Solved

Unable to allow users to install printer drivers

Posted on 2014-02-28
7
2,354 Views
Last Modified: 2014-04-14
I've configured the following policies on the Default Domain Policy:

Computer Configuration -> Administrative Templates -> System -> Driver Installation ->
Allow non-administrators to install drivers for these device setup classes
Enabled
{4d36e979-e325-11ce-bfc1-08002be10318}
{4658ee7e-f050-11d1-b6bd-00c04fa372a7}

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Devices: Prevent users from installing printer drivers
Disabled

I've then confirmed the policy get's pushed out to a workstation by using RSOP (also ran a gpupdate /force for good measure).  However users that are not local administrators on a workstation are still unable to install printer drivers when trying to add any shared printer (from HP, Konica Minolta or Canon) from two different print servers (one Server 2003 and one Server 2012 R2).  I've tried it with multiple user accounts on multiple workstations (gpupdate /force on each).

It looks as though it's going to go through (it downloads the printer driver files from the print server), but then displays this message (attached):

Add Printer
Connect to Printer
Windows cannot connect to the printer.  Access is denied.

I've spent at least a couple hours researching this trying to figure out a fix but all I can find are articles telling me to address the above two group policies.  Can anyone offer any other advice?
printer-driver-installation-erro.bmp
0
Comment
Question by:Palaceit
7 Comments
 
LVL 14

Accepted Solution

by:
brendanmeyer earned 500 total points
ID: 39896693
These are the following settings I have

AT - Administrative Templates

Computer Policy
AT->Printers
  Disallow installation of printers using kernel-mode drivers: Disabled
  Point and Print Restrictions: Enabled
    Users can only point and print to these servers: Disabled
    Users can only point and print to machines in their forest: Disabled
    Security Prompts:
      When installing drivers for a new connection: Do not show warning or evelate prompt
      When updating drivers for an existing connection: Do not show warning or evelate prompt
AT->System->Driver Installation
  {4d36e978-e325-11ce-bfc1-08002be10318}  - Ports (COM & LPT ports)

User Policy
AT->Control Panel->Printers
  Point and Print Restrictions: Disabled


Hope this helps
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39902449
This is common on some shared printers. You may need to uninstall and reinstall the driver on the server. Normally, shared printers work without any additional policy modification.

Alternatively, you can work around it.

Add printer as a local printer
- Create new port
- Leave local port selected.
- In the port name, type the unc path to the printer
eg \\server\printer

Hope this helps
0
 
LVL 38

Expert Comment

by:Herman D'Hondt
ID: 39964673
Not enough information to confirm an answer.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39954883
I disagree
0
 

Author Closing Comment

by:Palaceit
ID: 40000587
I was able to resolve this finally by using a combination of my original configuration and brendanmeyer's suggestions.

Additionally, I was only able to get this to work right by deploying this on the default domain policy.  I was unable to get it to work on the OU level.  That particular issue was likely caused by my own ignorance of Group Policy administration.

Finally, for anyone else working on this issue be aware that there are two device classes whose IDs are nearly identical so it may be easily overlooked that you may need both:
{4d36e979-e325-11ce-bfc1-08002be10318} - Printers
{4d36e978-e325-11ce-bfc1-08002be10318} - Ports (COM & LPT ports)
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now