, but there must also be some way how to do it as I said I have users, who CAN add those local printers on some workstations and on some not.

Any idea?

Petr
0
 
jvuzCommented:
The local administrator can add local printers to your computer. Make an local administrator account.
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
VahikCommented:
then in that case ivuz is right sorry  I Misunderstood the question.
0
 
VahikCommented:
but in order to install u have to log on to the local workstation not the domain then install the printer
0
 
Pedro KesonIT specialistAuthor Commented:
Dear friends,

thanks for all your nice tries. The problem is further away. I know that when I log on as an admin, I can do all those things, but I NEED THEM to be executed everytime users logs on, and it happens accross the whole country every day many times on hunderts of computers.

The only thing I am asking for is to find out, how can I enable the bloddy radio button - ADD A LOCAL PRINTER. Either through policy, login script, command or whatever WITHOUT GOING PHYSICALLY TO EACH COMPUTER and changing there something or running some local scripts as admin.

Also adding all those users to a admin group is not a way I can go as I wrote, I AM NOT ALLOWED to do s (not by system but by company policy).

TA

Petr
0
 
VahikCommented:
listen before u run ur foul mouth u dont understand what u asking  u want to set up a local printer not a domain printer. there is no magic button to install this the only way u could install a local printer is log on localy then add it.       I hope u find ur script.
0
 
Pedro KesonIT specialistAuthor Commented:
Dear Vahik,
I guess it is you who is starting loosing nerves here. If you look carefully on my question, you will se, that what I am asking you is this:

HOW TO ENABLE DOMAIN USER TO ADD A LOCAL PRINTER.

Is that not clear enough? If you thing that I am idiot, you do not have to answer.

What I experienced is this. SOME USERS CAN DO THAT (yes, domain users logged to the domain) and some not. Even those who can do it on one computer can not do it on another.  Also, when I am Domain admin user, I can do that on my computer as well, so IT HAS SOMETHING TO DO WITH RIGHTS.

I believe, that if it can be done ONCE, it must be possible to do it ANYTIME and that is all I am trying to figure out.

Please do not respond with invectives, just on topic answers.

Thanks
0
 
trywaredkCommented:
I Don't know, but try this LOCAL policy:

1. Download regmon from http://www.sysinternals.com/ntw2k/source/regmon.shtml

2. Start / Run / GPEDIT.MSC
3. Choose Computer Configuration
4. Choose Windows Settings
5. Choose Local Policies
6. Choose User Rights Assignment
7. Choose Load an unload device drivers

8. Start Regmon

9. Add Domain Users to Load an unload device drivers

10. Stop Regmon

11. In Regmon find out what's added to registry
12. Start / Run / Regedit
13. Goto found key (number 11)
14. Choose Registry / Export file PRINTERRIGHTS.REG

Add the following to your logonscript:
--------------------------------------------
%systemroot%\system32\regedit.exe -s PRINTERRIGHTS.REG
--------------------------------------------



BTW - "I AM NOT ALLOWED to do s (not by system but by company policy)."

KEEP THAT DECISION - PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/hers own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open


0
 
james_buddellCommented:
Hi,

Doesn't add too much in the way of a solution, but may help explain...

http://support.microsoft.com/default.aspx?scid=kb;en-us;297780

Cheers,
James
0
 
cempashaCommented:
This question is still open and getting old. If any of the comment(s) above helped you please accept it as an answer or split the points who ever helped you in this question. Your attention in finalising this question is very much appreciated. Thanks in advance,

****** PLEASE DO NOT ACCEPT THIS AS AN ANSWER ********

- If you would like to close this question and have your points refunded, please post a question in community support area on http://www.experts-exchange.com/Community_Support/ giving the address of this question. Thank you      

Pasha

Cleanup Volunteer


0
 
jvuzCommented:
keson, is your problem solved?
0
 
Pedro KesonIT specialistAuthor Commented:
Guys,

although I was not planning to give anyone points as there actually is NO sollution, I decided to give them to trywaredk  as he wes actually trying to help ulike some who just scream.

Thanks for your patience, I lost my account details and this thread link untill jvuz wrote me :o)

Thanks again!
0
 
trywaredkCommented:
0
 
Pedro KesonIT specialistAuthor Commented:
Trywaredk,

not possible. There is 4500 users in the network and they are not "allowed" to be anything else except power users.

The only think which worries me much is a fact, that "some" users have those rights and some not (5:95) without an obvious reason. I am creating most users by copying the other ones and even then it is not a rule that someone has the right ands someone not. Computers are almost identical - clonned :o(

Anyway I do it other way, I created some fixed local printers with different fixed drivers and I do map netwok resources to those local printers (connected on LPTs). Not 100% nice, buit works.

Thanks
0
 
trywaredkCommented:
:o) Thank you for the points
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 5
  • 4
  • 3
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now