mvdriel
asked on
Domain user cannot add printer
Hello everybody,
I've got the following problem which I am unable to solve:
I have attached a brother HL-1430 printer to my domain controller (win 2003 enterprise) and shared it accross the network (also published it in the active directory).
When on a client machine (using windows xp), I am (as an administrator) able to connect to this printer and use it.
When I log in to the client machine as a normal domain user and try to add the printer it says (translated, since I use a localized version of XP, so the original english text may differ):
You have insufficient access to your computer to make a connection with the selected printer.
I tried changing all kinds of group policy settings (clickandpoint to disabled, printdriver installation is allowed).
Any ideas?
Michel
I've got the following problem which I am unable to solve:
I have attached a brother HL-1430 printer to my domain controller (win 2003 enterprise) and shared it accross the network (also published it in the active directory).
When on a client machine (using windows xp), I am (as an administrator) able to connect to this printer and use it.
When I log in to the client machine as a normal domain user and try to add the printer it says (translated, since I use a localized version of XP, so the original english text may differ):
You have insufficient access to your computer to make a connection with the selected printer.
I tried changing all kinds of group policy settings (clickandpoint to disabled, printdriver installation is allowed).
Any ideas?
Michel
ASKER
I've tried most of the things mentioned above before but the settings are:
- Prevent Users from installing printers - disabled (was not configured)
- Print Browsing - enabled (was not configured)
- Disallow installation of printers using kernel-mode drivers - disabled (allready set)
- Prevent addition / deletion of printers - both disabled (allready set)
This didn't work
After this, I added the user to the local power users group.
Again, this didn't work.
- Prevent Users from installing printers - disabled (was not configured)
- Print Browsing - enabled (was not configured)
- Disallow installation of printers using kernel-mode drivers - disabled (allready set)
- Prevent addition / deletion of printers - both disabled (allready set)
This didn't work
After this, I added the user to the local power users group.
Again, this didn't work.
Ok, the local power users group has more than sufficient perms. Check the share permissions on the printer.
ASKER
I even added the user in question and gave it full rights to be sure that wasn't the problem...
Then it's a policy setting, either a confliciting policy between the local and domain, or a flat denial.
ASKER
ok... when i run gpresult, it says under usersettings (again translated):
The group policy is being run from: n/a...
but further on it says:
Applied group policies:
"GP Alle gebruikers" (which is the correct policy)
"Default domain policy"
Logged in as admin:
The group policy is being run from: server.domain
blabla
The group policy is being run from: n/a...
but further on it says:
Applied group policies:
"GP Alle gebruikers" (which is the correct policy)
"Default domain policy"
Logged in as admin:
The group policy is being run from: server.domain
blabla
Is it only this machine, or any other client machine?
Freakin policy issues are a nightmare.
Ummm, let's also ask, have you changed the basic defaults, like the everyone group, or anything else funny like that?
Freakin policy issues are a nightmare.
Ummm, let's also ask, have you changed the basic defaults, like the everyone group, or anything else funny like that?
ASKER
I'm going to try installing the printer on another computer, but no, I have not changed anything else in policies...
Let you know in a few minutes if there is a problem on the other pc as well.
Let you know in a few minutes if there is a problem on the other pc as well.
ASKER
It's a no-go
Same error on the other machine
It seems to be a policy problem
Same error on the other machine
It seems to be a policy problem
Well maybe. Look in the default printers adm template, but mine listed not configured.
Have you like removed the everyone from shares? It might be GPO, but I think it might be somewhere in your permission structure, if you have changed any of the defaults, or are using the special restricted groups.
Can you browse any shares on these boxes?
Also, try this; just for giggles, enable netbios over tcp.
Hmmm, have you checked your event logs for failure messages? This is seems to be a restriction on the share, or on the server sharing it.
Have you tightened any of the SMB aigning, or adjusted the NTLM handling?
Both of these have to do with general communication at the lower levels, and if these were adjusted, you might be able to browse shares, but not printers.
Can your user browse to the share and add it that way?
Hmmm... Shotgun technique. Point and *Click* simple.
Have you like removed the everyone from shares? It might be GPO, but I think it might be somewhere in your permission structure, if you have changed any of the defaults, or are using the special restricted groups.
Can you browse any shares on these boxes?
Also, try this; just for giggles, enable netbios over tcp.
Hmmm, have you checked your event logs for failure messages? This is seems to be a restriction on the share, or on the server sharing it.
Have you tightened any of the SMB aigning, or adjusted the NTLM handling?
Both of these have to do with general communication at the lower levels, and if these were adjusted, you might be able to browse shares, but not printers.
Can your user browse to the share and add it that way?
Hmmm... Shotgun technique. Point and *Click* simple.
ASKER
Well... my default template doesn't have anything configured inside it. I checked it to be sure...
I've now set the permissions to the printer so everybody has full access.
I can browse the server from my client and access all shares (which the user has access to), but I'm unable to point and click...
netbios over tcp was allready enabled
eventlog (and now it gets interesting):
on the server: no log regaring the printer
on the client: there is a logentry... stating that the drivers were succesfully installed... every time I tried to install the printer... It came as a warning in the "system log", ID 20.
I have not thightened SMB of adjusted NTLM
I've disabled my network wide firewall (but since I am able to add the printer as an administrator and the firewall doesn't "see" what kind of user I am this doesn't seem to be the problem)
I added the user to the local power users group on the second pc (i forgot this the first time)
So still... not able to add the printer.
I've now set the permissions to the printer so everybody has full access.
I can browse the server from my client and access all shares (which the user has access to), but I'm unable to point and click...
netbios over tcp was allready enabled
eventlog (and now it gets interesting):
on the server: no log regaring the printer
on the client: there is a logentry... stating that the drivers were succesfully installed... every time I tried to install the printer... It came as a warning in the "system log", ID 20.
I have not thightened SMB of adjusted NTLM
I've disabled my network wide firewall (but since I am able to add the printer as an administrator and the firewall doesn't "see" what kind of user I am this doesn't seem to be the problem)
I added the user to the local power users group on the second pc (i forgot this the first time)
So still... not able to add the printer.
ASKER
I tried the following:
denied the user any rights on the printer.
That way, when I am trying to install it on a client computer, it asks for a username and password that has rights to add the printer. I entered my admin account username and password.
The same error showed up.
I believe it is a policy problem, but is there any way to find out what policy is active and how a setting is defined? This way I can check if all settings are applied correctly to the client.
denied the user any rights on the printer.
That way, when I am trying to install it on a client computer, it asks for a username and password that has rights to add the printer. I entered my admin account username and password.
The same error showed up.
I believe it is a policy problem, but is there any way to find out what policy is active and how a setting is defined? This way I can check if all settings are applied correctly to the client.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
When reviewing the RSOP output I noticed that not all settings from the GP were transferred to the client.
I changed the default domain policy to reflect the OU-group policy at those settings.
After rebooting the client I was able to add the printer as a power user.
I've got to try if I'm able to add the printer as a normal domain user, but at least I've solved my initial problem.
Thanks Casca1! Points for you...
I changed the default domain policy to reflect the OU-group policy at those settings.
After rebooting the client I was able to add the printer as a power user.
I've got to try if I'm able to add the printer as a normal domain user, but at least I've solved my initial problem.
Thanks Casca1! Points for you...
Cool! Glad I helped.
Computer Configuration\Windows Settings\Local Policies\Security Options
Prevent Users from Installing Printers
Computer Configuration\Windows Settings\Administrative Templates\Printers
Printer Browsing
Disallow installation of printers using kernel-mode drivers
Computer Configuration\User Configuration\Administrati
Prevent Addition of Printers
Prevent Deletion of Printers
If none of that applies, then try adding a user to the Local Power Users group and see if you still get the same errors.