Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I allow a user to install a local printer but nothing else?

Posted on 2007-11-21
5
Medium Priority
?
1,406 Views
Last Modified: 2012-08-13
Hi,

we are running a 2003 AD domain here with GPO etc.

I am tasked with creating a set of laptops for staff to take home and work on, but I want them to be locked down so that they can't muck about with them and cause me a headache.

The trouble is that they will need to install a local printer at their end. I know about adding them to the Power Users group and changing the local policy to allow Load/Unload Device Drivers but being a Power User also allows the user to:

- Run legacy applications, in addition to Windows 2000 or Windows XP Professional certified applications.      

- Install programs that do not modify operating system files or install system services.      

- Customize system wide resources including printers, date, time, power options, and other Control Panel resources.      

- Create and manage local user accounts and groups.      

- Stop and start system services which are not started by default.

....and installing programs is what we want to stop.

Is there anyway of me locking this down so tight that it squeaks but also allow them to install a local printer?

thanks
0
Comment
Question by:Hedley Phillips
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 51

Accepted Solution

by:
Netman66 earned 1000 total points
ID: 20329261
To install a printer locally, they must have Admin or Power User rights to the workstation.
There is no setting for this in Group Policy other than Restricted Groups - which is overkill for this task.

You'll have to add them as one of the above usertypes until their printers are installed.


0
 
LVL 14

Author Comment

by:Hedley Phillips
ID: 20334924
Thanks for your reply.

So there is no easy way to do this? I can't be on site for all of these laptops to change their perms if they need to add a printer. They are spread across the country.

I take it that my only option is to set them to power user and hope they don't install any extra software.

0
 
LVL 58

Expert Comment

by:tigermatt
ID: 20334973
Hi Mr-Madcowz,

You will need to either make them Power Users or get them to VPN in and use terminal services/VNC to remotely access their desktops and peform the changes remotely. They will certainly need Power User or Admin rights, as Netman has already mentioned, to install the software.

-tigermatt
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20334991
Not necessarily.

If these printers are local (i.e. Not to a print server) then they are considered local to the machine and not profile-dependant.

In this case, you can have them plug the laptop in and turn it on.  You can then RDP into the box using "mstsc /console" and install the printer for them remotely.  Since it's a local printer it will be there for them when they log in.

0
 
LVL 14

Author Comment

by:Hedley Phillips
ID: 20394636
Thanks guys,

I made the user a Power User as it was the easiest option. We will have to make sure that our Staff contract states what can and can't be done on staff laptops.

Interesting point: Since we pay for the ADSL line, I mentioned to our Director that we would be liable for anything illegal sent on it!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Suggested Courses

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question