Solved

How do I allow a user to install a local printer but nothing else?

Posted on 2007-11-21
Last Modified: 2012-08-13
Hi,

We are running a 2003 AD domain here with GPO etc.

I am tasked with creating a set of laptops for staff to take home and work on, but I want them to be locked down so that they can't muck about with them and cause me a headache.

The trouble is that they will need to install a local printer at their end. I know about adding them to the Power Users group and changing the local policy to allow Load/Unload Device Drivers but being a Power User also allows the user to:

- Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.      

- Install programs that do not modify operating system files or install system services.      

- Customize system wide resources including printers, date, time, power options, and other Control Panel resources.      

- Create and manage local user accounts and groups.      

- Stop and start system services which are not started by default.

....and installing programs is what we want to stop.

Is there any way of me locking this down so tight that it squeaks but also allow them to install a local printer?

thanks
Question by:Hedley Phillips

Accepted Solution

by: Netman66
ID: 20329261
To install a printer locally, they must have Admin or Power User rights to the workstation.
There is no setting for this in Group Policy other than Restricted Groups - which is overkill for this task.

You'll have to add them as one of the above user types until their printers are installed.



Author Comment

by:Hedley Phillips
ID: 20334924
Thanks for your reply.

So there is no easy way to do this? I can't be on site for all of these laptops to change their perms if they need to add a printer. They are spread across the country.

I take it that my only option is to set them to power user and hope they don't install any extra software.


Expert Comment

by:tigermatt
ID: 20334973
Hi Mr-Madcowz,

You will need to either make them Power Users or get them to VPN in and use terminal services/VNC to remotely access their desktops and perform the changes remotely. They will certainly need Power User or Admin rights, as Netman has already mentioned, to install the software.

-tigermatt

Expert Comment

by:Netman66
ID: 20334991
Not necessarily.

If these printers are local (i.e. Not to a print server) then they are considered local to the machine and not profile-dependent.

In this case, you can have them plug the laptop in and turn it on.  You can then RDP into the box using "mstsc /console" and install the printer for them remotely.  Since it's a local printer it will be there for them when they log in.


Author Comment

by:Hedley Phillips
ID: 20394636
Thanks guys,

I made the user a Power User as it was the easiest option. We will have to make sure that our Staff contract states what can and can't be done on staff laptops.

Interesting point: Since we pay for the ADSL line, I mentioned to our Director that we would be liable for anything illegal sent on it!

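Added example, not written by any poster in this thread: since the thread ends with users left in Power Users and the question mentions granting "Load/Unload Device Drivers", this Python sketch audits a laptop's exported user rights to show who besides Administrators can load drivers and which rights Power Users hold. It assumes the template was produced with `secedit /export /cfg <file> /areas USER_RIGHTS`; the sample export and the function names are constructed for illustration, and it covers user rights only, not the file and registry permissions Power Users also receive.

```python
import configparser

ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID: BUILTIN\Administrators
POWER_USERS = "*S-1-5-32-547"     # well-known SID: BUILTIN\Power Users

# Constructed sample of an exported template (not taken from a real laptop).
# A real export is normally UTF-16: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-547
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(export_text):
    """Map each user right in [Privilege Rights] to its list of holders."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False)
    cp.optionxform = str  # keep the case of right names such as SeLoadDriverPrivilege
    cp.read_string(export_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [h.strip() for h in (value or "").split(",") if h.strip()]
            for right, value in cp.items("Privilege Rights")}


def audit(export_text):
    """Report who besides Administrators can load drivers, and what Power Users hold."""
    rights = privilege_holders(export_text)
    return {
        "driver_load_non_admin": [h for h in rights.get("SeLoadDriverPrivilege", [])
                                  if h != ADMINISTRATORS],
        "power_users_rights": sorted(r for r, holders in rights.items()
                                     if POWER_USERS in holders),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run against exports collected from each laptop, an empty `driver_load_non_admin` list means only Administrators can load drivers on that machine.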