I've configured the following policies on the Default Domain Policy:
Computer Configuration -> Administrative Templates -> System -> Driver Installation ->
Allow non-administrators to install drivers for these device setup classes
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Devices: Prevent users from installing printer drivers
I've then confirmed the policy get's pushed out to a workstation by using RSOP (also ran a gpupdate /force for good measure). However users that are not local administrators on a workstation are still unable to install printer drivers when trying to add any shared printer (from HP, Konica Minolta or Canon) from two different print servers (one Server 2003 and one Server 2012 R2). I've tried it with multiple user accounts on multiple workstations (gpupdate /force on each).
It looks as though it's going to go through (it downloads the printer driver files from the print server), but then displays this message (attached):
Connect to Printer
Windows cannot connect to the printer. Access is denied.
I've spent at least a couple hours researching this trying to figure out a fix but all I can find are articles telling me to address the above two group policies. Can anyone offer any other advice?