• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10468
  • Last Modified:

Printer (driver) install fails due to Access Denied

I've been using the excellent PDFCreator for more than 2 years. Today it failed with an empty message box (just an OK button). I removed the software and attempted to install the latest version. It appears to install fine until it gets to the point of adding the printer to the OS - here it fails with an "Access Denied" error message.

I then downloaded Primo32 and that did the same - almost all the install completed and then "Access Denied" at the 'add printer to XP' stage.

Finally, I tried adding any old printer using the Add Printer Wizard. I made out that it was connected to LPT1 and added the first printer in the list. "Unable to Add Printer. Access Denied".

This is a single user machine and I am in the Administrators Group.

I'm guessing this is a permissions issue. I have carried out some bizarre command line security reset procedure (secedit?) but to no avail. I have downloaded an HP Access Denied fix, but that didn't work.

I don't have much more hair to lose, but I'm pulling it out fast while I try to avoid a whole OS reinstall!

Open in new window

  • 9
  • 4
  • 3
  • +1
3 Solutions
You are most likely right in the permissions issue. At this point of time i did not find any templates that can restore your machine to non hardened state. So we might want to try our luck with the following.

Go to 'Control Panel' -> 'Administrative tools' -> Local Security Policy. This will open up a window. Make sure your settings has the following.
Under local policies -> User rights assignment
- Add administrators to 'Load and unload device drivers'
- Take ownership of files or other objects
Under local policies -> Security Options
- Set disabled to 'Devices: Prevent users fro installing printer drivers'
- Set 'silently succeed' to 'Devices: Unsigned driver installation behaviour"

Hope it helps.
yet_another_jashAuthor Commented:

Thanks for your prompt response. I checked the settings you suggested and they were set as you described them. On the way in to these individual policies though I was met with a message box "The Group Policy security setting that apply to this machine could not be determined. The error returned when trying to retrieve these settings from the local security database (%windir%\security\database\secedit.sdb) was: The parameter in incorrect.

So with that, I'm not sure if the settings you refer to are even relevant in this context - because the the local policies may be overridden by domain-level policies it suggests.

This machine is networked but is not in a domain.

(There are two spelling mistakes in the message box too!)
Try logging onto the machine as the Local Administrator and installing the printer.
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

yet_another_jashAuthor Commented:

Tried that and it failed in the same way!
Try running a windows repair.  Then log in as local administrator
yet_another_jashAuthor Commented:
Unfortunately, the restore CD I have does not support the RAID array and complains about not being able to see the CDROM drive. I can't take the risk of breaking it through trying to fix it...So, Windows Repair is not an option for me right now....

Try the following to reset your security policies.
yet_another_jashAuthor Commented:
Nope, that didn't work either....
Have you actually tried to create a new, additional Administrative user and see if you get the same problem?  Maybe something is wrong with your profile?
yet_another_jashAuthor Commented:
I like that idea, but when I did just as you suggest, the process of adding a printer failed in exactly the same way.  It *has* to be something along the lines of policies/permissions though, doesn't it?

I also noticed today that when I delete something, the recycle bin is reported as being corrupt. I'm off to google that one now and hope it's related somehow.
ok.  Can you use your CD rom logged on as you.  If so, run a Windows consistency check?

At Start / Run  type SFC /SCANNOW.  IT will probably ask you to insert your windows CD.
yet_another_jashAuthor Commented:
I ran a Windows consistency check - it didn't ask for my CD, neither did it throw up any problems.

I'm still stumped.

Any more suggestions?
You said you tried "some bizarre command line security reset procedure (secedit?)". Can you place here exactly what you tried? It may or may not have been something like what I suggest below.

The following could help if your security database has not been shutdown properly:

- open a cmd prompt
- change to the windows\security folder
- run "esentutl /r edb" (no quotes)
- run "esentutl /mh"

If this doesn't fix the problem, try a repair:

- open a cmd prompt
- run "esentutl /p %windir%\security\database\secedit.sdb" (no quotes) - to repair
- run "esentutl /d %windir%\security\database\secedit.sdb" (no quotes) - to defrag

If that still doesn't work, you coud reset securities back to defaults (http://support.microsoft.com/default.aspx?scid=kb;en-us;313222) but you lose a lot of custom information (file/folder and registry permissions, policy settings, group membership, etc).

Please report any errors shown in event viewer.

yet_another_jashAuthor Commented:

Thanks for taking the time to post your suggestions. I have attached the output of them as a code snippet. The first two commands you gave me appeared to be without the necessary arguments ( I have piped the output of them and put it at the top of the code snippet). The next two completed without issue.

After each stage, I checked and can confirm that I still cannot add a printer - it fails with the same error message.

I then performed the security reset procedure that you directed me to in the knowledge base. That completed with errors, so I have included the log file from that operation in the code snippet too.

I really am coming round to the view that there is little I can do to avoid a damn reinstall here....

Thanks again.
- open a cmd prompt
- change to the windows\security folder
- run "esentutl /r edb" (no quotes)
- run "esentutl /mh"
Microsoft(R) Windows(TM) Database Utilities
Version 5.1
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode...
    Logfile base name: edb
            Log files: <current directory>
         System files: <current directory>
Performing soft recovery...
Operation terminated with error -528 (JET_errMissingLogFile, Current log file missing) after 0.16 seconds.
Microsoft(R) Windows(TM) Database Utilities
Version 5.1
Copyright (C) Microsoft Corporation. All Rights Reserved.
Usage Error: Missing database/filename specification.
Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter) after 0.0 seconds.
If that still doesn't work, you coud reset securities back to defaults...
Saturday, December 29, 2007 9:03:53 AM
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure User Rights...
	Configure S-1-5-21-4082297255-3916078401-944108286-1002.
		remove SeBatchLogonRight.
		remove SeDenyNetworkLogonRight.
		remove SeDenyInteractiveLogonRight.
	Configure S-1-5-21-4082297255-3916078401-944108286-1003.
		remove SeNetworkLogonRight.
		remove SeBatchLogonRight.
		remove SeServiceLogonRight.
		remove SeDenyInteractiveLogonRight.
		remove SeDenyRemoteInteractiveLogonRight.
		remove SeImpersonatePrivilege.
	Configure S-1-5-21-4082297255-3916078401-944108286-1005.
		remove SeBatchLogonRight.
	Configure S-1-5-21-4082297255-3916078401-944108286-501.
		remove SeInteractiveLogonRight.
		remove SeDenyInteractiveLogonRight.
	Configure S-1-5-20.
		remove SeServiceLogonRight.
	Configure S-1-5-19.
	Configure S-1-5-32-551.
	Configure S-1-5-32-544.
	Configure S-1-1-0.
	Configure S-1-5-32-545.
	Configure S-1-5-32-547.
	Configure S-1-5-6.
	Configure S-1-5-4.
	Configure S-1-5-21-861567501-1078081533-725345543-501.
		add SeInteractiveLogonRight.
		add SeDenyNetworkLogonRight.
		add SeDenyInteractiveLogonRight.
	Configure S-1-5-32-555.
	User Rights configuration was completed successfully.
----Configure Group Membership...
	Configure Users.
	Group Membership configuration was completed successfully.
----Configure Registry Keys...
	Configure users\.default.
	Configure users\.default\software\microsoft\netdde.
	Configure machine\software.
	Configure machine\software\classes.
	Configure machine\software\classes\.hlp.
	Configure machine\software\classes\helpfile.
	Configure machine\software\microsoft\ads\providers\ldap\extensions.
	Configure machine\software\microsoft\ads\providers\nds.
	Configure machine\software\microsoft\ads\providers\nwcompat.
	Configure machine\software\microsoft\ads\providers\winnt.
	Configure machine\software\microsoft\bidinterface.
	Configure machine\software\microsoft\command processor.
	Configure machine\software\microsoft\cryptography.
	Configure machine\software\microsoft\cryptography\calais.
	Configure machine\software\microsoft\devicemanager.
	Configure machine\software\microsoft\driver signing.
	Configure machine\software\microsoft\enterprisecertificates.
	Configure machine\software\microsoft\netdde.
	Configure machine\software\microsoft\non-driver signing.
	Configure machine\software\microsoft\ole.
	Configure machine\software\microsoft\rpc.
	Configure machine\software\microsoft\secure.
	Configure machine\software\microsoft\systemcertificates.
	Configure machine\software\microsoft\upnp device host.
	Configure machine\software\microsoft\windows\currentversion\explorer\user shell folders.
	Configure machine\software\microsoft\windows\currentversion\reliability.
	Configure machine\software\microsoft\windows\currentversion\runonce.
	Configure machine\software\microsoft\windows\currentversion\runonceex.
	Configure machine\software\microsoft\windows\currentversion\telephony.
	Configure machine\software\microsoft\windows nt\currentversion\accessibility.
	Configure machine\software\microsoft\windows nt\currentversion\aedebug.
	Configure machine\software\microsoft\windows nt\currentversion\asr\commands.
	Configure machine\software\microsoft\windows nt\currentversion\classes.
	Configure machine\software\microsoft\windows nt\currentversion\drivers32.
	Configure machine\software\microsoft\windows nt\currentversion\efs.
	Configure machine\software\microsoft\windows nt\currentversion\font drivers.
	Configure machine\software\microsoft\windows nt\currentversion\fontmapper.
	Configure machine\software\microsoft\windows nt\currentversion\image file execution options.
	Configure machine\software\microsoft\windows nt\currentversion\inifilemapping.
	Configure machine\software\microsoft\windows nt\currentversion\perflib.
	Configure machine\software\microsoft\windows nt\currentversion\profilelist.
	Configure machine\software\microsoft\windows nt\currentversion\secedit.
	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole.
	Configure machine\software\microsoft\windows nt\currentversion\svchost.
	Configure machine\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\run.
	Configure machine\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\runonce.
	Configure machine\software\microsoft\windows nt\currentversion\time zones.
	Configure machine\software\microsoft\windows nt\currentversion\windows.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon.
	Configure machine\software\policies.
	Configure machine\system.
	Configure machine\system\currentcontrolset\control\class.
	Configure machine\system\currentcontrolset\control\keyboard layout.
	Configure machine\system\currentcontrolset\control\keyboard layouts.
	Configure machine\system\currentcontrolset\control\lsa\data.
	Configure machine\system\currentcontrolset\control\lsa\gbg.
	Configure machine\system\currentcontrolset\control\lsa\jd.
	Configure machine\system\currentcontrolset\control\lsa\skew1.
	Configure machine\system\currentcontrolset\control\securepipeservers\winreg.
	Configure machine\system\currentcontrolset\control\session manager\executive.
	Configure machine\system\currentcontrolset\control\timezoneinformation.
	Configure machine\system\currentcontrolset\control\wmi\security.
	Configure machine\system\currentcontrolset\services\appmgmt\security.
	Configure machine\system\currentcontrolset\services\clipsrv\security.
	Configure machine\system\currentcontrolset\services\cryptsvc\security.
	Configure machine\system\currentcontrolset\services\dnscache.
	Configure machine\system\currentcontrolset\services\ersvc\security.
	Configure machine\system\currentcontrolset\services\eventlog\security.
	Configure machine\system\currentcontrolset\services\irenum\security.
	Configure machine\system\currentcontrolset\services\netbt.
	Configure machine\system\currentcontrolset\services\netdde\security.
	Configure machine\system\currentcontrolset\services\netddedsdm\security.
	Configure machine\system\currentcontrolset\services\remoteaccess.
	Configure machine\system\currentcontrolset\services\rpcss\security.
	Configure machine\system\currentcontrolset\services\samss\security.
Warning 2: The system cannot find the file specified.
 	Error enumerating info for machine\system\currentcontrolset\services\scarddrv.
	Configure machine\system\currentcontrolset\services\scardsvr\security.
	Configure machine\system\currentcontrolset\services\stisvc\security.
	Configure machine\system\currentcontrolset\services\sysmonlog\log queries.
	Configure machine\system\currentcontrolset\services\tapisrv\security.
	Configure machine\system\currentcontrolset\services\tcpip.
	Configure machine\system\currentcontrolset\services\tcpip\linkage.
	Configure machine\system\currentcontrolset\services\w32time\security.
	Configure machine\system\currentcontrolset\services\wmi\security.
	Configuration of Registry Keys was completed successfully.
----Configure File Security...
	Configure c:\.
	File Security configuration was completed with one or more errors.
----Configure General Service Settings...
	Configure w32time.
	Configure upnphost.
	Configure TrkWks.
	Configure SSDPSRV.
	Configure Spooler.
	Configure SENS.
	Configure seclogon.
	Configure secdrv.
Warning 2: The system cannot find the file specified.
 	Error configuring secdrv.
	General Service configuration was completed with one or more errors.
----Configure available attachment engines...
	Configuration of attachment engines was completed successfully.
----Configure Security Policy...
	Configure password information.
	LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS).
	Configure LSA anonymous lookup setting.
	Guest account is disabled.
	System Access configuration was completed successfully.
	Configure log settings.
	Audit/Log configuration was completed successfully.
	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel.
	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption.
	Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
	Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
	Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
	Configure machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
	Configure machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon.
	Configure machine\system\currentcontrolset\control\lsa\auditbaseobjects.
	Configure machine\system\currentcontrolset\control\lsa\crashonauditfail.
	Configure machine\system\currentcontrolset\control\lsa\disabledomaincreds.
	Configure machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous.
	Configure machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy.
	Configure machine\system\currentcontrolset\control\lsa\forceguest.
	Configure machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
	Configure machine\system\currentcontrolset\control\lsa\limitblankpassworduse.
	Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
	Configure machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec.
	Configure machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec.
	Configure machine\system\currentcontrolset\control\lsa\nodefaultadminowner.
	Configure machine\system\currentcontrolset\control\lsa\nolmhash.
	Configure machine\system\currentcontrolset\control\lsa\restrictanonymous.
	Configure machine\system\currentcontrolset\control\lsa\restrictanonymoussam.
	Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
	Configure machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive.
	Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
	Configure machine\system\currentcontrolset\control\session manager\protectionmode.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword.
	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
	Configure machine\system\currentcontrolset\services\ldap\ldapclientintegrity.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel.
	Configuration of Registry Values was completed successfully.
----Configure available attachment engines...
	Configuration of attachment engines was completed successfully.
----Un-initialize configuration engine...

Open in new window

I have no more suggestions. The errors in your detailed submission are not great but are sufficient to encourage me toward a reinstall. The cause of this situation remains a mystery to me but I'm not sure it's worth the hours to avoid the reinstall.
yet_another_jashAuthor Commented:

Thanks for your patience and suggestions. OK, so let me round this off with a last related query. Is there no easy way of reinstalling (with all apps too) than starting from scratch? I've done it enough times to know it's nauseous and time consuming, but often wondered if there is anyway of making it easier...just wondered. All my data is backed up and so safe...

I use an imaging product when I first install a machine. This captures the operating system and all drivers in a working (and pristine) condition. I then add applications and capture another image. I tend to blat the machine with this second image regularly (say, monthly). This keeps things fresh. If anything drastic happens I use the original image and then reload programs manually. Of course, this means automatic updates need to be reloaded after each reimage so it pays to update the image every so often. A reimage takes about 20 minutes. I know this doesn't really address your current predicament but may help develop new strategies for the future.

As for now, it probably isn't worth setting up an unattended install but it is possible to script all the answers to the install wizard, have the correct drivers load, and then install applications automatically. See http://support.microsoft.com/kb/314459 (for the short version) or http://technet2.microsoft.com/windowsserver/en/library/0930ddbf-3636-4b77-81ff-c1a073f38cbb1033.mspx?mfr=true (for the full detailed discussion). There are plenty of other helpful sites available (see Google).

In short, I think the quickest option for you at this stage is a manual (and tiem consuming) install. Sorry.
yet_another_jashAuthor Commented:
Thanks for your help guys. While I wasn't able to sort this out, you did give me more than one thing to try and in doing so have added to my education! I appreciate your input.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

  • 9
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now