Printing Permissions Issue

Folks,

Here's the scenario: My users have Win2KPro on our domain. Users have non-admin privilege to their machines. Is there a way I can add the users to some sort of local group or something on their PC that will give them rights to add and remove printers without having Power User Admin rights? I believe under WinXP their's a local print operators group, but I don't see any way to do this on Win2K. Any suggestions?
Avi-SolomonAsked:
Who is Participating?
 
dmccurdy51Connect With a Mentor Commented:
I believe you want.
Local Security Policy     secpol.msc
   Local Policies/user Rights Assignments
      Load and unload device drivers
0
 
JJT2750Commented:
Create a domain\group to be able to print, add users to the roll and see if that works.
0
 
Avi-SolomonAuthor Commented:
Sorry, I'm not understanding your response. My users can print. The question is how do I grant them privilege to ADD and REMOVE printers ? For example, a user on my network has networked printers. All is well. User goes home and buys a new printer. Can't install the drivers because they don't have Admin Rights.

I want my users to be able to control their printing by themselves. I don't care if they ADD and REMOVE printers all day long.
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

 
Avi-SolomonAuthor Commented:
Will that give them more rights to load drivers and the such for NON-printers? Will this give them too much permission?
0
 
Avi-SolomonAuthor Commented:
Let me rephrase the question....

The reason I lockdown the PCs is to limit spyware, application installation, etc. What potential issues will I have if I enable loading and unloading of device drivers? What kind of damage could i expect from hitting a bad website? what if people try to install apps and the such? Will it have any effect?

I don't mind if their keychain hard drives are now being allowed to be installed or printers can be installed. That's all good. What bad things can I expect?
0
 
dmccurdy51Commented:
It gives them permission to install any Plug-in-Play device driver. That would include none printers, but this is what you want.
0
 
dmccurdy51Commented:
Well worst case is a user could install a device driver which makes the machine non functional.  Since this setting is for installing Plug-in-Play devices the chances of worst case are remote, because XP will use the best driver.   Generally kernal mode drivers cause this worst case scenario(meaning the driver has direct access to the OS kernal)

As far as spyware, I suppose it would be possible to include a virus in a device driver, but not likely.  Microsoft only gives Admins this right by default so also take that into consideration.  
0
 
Avi-SolomonAuthor Commented:
So if I only allow my laptop users to have this right, do you see this as a minor risk or major risk - assuming I want to protect them from the hazzards of the internet and installing apps they shouldn't be?
0
 
SunshineVKCommented:
Configure the domain group policy
Allow users to add/remove printers
0
 
dmccurdy51Commented:
I would say low risk to the hazzards listed above.
0
 
Avi-SolomonAuthor Commented:
dmccurdy51 - Do you know what SunshineVK is talking about? Is there a policy to allow add/remove of printers? I wasn't aware of one. Also, if such a thing does exist, will it work if the laptop user is NOT hooked up to the domain - i.e. the user is at home for the day and needs to add a printer?
0
 
SunshineVKCommented:
Yes there is User Configuration ==> Administartive Templates ==> Control Panel ==> Printers ==> Prevent addition of printers/Prevent deletion of printers
Yes & once teh polciies are applied on the laptops it will allow laptop users to add/delete printes also.
0
 
prashsaxCommented:
so what you are saying that the users are logging into a domain. But are not able to install the printer.

What error message they get when they try and install the shared printer.

I mean when they do
\\servername\printername in run.

Have you shared the printer from any server?

0
 
Avi-SolomonAuthor Commented:
prashsax

It's not a network printer, it's a local pritner that's the problem. Network printers add fine because they are stored in HKCU. Local printers are stored in HKLM and that's where my permissions issue comes from.

I have made the GPO change recommended by SunshineVK and will test to see if this resolves the issue. Thanks.
0
 
Avi-SolomonAuthor Commented:
SunshineVK's solution did not work. The issue was that while there is a GPO to allow adding and remving of printers, this assumes the user has permission on the machine. The GPO simply allows the ability to add or remove printers via normal methods of windows. In the help it states "...However, this policy does not prevent users from using the Add Hardware wizard to add a printer. Nor does it prevent users from running other programs to add printers...."

This tells me that it has nothing to do with permissions, but rather the availability of the "Add Printer" icon and drag-and-drop adding.

Since the users CAN'T use the Add Hardware Wizard NOR can they add printers by using other programs because they don't have permission, SunshineVK's answer would only make the icon available to the user but when they go to add the printer, they are told that they do not have permission to do this. SunshineVK's response is a good one if the issue was related to adding network printers, which are stored in HKCU, but since local printer information is stored in HKLM, we have double security issue - the GPO AND Local Security/Admin Privilege.

I will try dmccurdy51's idea of device drivers and see if that makes a difference and will update accordingly.
0
 
Avi-SolomonAuthor Commented:
Please don't abondon this question just yet. I would like to test dmccurdy's idea of device driver permissions (two posts up, final sentence). I had attempted to test the idea without success and have not had an opportunity to figure out if the problem was with how I attempted to perform the operation or if it just inherently won't work that way. If I am able to solve the issue as per dmccurdy's recommendation, it would be a big help to anyone dealing with printing permissions in this fashion.
0
 
rindiCommented:
any news?
0
 
Avi-SolomonAuthor Commented:
No, not yet. I need to test out a few scenarios. Haven't had a chance. Are you having a similar issue?
0
 
rindiCommented:
No, I'm only checking now and then when a Q has been open for some time without any user input...
0
 
rindiCommented:
avi? hello? Still there?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.