[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Printing Permissions Issue

Posted on 2006-05-25
24
Medium Priority
?
228 Views
Last Modified: 2012-06-21
Folks,

Here's the scenario: My users have Win2KPro on our domain. Users have non-admin privilege to their machines. Is there a way I can add the users to some sort of local group or something on their PC that will give them rights to add and remove printers without having Power User Admin rights? I believe under WinXP their's a local print operators group, but I don't see any way to do this on Win2K. Any suggestions?
0
Comment
Question by:Avi-Solomon
  • 9
  • 4
  • 3
  • +3
20 Comments
 
LVL 3

Expert Comment

by:JJT2750
ID: 16761391
Create a domain\group to be able to print, add users to the roll and see if that works.
0
 

Author Comment

by:Avi-Solomon
ID: 16761422
Sorry, I'm not understanding your response. My users can print. The question is how do I grant them privilege to ADD and REMOVE printers ? For example, a user on my network has networked printers. All is well. User goes home and buys a new printer. Can't install the drivers because they don't have Admin Rights.

I want my users to be able to control their printing by themselves. I don't care if they ADD and REMOVE printers all day long.
0
 
LVL 4

Accepted Solution

by:
dmccurdy51 earned 1000 total points
ID: 16761665
I believe you want.
Local Security Policy     secpol.msc
   Local Policies/user Rights Assignments
      Load and unload device drivers
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:Avi-Solomon
ID: 16761672
Will that give them more rights to load drivers and the such for NON-printers? Will this give them too much permission?
0
 

Author Comment

by:Avi-Solomon
ID: 16761738
Let me rephrase the question....

The reason I lockdown the PCs is to limit spyware, application installation, etc. What potential issues will I have if I enable loading and unloading of device drivers? What kind of damage could i expect from hitting a bad website? what if people try to install apps and the such? Will it have any effect?

I don't mind if their keychain hard drives are now being allowed to be installed or printers can be installed. That's all good. What bad things can I expect?
0
 
LVL 4

Expert Comment

by:dmccurdy51
ID: 16761742
It gives them permission to install any Plug-in-Play device driver. That would include none printers, but this is what you want.
0
 
LVL 4

Expert Comment

by:dmccurdy51
ID: 16761811
Well worst case is a user could install a device driver which makes the machine non functional.  Since this setting is for installing Plug-in-Play devices the chances of worst case are remote, because XP will use the best driver.   Generally kernal mode drivers cause this worst case scenario(meaning the driver has direct access to the OS kernal)

As far as spyware, I suppose it would be possible to include a virus in a device driver, but not likely.  Microsoft only gives Admins this right by default so also take that into consideration.  
0
 

Author Comment

by:Avi-Solomon
ID: 16762325
So if I only allow my laptop users to have this right, do you see this as a minor risk or major risk - assuming I want to protect them from the hazzards of the internet and installing apps they shouldn't be?
0
 
LVL 4

Expert Comment

by:SunshineVK
ID: 16767157
Configure the domain group policy
Allow users to add/remove printers
0
 
LVL 4

Expert Comment

by:dmccurdy51
ID: 16769519
I would say low risk to the hazzards listed above.
0
 

Author Comment

by:Avi-Solomon
ID: 16769621
dmccurdy51 - Do you know what SunshineVK is talking about? Is there a policy to allow add/remove of printers? I wasn't aware of one. Also, if such a thing does exist, will it work if the laptop user is NOT hooked up to the domain - i.e. the user is at home for the day and needs to add a printer?
0
 
LVL 4

Expert Comment

by:SunshineVK
ID: 16777140
Yes there is User Configuration ==> Administartive Templates ==> Control Panel ==> Printers ==> Prevent addition of printers/Prevent deletion of printers
Yes & once teh polciies are applied on the laptops it will allow laptop users to add/delete printes also.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16780757
so what you are saying that the users are logging into a domain. But are not able to install the printer.

What error message they get when they try and install the shared printer.

I mean when they do
\\servername\printername in run.

Have you shared the printer from any server?

0
 

Author Comment

by:Avi-Solomon
ID: 16790672
prashsax

It's not a network printer, it's a local pritner that's the problem. Network printers add fine because they are stored in HKCU. Local printers are stored in HKLM and that's where my permissions issue comes from.

I have made the GPO change recommended by SunshineVK and will test to see if this resolves the issue. Thanks.
0
 

Author Comment

by:Avi-Solomon
ID: 16862254
SunshineVK's solution did not work. The issue was that while there is a GPO to allow adding and remving of printers, this assumes the user has permission on the machine. The GPO simply allows the ability to add or remove printers via normal methods of windows. In the help it states "...However, this policy does not prevent users from using the Add Hardware wizard to add a printer. Nor does it prevent users from running other programs to add printers...."

This tells me that it has nothing to do with permissions, but rather the availability of the "Add Printer" icon and drag-and-drop adding.

Since the users CAN'T use the Add Hardware Wizard NOR can they add printers by using other programs because they don't have permission, SunshineVK's answer would only make the icon available to the user but when they go to add the printer, they are told that they do not have permission to do this. SunshineVK's response is a good one if the issue was related to adding network printers, which are stored in HKCU, but since local printer information is stored in HKLM, we have double security issue - the GPO AND Local Security/Admin Privilege.

I will try dmccurdy51's idea of device drivers and see if that makes a difference and will update accordingly.
0
 

Author Comment

by:Avi-Solomon
ID: 17029685
Please don't abondon this question just yet. I would like to test dmccurdy's idea of device driver permissions (two posts up, final sentence). I had attempted to test the idea without success and have not had an opportunity to figure out if the problem was with how I attempted to perform the operation or if it just inherently won't work that way. If I am able to solve the issue as per dmccurdy's recommendation, it would be a big help to anyone dealing with printing permissions in this fashion.
0
 
LVL 88

Expert Comment

by:rindi
ID: 17153042
any news?
0
 

Author Comment

by:Avi-Solomon
ID: 17154619
No, not yet. I need to test out a few scenarios. Haven't had a chance. Are you having a similar issue?
0
 
LVL 88

Expert Comment

by:rindi
ID: 17154844
No, I'm only checking now and then when a Q has been open for some time without any user input...
0
 
LVL 88

Expert Comment

by:rindi
ID: 17350257
avi? hello? Still there?
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 is here and for most admins this means frustration and challenges getting that first working Windows 10 image. As in my previous sysprep articles, I've put together a simple help guide to get you through this process. The aim is to achiev…
I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Suggested Courses

865 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question