Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1408
  • Last Modified:

How do I allow a user to install a local printer but nothing else?

Hi,

we are running a 2003 AD domain here with GPO etc.

I am tasked with creating a set of laptops for staff to take home and work on, but I want them to be locked down so that they can't muck about with them and cause me a headache.

The trouble is that they will need to install a local printer at their end. I know about adding them to the Power Users group and changing the local policy to allow Load/Unload Device Drivers but being a Power User also allows the user to:

- Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.      

- Install programs that do not modify operating system files or install system services.      

- Customize system wide resources including printers, date, time, power options, and other Control Panel resources.      

- Create and manage local user accounts and groups.      

- Stop and start system services which are not started by default.

....and installing programs is what we want to stop.

Is there anyway of me locking this down so tight that it squeaks but also allow them to install a local printer?

thanks
0
Hedley Phillips
Asked:
Hedley Phillips
  • 2
  • 2
1 Solution
 
Netman66Commented:
To install a printer locally, they must have Admin or Power User rights to the workstation.
There is no setting for this in Group Policy other than Restricted Groups - which is overkill for this task.

You'll have to add them as one of the above usertypes until their printers are installed.


0
 
Hedley PhillipsAuthor Commented:
Thanks for your reply.

So there is no easy way to do this? I can't be on site for all of these laptops to change their perms if they need to add a printer. They are spread across the country.

I take it that my only option is to set them to power user and hope they don't install any extra software.

0
 
tigermattCommented:
Hi Mr-Madcowz,

You will need to either make them Power Users or get them to VPN in and use terminal services/VNC to remotely access their desktops and peform the changes remotely. They will certainly need Power User or Admin rights, as Netman has already mentioned, to install the software.

-tigermatt
0
 
Netman66Commented:
Not necessarily.

If these printers are local (i.e. Not to a print server) then they are considered local to the machine and not profile-dependant.

In this case, you can have them plug the laptop in and turn it on.  You can then RDP into the box using "mstsc /console" and install the printer for them remotely.  Since it's a local printer it will be there for them when they log in.

0
 
Hedley PhillipsAuthor Commented:
Thanks guys,

I made the user a Power User as it was the easiest option. We will have to make sure that our Staff contract states what can and can't be done on staff laptops.

Interesting point: Since we pay for the ADSL line, I mentioned to our Director that we would be liable for anything illegal sent on it!
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now