Avi-Solomon

Printing Permissions Issue

Folks,

Here's the scenario: My users have Win2KPro on our domain. Users have non-admin privilege to their machines. Is there a way I can add the users to some sort of local group or something on their PC that will give them rights to add and remove printers without having Power User Admin rights? I believe under WinXP there's a local print operators group, but I don't see any way to do this on Win2K. Any suggestions?
JJT2750

Create a domain\group to be able to print, add users to the roll and see if that works.
Avi-Solomon

ASKER

Sorry, I'm not understanding your response. My users can print. The question is how do I grant them privilege to ADD and REMOVE printers ? For example, a user on my network has networked printers. All is well. User goes home and buys a new printer. Can't install the drivers because they don't have Admin Rights.

I want my users to be able to control their printing by themselves. I don't care if they ADD and REMOVE printers all day long.
ASKER CERTIFIED SOLUTION
dmccurdy51

This solution is only available to members.
Will that give them more rights to load drivers and the such for NON-printers? Will this give them too much permission?
Let me rephrase the question....

The reason I lock down the PCs is to limit spyware, application installation, etc. What potential issues will I have if I enable loading and unloading of device drivers? What kind of damage could I expect from hitting a bad website? What if people try to install apps and the such? Will it have any effect?

I don't mind if their keychain hard drives are now being allowed to be installed or printers can be installed. That's all good. What bad things can I expect?
It gives them permission to install any Plug-and-Play device driver. That would include non-printers, but this is what you want.
Well, worst case is a user could install a device driver which makes the machine non-functional. Since this setting is for installing Plug-and-Play devices the chances of worst case are remote, because XP will use the best driver. Generally kernel mode drivers cause this worst case scenario (meaning the driver has direct access to the OS kernel).

As far as spyware, I suppose it would be possible to include a virus in a device driver, but not likely. Microsoft only gives Admins this right by default so also take that into consideration.
So if I only allow my laptop users to have this right, do you see this as a minor risk or major risk - assuming I want to protect them from the hazards of the internet and installing apps they shouldn't be?
Configure the domain group policy
Allow users to add/remove printers
I would say low risk to the hazards listed above.
dmccurdy51 - Do you know what SunshineVK is talking about? Is there a policy to allow add/remove of printers? I wasn't aware of one. Also, if such a thing does exist, will it work if the laptop user is NOT hooked up to the domain - i.e. the user is at home for the day and needs to add a printer?
Yes, there is: User Configuration ==> Administrative Templates ==> Control Panel ==> Printers ==> Prevent addition of printers/Prevent deletion of printers
Yes, and once the policies are applied on the laptops it will allow laptop users to add/delete printers also.
So what you are saying is that the users are logging into a domain, but are not able to install the printer.

What error message do they get when they try to install the shared printer?

I mean when they do
\\servername\printername in run.

Have you shared the printer from any server?

prashsax

It's not a network printer, it's a local printer that's the problem. Network printers add fine because they are stored in HKCU. Local printers are stored in HKLM and that's where my permissions issue comes from.

I have made the GPO change recommended by SunshineVK and will test to see if this resolves the issue. Thanks.
SunshineVK's solution did not work. The issue was that while there is a GPO to allow adding and removing of printers, this assumes the user has permission on the machine. The GPO simply allows the ability to add or remove printers via normal methods of Windows. In the help it states "...However, this policy does not prevent users from using the Add Hardware wizard to add a printer. Nor does it prevent users from running other programs to add printers...."

This tells me that it has nothing to do with permissions, but rather the availability of the "Add Printer" icon and drag-and-drop adding.

Since the users CAN'T use the Add Hardware Wizard NOR can they add printers by using other programs because they don't have permission, SunshineVK's answer would only make the icon available to the user but when they go to add the printer, they are told that they do not have permission to do this. SunshineVK's response is a good one if the issue was related to adding network printers, which are stored in HKCU, but since local printer information is stored in HKLM, we have a double security issue - the GPO AND Local Security/Admin Privilege.

I will try dmccurdy51's idea of device drivers and see if that makes a difference and will update accordingly.
Please don't abandon this question just yet. I would like to test dmccurdy's idea of device driver permissions (two posts up, final sentence). I had attempted to test the idea without success and have not had an opportunity to figure out if the problem was with how I attempted to perform the operation or if it just inherently won't work that way. If I am able to solve the issue as per dmccurdy's recommendation, it would be a big help to anyone dealing with printing permissions in this fashion.
rindi
any news?
No, not yet. I need to test out a few scenarios. Haven't had a chance. Are you having a similar issue?
No, I'm only checking now and then when a Q has been open for some time without any user input...
avi? hello? Still there?