We help IT Professionals succeed at work.

power users need printer drivers

teknowil
teknowil asked
on
3,091 Views
Last Modified: 2007-12-19
I am running win2k computers  I need powerusers or domain user to install local  printers. I have set options in security template in user rights management to enable Power users to load/unload drivers and set  security rights to allow users to install print drivers. I have made sure power users have rights to the c drive. They still do not have access, local printers option is available but it says I need to be administrator or it will get to the end and say "access denied" when I click finish. My starfish seem to find a new printer everyday and I spend 50% of my time LOADING FREAKING PRINTER DRIVERS! any assistance would be appreciated
Comment
Watch Question

Kyle SchroederEndpoint Engineer
CERTIFIED EXPERT

Commented:
Do the users have rights to write to c:\winnt\system32\spool\drivers\* ?

-dog*
I assume you double checked that your policies work (the effective settings within the Local Group Policy).

If you have a security issue here on either the file system or within the registry I suggest working with the two sysinternals tools file monitor and registry monitor.
(visit www.sysinternals.com and download these great tools).

Run one tool after the other (uses a lot resources!), try to install your printer, stop the monitoring process and search the results for access denied messages.
I know it records a huge amount of data but the inquiry is worth it.

Let me know your results ...

Commented:
Power users do not exist as a domain security group. If you wanted to achieve something like this you woud need to create a domain group, and pace them in the local power users group on every computer, then simply add people to that group and they can install printers. Power users can install programs and printers but ony on local computers.

does anyone have a script for adding domain groups to local groups to help him achieve this?

add domain users to the power users group on individual workstations.

Author

Commented:
ok I will clarify a little more. My local power users cannot load printer drivers. I even have that disabled in my security template along with allow users to load unload drivers.
I've run into the same issue on XP. According to KB article 326473, power users can only install printers (with the rights you described) through the add printer wizard. No plug and play. Also, they cannot install any other devices even if they have load driver rights. It has to do with the workstation ACL: only administrators can make permanent changes. I haven't found the solution yet, and I'm not sure if it's applicable to 2000.
the bottom line in xp and 2000 is that local admins can only install software.... MS leaves it up to domain level restrictions for you to restrict your users.... I give all my users local admin rights and then set up GPOs at the domain level to set up security,,, that way i set security in one place,, the DC,,, not by going to each of my 1000 workstations.

Author

Commented:
Ok, maybe I am not clear, for get I said anything about domains, yes I knew about adding domain users to power users locally....if they cant install them as power users to begin with How in the hell is adding domain users to the power users group going to fix it. Like I said before right now the computers are not hooked to a domain. I figure the registry was messed with and there probably is an option that doesnt show up in security templates, becuase I did a fresh install and applied my template and powersusers could install printers. I will award points to the one who knows where in the registry printer restrictions maybe that dont show up on security templates.
if you read my post,, i didnt say add them to power users,,, i said you have to add them to local admin group.... you HAVE to be in local admin group to install some software
I believe you can do this from your desk with rundll32 printui.dll,PrintUIEntry /o /n\\machine\printer

http://techsupt.winbatch.com/TS/T000001031F17.html
Maybe you mentioned it somewhere and I read over it .... where is the printer physically located? Do your users have permissions to connect to that printer/computer? Maybe you ought to authenticate first ...

Author

Commented:
ok I want everyone to forget I said anything about domains. LOCAL PRINTER, LOCAL USER,  I suspect its a reg key that isnt edited in security templates. I did remedy the problem with a fresh install using my usual security templates and power users can install local printers....but on the affected ones i can put any template i want and they still cant install printers.
did you check with ww.sysinternal.com's tool regmon? You should be able to  isolate the registry keys with that one.
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
when you say affected ones what do you mean?? what is different on these machines from the other ones.

Author

Commented:
chicagoan got it spot on. the moral of the story is .....dont let someone else help you image your computers. They really didnt do us a favor at all.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.