Solved

AD rights to install local printers for a domain user

Posted on 2010-11-10
Last Modified: 2012-05-10
We have bought a system that temporarily installs and de-installs a PDF writer locally. But my users are ordinary domain users, so this does not work. Is it possible to add a GPO in the AD that allows a user or a PC those rights? In the old days it seems that this was possible if I set my users as power users and for that group add a GPO with the install local printer rights. But I don't want to do that because for security reasons I will keep them as domain users. What about the possibilities in Windows Server 2008?
Question by:SommelierRHS
29 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
For Windows XP the user must be at least Power User: http://support.microsoft.com/kb/297780/en-us
Also look here: http://forums.techarena.in/windows-xp-support/1031639.htm, they talk about Avecto Privilege Guard (http://www.avecto.com/product/) which may be a solution for your problem.
0
 
LVL 17

Expert Comment

by:Premkumar Yogeswaran
Hi,

At minimum the system requires power user rights to have the permission to install the printer.

I could advise you to use the previous way to grant power user rights...!

Is it a stand-alone printer or a network printer?

If it is a stand-alone printer you can give power user rights and have that printer installed.

If it is a network printer, you can add the user to the user system via login script.

Let us know if you have any questions.

Cheers,
Prem
0
 

Author Comment

by:SommelierRHS
It is not a physical printer but a pdf software printer that is integrated in the bought system and demands the rights to install a local printer. I will say that the designer of that system has made a bad solution, but this is now what we are in.

And I really do not want to give my users power user rights. Is there not any other way to solve this? Some new AD solution with a powerful group policy?
0
 
LVL 17

Expert Comment

by:Premkumar Yogeswaran
In this scenario, I could suggest you use software deployment via group policy...!

Please refer to the link below for the same.

http://support.microsoft.com/kb/816102

Cheers,
Prem
0
 
LVL 17

Expert Comment

by:Premkumar Yogeswaran
Also refer to the link below:

http://support.microsoft.com/kb/302430

Cheers,
Prem
0
 

Author Comment

by:SommelierRHS
Thanks, Prem, for your answer.

But in this case the system has an embedded solution with a part of the software that installs and then, after use, de-installs the logical PDF printer. So permanently installing the PDF printer will stress another legal solution with other licenses for the system that is too expensive for us.

Is it possible to open up this locally on the PC? Some GPO that only works locally?

0
 
LVL 28

Assisted Solution

by:Michael Pfister
Michael Pfister earned 125 total points
As I stated in my previous post: if the software dynamically installs and removes a local PDF printer, at least Power User rights are required on Windows XP. You may want to give Avecto Privilege Guard a try to let the restricted user run the entire software under Power User or Administrator rights.
0
 
LVL 17

Assisted Solution

by:Premkumar Yogeswaran
Premkumar Yogeswaran earned 100 total points
Hi,

Check this option

This can be set in group policy either in local policy, or via domain GPO, you can locate the policy at,

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Devices: Prevent users from installing printer drivers.

Refer to this link for reference:

http://www.petenetlive.com/KB/Article/0000148.htm

Cheers,
Prem
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 25 total points
http://support.microsoft.com/kb/297780
You can use the GPO to assign the Load/Unload device drivers rights to a user.
But note that this is a broad right.
0
 
LVL 29

Expert Comment

by:pwindell
I'm not looking for any points here. The two previous posts (Premglitz & Arnold) should cover it. Back when I had to do that I don't remember if I needed both GPO settings or not (install printer and load/unload drivers), but I seem to remember doing both.
But I was wondering... is this application called Orion from VCI Solutions? Is the PDF driver being handled called Amyuni or something like that?
0
 

Author Comment

by:SommelierRHS
Thanks, Prem and Arnold,

But both of you point at solutions which mean that power user rights are necessary. Prem, your suggestion is applicable to network printers, not local printers.

I am not a professional on AD and GPOs, but I am thinking that perhaps you know where to find a specially designed GPO that allows a user or, better, a specific PC to install a logical local printer, a PDF printer, and then de-install it?

Pwindell: I will try to find out which embedded software it is that handles the pdf writer.
0
 
LVL 28

Expert Comment

by:Michael Pfister
This is the official Microsoft statement from my first post:

"To install or to modify a local printer, either of the following conditions must be true:
* You must be logged on as an administrator or a member of the Administrators group.
* You must be logged on as a member of the Power Users group and have the Load/Unload Device Drivers user right. The Load/Unload Device Drivers user right is a Group Policy setting."

 http://support.microsoft.com/kb/297780/en-us

Believe it.


0
 
LVL 29

Expert Comment

by:pwindell
If you enable "regular users" in Group Policy to install the printer and load/unload drivers,...then they can do it without being power users.   I am reasonably certain that I have had it that way here in the past when we used to run some crap Application that did the same thing the OP is experiencing.
0
 
LVL 28

Expert Comment

by:Michael Pfister
No, it won't work. Only Power Users and Administrators are allowed to access i.e. C:\Windows\System32\spool, where Windows wants to store the printer drivers, or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print, where the spooler wants to store local printer settings...
It could work if you find all places and allow regular users to write to these places...
0

 
LVL 29

Expert Comment

by:pwindell
But if the Drivers are already there it should work?

Installing a printer and installing a driver are two separate things.  Also loading a driver is not the same as installing a driver.

When the App in question is installed the driver would be installed at that time.   If his App is like the one we had,...it is not installing the print driver over and over,..that is only installed once,...the App is "loading" the driver and installing the printer, then removing the printer and unloading the driver with every "print job".

Maybe I ended up making them power users, I can't remember,...but what is the point of having Group Policy items in AD for Installing Printers and Loading/Unloading Drivers if they don't effectively do anything.
0
 

Author Comment

by:SommelierRHS
Yes, pwindell, it is an embedded solution with this logical printer Amyuni. There are no drivers in the file system but instead a part of the code integrated in the systems code.

So we don't have the "install a printer driver" problem, just the question of how to allow installing that logical printer locally, and then uninstalling it.
0
 
LVL 29

Accepted Solution

by:pwindell
pwindell earned 250 total points
Then try the Group Policy items that have been suggested. There is two "halves" of it... one for Load/unload Drivers, one for installing printers. If you can't use GPOs then it can also be done locally at the user's workstation with local System Policies. If none of that works then you may have to make them power users on their workstations.

Are you a media facility (radio, TV, newspaper, etc.)? Are you using the VCI Traffic System? That is what we had this issue with, involving Amyuni.
0
 

Author Comment

by:SommelierRHS
Yes it is a Traffic system. If it is VCI from the beginning I don't know yet.

OK, I will now make some tries.
0
 
LVL 29

Expert Comment

by:pwindell
Hopefully you can get away from VCI someday.  Their "Orion" Client-side App is very thick and heavy.  We dropped them and went with WideOrbit.   We still use VCI for our Automation (AutoXe), but I think we are planning to switch that later too.   Now their support people were good to work with, I liked them,...just didn't care for the design and engineering of their product.
0
 
LVL 28

Expert Comment

by:Michael Pfister
For creating a local printer, even when the drivers are there, you need write permissions to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print.
0
 

Author Comment

by:SommelierRHS
To pwindell:

Three days ago you wrote "There is two "halves" of it,...one for Load/unload Drivers,...one for installing printers." Can you explain that more? I don't understand. I have been searching around via gpedit.msc and also locally in the security settings, but only found something about the driver, not the printer itself.
0
 
LVL 29

Expert Comment

by:pwindell
Yes there are two separate Policies.

1. Load & Unload Driver
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment folder

2. Install Printers.
This one is tricky. It is reverse logic. You have to disable the restriction that denies them. This one might grant permission to write to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print, but I am unsure. You still may have to grant regular users write permission to that key or make them local Power Users. Anyway, the Policy is located at: User Configuration\Administrative Templates\Control Panel\Printers and set the value to Disabled.

Anyway, I'm not denying what Mpfister is saying... he's right, but I think I got around it when we ran VCI, and I know we ran the users as normal regular users because the auto-update for the Orion Client would not run for the users when an update happened. So on "Update Morning" I had to log in to each machine as an admin and open Orion to let it update itself, then log off, and that was fine for me because I was not going to make them local Admins. They would have trashed the machines in a couple of days had I done that (been there, done that).
0
 
LVL 29

Expert Comment

by:pwindell
Note the exact wording of the Policies has changed from XP to Vista to Win7.
0
 

Author Comment

by:SommelierRHS
It is solved.

I couldn't find any working GPO solution, because if you look at the comments in the GPOs under User Configuration\Administrative Templates\Control Panel\Printers, it is still possible to install/uninstall through other programs. And this is what is the case here.

So thanks to you, pwindell, I focused on the PDF printer Amyuni and logged in as an administrator, ran the application up to the moment when it installs the Amyuni PDF printer, then changed the security settings on the printer to only allow printing but deny handling the printer. This means that you can no longer uninstall the printer, which the application normally does in the next moment when you finish the print job.

So doing this during my normal installation on the PCs is a piece of cake.

And thanks too, mpfister, premqlitz and arnold, for your contributions to my investigation of this. I have learned a lot.
0
 
LVL 29

Expert Comment

by:pwindell
"So thanks to you, pwindell, I focused on the PDF printer Amyuni and logged in as an administrator, ran the application up to the moment when it installs the Amyuni PDF printer, then changed the security settings on the printer to only allow printing but deny handling the printer. This means that you can no longer uninstall the printer, which the application normally does in the next moment when you finish the print job."

Wow!  That is some creative thinking,...I would have not thought of that one,...but it makes sense.
0
 
LVL 29

Expert Comment

by:pwindell
Can you explain exactly what you did in case I ever run into this again? I am particularly interested in who/what you granted or removed the permissions for.
0
 

Author Comment

by:SommelierRHS
1. As an administrator, open Printers in the Control Panel, so you can see when the Amyuni PDF printer is being installed.
2. Run the application up to the moment when you can see that the printer installs.
3. Hold the application.
4. Open the printer and then open the security folder.
5. In the security folder untick Manage Printers and Manage Documents. Then only printing is allowed.
6. Close the application and also be sure that it doesn't uninstall the Amyuni printer before you leave the session as an administrator.
7. Now test it with another account that only has ordinary user rights. Simsalabim! The Amyuni printer is there and will still be there through the whole application.
0
 
LVL 29

Expert Comment

by:pwindell
So you remove those permissions for everyone? Even the Admin? There is more than one group or user listed if I remember. I think it lists:

Everyone = print
CREATOR OWNER = manage docs
(individual logged in user) = print, manage printer, manage docs
Administrators Group = print, manage printer, manage docs
0
 

Author Comment

by:SommelierRHS
Yes, those permissions were on the user "All", the only user, on the Amyuni PDF printer. As an administrator you of course can always change the permissions.

 
0
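
A way to check the end state of the steps above (the "All"/Everyone entry left with Print only), added here as an example and not part of the thread: it parses a printer security descriptor in SDDL form and lists non-administrator trustees that still hold Manage Printers or Manage Documents. The two SDDL strings are constructed samples; reading the real string from the `PermissionSDDL` property of `Get-Printer -Full` assumes a newer Windows version than the XP-era clients discussed here.

```python
import re

# Access bits from winspool.h and their names in the printer Security tab.
PRINTER_ACCESS_ADMINISTER = 0x4   # Manage Printers
PRINTER_ACCESS_USE = 0x8          # Print
JOB_ACCESS_ADMINISTER = 0x10      # Manage Documents (on ACEs inherited by jobs)
SDDL_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
             "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
             "GA": 0xF003F}  # GENERIC_ALL treated here as every bit above
ADMIN_SIDS = {"BA", "SY"}  # Builtin Administrators, Local System

# Constructed samples: Everyone (WD) with full control vs. Everyone with Print only.
LOOSE = ("O:SYG:SYD:(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;WD)"
         "(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)")
LOCKED = "O:SYG:SYD:(A;;SWRC;;;WD)(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)"

def rights_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= SDDL_BITS.get(code, 0)
    return mask

def audit_printer_sddl(sddl):
    """Map each trustee to the permissions its allow ACEs grant (deny ACEs ignored)."""
    found = {}
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        if ace_type != "A":
            continue
        flag_set, mask = set(re.findall("..", flags)), rights_mask(rights)
        perms = found.setdefault(trustee, set())
        if "IO" not in flag_set:            # ACE applies to the printer itself
            if mask & PRINTER_ACCESS_ADMINISTER:
                perms.add("Manage Printers")
            if mask & PRINTER_ACCESS_USE:
                perms.add("Print")
        if "OI" in flag_set and mask & JOB_ACCESS_ADMINISTER:  # inherited by jobs
            perms.add("Manage Documents")
    return found

def risky_trustees(sddl):
    """Non-admin trustees that can still manage the printer or its documents."""
    return sorted(t for t, p in audit_printer_sddl(sddl).items()
                  if t not in ADMIN_SIDS and p & {"Manage Printers", "Manage Documents"})

if __name__ == "__main__":
    for name, sddl in (("loose", LOOSE), ("locked", LOCKED)):
        print(name, risky_trustees(sddl))
```
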
