Domain user cannot add printer

Hello everybody,
I've got the following problem which I am unable to solve:
I have attached a brother HL-1430 printer to my domain controller (win 2003 enterprise) and shared it accross the network (also published it in the active directory).
When on a client machine (using windows xp), I am (as an administrator) able to connect to this printer and use it.
When I log in to the client machine as a normal domain user and try to add the printer it says (translated, since I use a localized version of XP, so the original english text may differ):
You have insufficient access to your computer to make a connection with the selected printer.
I tried changing all kinds of group policy settings (clickandpoint to disabled, printdriver installation is allowed).

Any ideas?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

In Active Directorys GPO for your Users OU check the following:

Computer Configuration\Windows Settings\Local Policies\Security Options

Prevent Users from Installing Printers

Computer Configuration\Windows Settings\Administrative Templates\Printers

Printer Browsing
Disallow installation of printers using kernel-mode drivers

Computer Configuration\User Configuration\Administrative templates\Control Panel\Printers

Prevent Addition of Printers
Prevent Deletion of Printers

If none of that applies, then try adding a user to the Local Power Users group and see if you still get the same errors.
mvdrielAuthor Commented:
I've tried most of the things mentioned above before but the settings are:
- Prevent Users from installing printers - disabled (was not configured)
- Print Browsing - enabled (was not configured)
- Disallow installation of printers using kernel-mode drivers - disabled (allready set)
- Prevent addition / deletion of printers - both disabled (allready set)

This didn't work

After this, I added the user to the local power users group.

Again, this didn't work.
Ok, the local power users group has more than sufficient perms. Check the share permissions on the printer.
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

mvdrielAuthor Commented:
I even added the user in question and gave it full rights to be sure that wasn't the problem...
Then it's a policy setting, either a confliciting policy between the local and domain, or a flat denial.
mvdrielAuthor Commented:
ok... when i run gpresult, it says under usersettings (again translated):
The group policy is being run from: n/a...
but further on it says:
Applied group policies:
"GP Alle gebruikers" (which is the correct policy)
"Default domain policy"

Logged in as admin:
The group policy is being run from: server.domain

Is it only this machine, or any other client machine?
Freakin policy issues are a nightmare.
Ummm, let's also ask, have you changed the basic defaults, like the everyone group, or anything else funny like that?
mvdrielAuthor Commented:
I'm going to try installing the printer on another computer, but no, I have not changed anything else in policies...
Let you know in a few minutes if there is a problem on the other pc as well.
mvdrielAuthor Commented:
It's a no-go
Same error on the other machine
It seems to be a policy problem
Well maybe. Look in the default printers adm template, but mine listed not configured.
Have you like removed the everyone from shares? It might be GPO, but I think it might be somewhere in your permission structure, if you have changed any of the defaults, or are using the special restricted groups.
Can you browse any shares on these boxes?
Also, try this; just for giggles, enable netbios over tcp.
Hmmm, have you checked your event logs for failure messages? This is seems to be a restriction on the share, or on the server sharing it.
Have you tightened any of the SMB aigning, or adjusted the NTLM handling?
Both of these have to do with general communication at the lower levels, and if these were adjusted, you might be able to browse shares, but not printers.
Can your user browse to the share and add it that way?
Hmmm... Shotgun technique. Point and *Click* simple.
mvdrielAuthor Commented:
Well... my default template doesn't have anything configured inside it. I checked it to be sure...
I've now set the permissions to the printer so everybody has full access.
I can browse the server from my client and access all shares (which the user has access to), but I'm unable to point and click...
netbios over tcp was allready enabled
eventlog (and now it gets interesting):
on the server: no log regaring the printer
on the client: there is a logentry... stating that the drivers were succesfully installed... every time I tried to install the printer... It came as a warning in the "system log", ID 20.
I have not thightened SMB of adjusted NTLM
I've disabled my network wide firewall (but since I am able to add the printer as an administrator and the firewall doesn't "see" what kind of user I am this doesn't seem to be the problem)
I added the user to the local power users group on the second pc (i forgot this the first time)

So still... not able to add the printer.
mvdrielAuthor Commented:
I tried the following:
denied the user any rights on the printer.
That way, when I am trying to install it on a client computer, it asks for a username and password that has rights to add the printer. I entered my admin account username and password.
The same error showed up.
I believe it is a policy problem, but is there any way to find out what policy is active and how a setting is defined? This way I can check if all settings are applied correctly to the client.
Yeah, RSOP, or resultant set of policies.
Here's one toold for 2000:
Here's another describing RSOP:
And here's the MS guide to it:;en-us;323276
Hope this get's ya where you need to be!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mvdrielAuthor Commented:
When reviewing the RSOP output I noticed that not all settings from the GP were transferred to the client.
I changed the default domain policy to reflect the OU-group policy at those settings.
After rebooting the client I was able to add the printer as a power user.
I've got to try if I'm able to add the printer as a normal domain user, but at least I've solved my initial problem.
Thanks Casca1! Points for you...
Cool! Glad I helped.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.