SommelierRHS

AD rights to install local printers for a domain user

We have bought a system that temporarily installs and de-installs a PDF writer locally. But my users are ordinary domain users, so this does not work. Is it possible to add a GPO in the AD that allows a user or a PC those rights? In the old days it seems that this was possible if I set my users as power users and for that group added a GPO with the install local printer rights. But I don't want to do that because, for security reasons, I will keep them as domain users. What about the possibilities in Windows Server 2008?
Michael Pfister

For Windows XP the user must be at least Power User: http://support.microsoft.com/kb/297780/en-us
Also look here: http://forums.techarena.in/windows-xp-support/1031639.htm, they talk about Avecto Privilege Guard (http://www.avecto.com/product/) which may be a solution for your problem.
Hi,

At minimum, the system requires power user rights to have permission to install the printer.

I could advise you to use the previous way to grant power user rights...!

Is it a stand-alone printer or a network printer?

If it is a stand-alone printer you can give power user rights and have that printer installed.

If it is a network printer, you can add the user to the user system via login script.

Let us know if you have any questions.

Cheers,
Prem
SommelierRHS (ASKER)

It is not a physical printer but a PDF software printer that is integrated in the bought system and demands the rights to install a local printer. I will say that the designer of that system has made a bad solution, but this is the situation we are now in.

And I really do not want to give my users power user rights. Is there not any other way to solve this? Some new AD solution with a powerful group policy?
In this scenario, I could suggest you use software deployment via group policy...!

Please refer to the link below for the same.

http://support.microsoft.com/kb/816102

Cheers,
Prem
Also refer to this link below

http://support.microsoft.com/kb/302430

Cheers,
Prem
Thanks, Prem, for your answer.

But in this case the system has an embedded solution with a part of the software that installs and then, after use, de-installs the logical PDF printer. So permanently installing the PDF printer will mean another legal solution with other licenses for the system, which is too expensive for us.

Is it possible to open this up locally on the PC? Some GPO that only works locally?

I'm not looking for any points here.  The two previous posts (Premglitz & Arnold) should cover it.  Back when I had to do that I don't remember if I needed both GPO settings or not (install printer and load/unload drivers), but I seem to remember doing both.
But I was wondering,...is this application called Orion from VCI Solutions?  Is the PDF driver being handled called Amyuni or something like that?
Thanks, Prem and Arnold,

But both of you point at solutions which mean that power user rights are necessary. Prem, your suggestion is applicable to network printers, not local printers.

I am not a professional on AD and GPOs, but I am thinking that perhaps you know where to find a specially designed GPO that allows a user or, better, a specific PC to install a logical local printer, a PDF printer, and then de-install it?

Pwindell: I will try to find out which embedded software it is that handles the PDF writer.
This is the official Microsoft statement from my first post:

"To install or to modify a local printer, either of the following conditions must be true:
* You must be logged on as an administrator or a member of the Administrators group.
* You must be logged on as a member of the Power Users group and have the Load/Unload Device Drivers user right. The Load/Unload Device Drivers user right is a Group Policy setting."

 http://support.microsoft.com/kb/297780/en-us

Believe it.


If you enable "regular users" in Group Policy to install the printer and load/unload drivers,...then they can do it without being power users.   I am reasonably certain that I have had it that way here in the past when we used to run some crap Application that did the same thing the OP is experiencing.
No, it won't work. Only Power Users and Administrators are allowed to access, i.e., C:\Windows\System32\spool, where Windows wants to store the printer drivers, or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print, where the spooler wants to store local printer settings...
It could work if you find all places and allow regular users to write to these places...
But if the Drivers are already there it should work?

Installing a printer and installing a driver are two separate things.  Also loading a driver is not the same as installing a driver.

When the App in question is installed the driver would be installed at that time.   If his App is like the one we had,...it is not installing the print driver over and over,..that is only installed once,...the App is "loading" the driver and installing the printer, then removing the printer and unloading the driver with every "print job".

Maybe I ended up making them power users, I can't remember,...but what is the point of having Group Policy items in AD for Installing Printers and Loading/Unloading Drivers if they don't effectively do anything.
Yes, pwindell, it is an embedded solution with this logical printer Amyuni. There are no drivers in the file system but instead a part of the code integrated in the system's code.

So we don't have the "install a printer driver" problem, just the question of how to allow installing that logical printer locally, and then uninstalling it.
Yes it is a Traffic system. If it is VCI from the beginning I don't know yet.

OK, I will now make some tries.
Hopefully you can get away from VCI someday.  Their "Orion" Client-side App is very thick and heavy.  We dropped them and went with WideOrbit.   We still use VCI for our Automation (AutoXe), but I think we are planning to switch that later too.   Now their support people were good to work with, I liked them,...just didn't care for the design and engineering of their product.
For creating a local printer, even when the drivers are there, you need write permissions to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print.
To pwindell:

Three days ago you wrote "There is two "halves" of it,...one for Load/unload Drivers,...one for installing printers." Can you explain that more? I don't understand. I have been searching around via gpedit.msc and also locally in the security settings, but only found something about the driver, not the printer itself.
Yes there are two separate Policies.

1. Load & Unload Driver
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment folder

2. Install Printers.
This one is tricky.  It is reverse logic.  You have to disable the restriction that denies them.  This one might grant permission to write to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print,  but I am unsure. You still may have to grant regular users write permission to that key or make them local Power Users.  Anyway, the Policy is located at: User Configuration\Administrative Templates\Control Panel\Printers  and set the value to Disabled.

Anyway, I'm not denying what Mpfister is saying,..he's right,...but I think I got around it when we ran VCI,...and I know we ran the users as normal regular users because the auto-update for the Orion Client would not run for the users when an update happened,...so on "Update Morning" I had to login to each machine as an admin and open Orion to let it update itself then log off,...and that was fine for me because I was not going to make them local Admins,...they would have trashed the machines in a couple days had I done that (been there,..done that).
Note the exact wording of the Policies has changed from XP to Vista to Win7.
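
The two prerequisites debated above (write access to the spooler's registry key and directory, and the "Load and unload device drivers" user right) can be checked on a workstation before and after any policy change. This is an added example, not code from the thread; it assumes Windows PowerShell and an elevated prompt, and the list of expected SIDs and the variable names are the example's own choices.

```powershell
# Added example, not from the thread. Run elevated (secedit needs it).
# SIDs treated as expected writers: SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller.
$expected = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
              'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$generic  = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE
$sidType  = [System.Security.Principal.SecurityIdentifier]

# The two locations named in the thread, each with the rights that allow changes there.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Mask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' },
    @{ Path = (Join-Path $env:SystemRoot 'System32\spool')
       Mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' }
)

# Collect every Allow entry that gives an unexpected trustee write-type access.
$writers = foreach ($c in $checks) {
    $acl = Get-Acl -Path $c.Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $rule.IdentityReference.Value) { continue }
        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $rule.RegistryRights
        } else {
            $rights = $rule.FileSystemRights
        }
        if (([int]$rights -band ($c.Mask -bor $generic)) -ne 0) {
            [pscustomobject]@{ Path = $c.Path; Sid = $rule.IdentityReference.Value
                               Rights = $rights; Inherited = $rule.IsInherited }
        }
    }
}

# Export the effective user rights and read who holds SeLoadDriverPrivilege.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeLoadDriverPrivilege\s*=\s*(.+)$'
$holders = @()
if ($line) {
    $holders = $line.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item -Path $cfg

'Unexpected writers to the spooler locations:'
$writers | Format-Table -AutoSize
'Load and unload device drivers is held by: ' + ($holders -join ', ')
```

An empty table together with only S-1-5-32-544 in the last line means ordinary users have neither prerequisite, which is the state the asker wanted to keep.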
It is solved.

I couldn't find any working GPO solution, because if you look at the comments in the GPOs under
User Configuration\Administrative Templates\Control Panel\Printers   it is still possible to install/uninstall through other programs. And this is the case here.

So thanks to you, pwindell, I focused on the PDF printer Amyuni and logged in as an administrator, ran the application up to the moment when it installs the Amyuni PDF printer, then changed the security settings on the printer to only allow printing but deny handling the printer. This means that you can no longer uninstall the printer, which the application normally does in the next moment when you finish the print job.

So doing this during my normal installation on the PCs is a piece of cake.

And thanks too, mpfister, premqlitz and arnold, for your contributions to my investigation of this. I have learned a lot.
"So thanks to you, pwindell, I focused on the PDF printer Amyuni and logged in as an administrator, ran the application up to the moment when it installs the Amyuni PDF printer, then changed the security settings on the printer to only allow printing but deny handling the printer. This means that you can no longer uninstall the printer, which the application normally does in the next moment when you finish the print job."

Wow!  That is some creative thinking,...I would have not thought of that one,...but it makes sense.
Can you explain exactly what you did in case I ever run into this again?  I am particularly interested in who/what you granted or removed the permissions for.
1. As an administrator open Printers in the Control Panel, so you can see when the Amyuni pdf printer is being installed.
2. Run the application up to that moment when you can see that the printer installs.
3. Hold the application.
4. Open the printer and then open the security folder.
5. In the security folder untick Manage Printers and Manage Documents. Then only printing is allowed.
6. Close the application and also be sure that it doesn't uninstall the Amyuni printer before you leave the session as an administrator.
7. Now test it with another account that only has ordinary user rights. Simsalabim! The Amyuni Printer is there and will still be there through the whole application.
So you remove those permissions for everyone? Even the Admin?  There is more than one group or user listed if I remember.  I think it lists:

Everyone = print
CREATOR OWNER = manage docs
(individual logged in user) = print, manage printer, manage docs
Administrators Group = print, manage printer, manage docs
Yes, those permissions were on the user "All", the only user, on the Amyuni PDF printer. As an administrator you can of course always change the permissions.
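
To confirm on a given PC which trustees still hold "Manage this printer" or "Manage documents" after the change described in steps 1 to 7, the printer's security descriptor can be decoded. This is an added example, not code from the thread; the function name, the sample descriptor and the mapping of inheritable ACEs to "Manage documents" are the example's assumptions, and the live query assumes the PrintManagement module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the thread. Access bits are the winspool.h constants.
$PRINTER_ACCESS_ADMINISTER = 0x4         # "Manage this printer" (includes deleting it)
$PRINTER_ACCESS_USE        = 0x8         # "Print"
$JOB_ACCESS_ADMINISTER     = 0x10        # "Manage documents"
$GENERIC_ALL               = 0x10000000  # full control as written in built-in ACEs

function Get-PrinterAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $flags = [System.Security.AccessControl.AceFlags]
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # Assumption: ACEs flagged ObjectInherit are the ones print jobs inherit,
        # and inherit-only ACEs do not apply to the printer object itself.
        $onPrinter = -not $ace.AceFlags.HasFlag($flags::InheritOnly)
        $onJobs    = $ace.AceFlags.HasFlag($flags::ObjectInherit)
        $full      = ($ace.AccessMask -band $GENERIC_ALL) -ne 0
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Trustee       = $name
            Type          = $ace.AceQualifier
            Print         = $onPrinter -and ($full -or ($ace.AccessMask -band $PRINTER_ACCESS_USE))
            ManagePrinter = $onPrinter -and ($full -or ($ace.AccessMask -band $PRINTER_ACCESS_ADMINISTER))
            ManageDocs    = $onJobs -and ($full -or ($ace.AccessMask -band $JOB_ACCESS_ADMINISTER))
        }
    }
}

# Constructed sample descriptor so the function can be tried offline:
# Everyone = Print, CREATOR OWNER = Manage documents, Administrators = everything.
$sample = 'O:BAG:SYD:(A;;SWRC;;;WD)(A;OIIO;GA;;;CO)(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;GA;;;BA)'
Get-PrinterAce -Sddl $sample | Format-Table -AutoSize

# On a live machine, replace the placeholder with the name shown in Printers:
# Get-PrinterAce -Sddl (Get-Printer -Name '<printer name>' -Full).PermissionSDDL |
#     Where-Object { $_.ManagePrinter -or $_.ManageDocs }
```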