Solved

How do I allow a user to install a local printer but nothing else?

Posted on 2007-11-21
5
1,399 Views
Last Modified: 2012-08-13
Hi,

we are running a 2003 AD domain here with GPO etc.

I am tasked with creating a set of laptops for staff to take home and work on, but I want them to be locked down so that they can't muck about with them and cause me a headache.

The trouble is that they will need to install a local printer at their end. I know about adding them to the Power Users group and changing the local policy to allow Load/Unload Device Drivers but being a Power User also allows the user to:

- Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.      

- Install programs that do not modify operating system files or install system services.      

- Customize system wide resources including printers, date, time, power options, and other Control Panel resources.      

- Create and manage local user accounts and groups.      

- Stop and start system services which are not started by default.

....and installing programs is what we want to stop.

Is there anyway of me locking this down so tight that it squeaks but also allow them to install a local printer?

thanks
0
Comment
Question by:Hedley Phillips
  • 2
  • 2
5 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 20329261
To install a printer locally, they must have Admin or Power User rights to the workstation.
There is no setting for this in Group Policy other than Restricted Groups - which is overkill for this task.

You'll have to add them as one of the above usertypes until their printers are installed.


0
 
LVL 14

Author Comment

by:Hedley Phillips
ID: 20334924
Thanks for your reply.

So there is no easy way to do this? I can't be on site for all of these laptops to change their perms if they need to add a printer. They are spread across the country.

I take it that my only option is to set them to power user and hope they don't install any extra software.

0
 
LVL 58

Expert Comment

by:tigermatt
ID: 20334973
Hi Mr-Madcowz,

You will need to either make them Power Users or get them to VPN in and use terminal services/VNC to remotely access their desktops and peform the changes remotely. They will certainly need Power User or Admin rights, as Netman has already mentioned, to install the software.

-tigermatt
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20334991
Not necessarily.

If these printers are local (i.e. Not to a print server) then they are considered local to the machine and not profile-dependant.

In this case, you can have them plug the laptop in and turn it on.  You can then RDP into the box using "mstsc /console" and install the printer for them remotely.  Since it's a local printer it will be there for them when they log in.

0
 
LVL 14

Author Comment

by:Hedley Phillips
ID: 20394636
Thanks guys,

I made the user a Power User as it was the easiest option. We will have to make sure that our Staff contract states what can and can't be done on staff laptops.

Interesting point: Since we pay for the ADSL line, I mentioned to our Director that we would be liable for anything illegal sent on it!
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now