Solved

How do I allow a user to install a local printer but nothing else?

Posted on 2007-11-21
Last Modified: 2012-08-13
Hi,

We are running a 2003 AD domain here with GPO etc.

I am tasked with creating a set of laptops for staff to take home and work on, but I want them to be locked down so that they can't muck about with them and cause me a headache.

The trouble is that they will need to install a local printer at their end. I know about adding them to the Power Users group and changing the local policy to allow Load/Unload Device Drivers but being a Power User also allows the user to:

- Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.
- Install programs that do not modify operating system files or install system services.
- Customize system wide resources including printers, date, time, power options, and other Control Panel resources.
- Create and manage local user accounts and groups.
- Stop and start system services which are not started by default.

....and installing programs is what we want to stop.

Is there any way of me locking this down so tight that it squeaks but also allow them to install a local printer?

Thanks
Question by:Hedley Phillips
 
LVL 51

Accepted Solution

by: Netman66 earned 250 total points
ID: 20329261
To install a printer locally, they must have Admin or Power User rights to the workstation.
There is no setting for this in Group Policy other than Restricted Groups - which is overkill for this task.

You'll have to add them as one of the above user types until their printers are installed.


 
LVL 14

Author Comment

by:Hedley Phillips
ID: 20334924
Thanks for your reply.

So there is no easy way to do this? I can't be on site for all of these laptops to change their perms if they need to add a printer. They are spread across the country.

I take it that my only option is to set them to power user and hope they don't install any extra software.

 
LVL 58

Expert Comment

by:tigermatt
ID: 20334973
Hi Mr-Madcowz,

You will need to either make them Power Users or get them to VPN in and use terminal services/VNC to remotely access their desktops and perform the changes remotely. They will certainly need Power User or Admin rights, as Netman has already mentioned, to install the software.

-tigermatt
 
LVL 51

Expert Comment

by:Netman66
ID: 20334991
Not necessarily.

If these printers are local (i.e. not to a print server) then they are considered local to the machine and not profile-dependent.

In this case, you can have them plug the laptop in and turn it on. You can then RDP into the box using "mstsc /console" and install the printer for them remotely. Since it's a local printer it will be there for them when they log in.

 
LVL 14

Author Comment

by:Hedley Phillips
ID: 20394636
Thanks guys,

I made the user a Power User as it was the easiest option. We will have to make sure that our Staff contract states what can and can't be done on staff laptops.

Interesting point: Since we pay for the ADSL line, I mentioned to our Director that we would be liable for anything illegal sent on it!
