Access is Denied message trying to print to networked printer from Windows 7

I have networked printers associated with servers (mostly Windows Server 2012). When I set up new computers or upgrade older ones to Windows 7, I log in as a domain administrator, install all printers, programs, set settings, etc. under that account. I then copy that account's profile so that the Default user has the same programs, printers, settings, etc. Then, everyone who logs into that computer has the same programs, printers, settings, etc.

This worked fine in Windows XP and I believe initially in Windows 7.  Seems like ever since Windows 7 SP1 or possibly an update, when a user logs onto a Windows 7 computer and tries to print, they can't unless their account is in the local Administrators group.  Does same thing regardless of 32-bit or 64-bit, Windows 7 Pro or Windows 7 Enterprise.   If I'm logged in as a normal user and open Devices and Printers, there is an icon over the printers that is yellow with an exclamation point.  If I try to open the printer, it says: Operation could not be completed (0x00000005).  Access is Denied.

Is there a fix for this or some folder that I need to give everyone access to?  We are a school district with many students sharing computers so having each student install the printers is not an option.  Thanks!

Thomas Grassi (Systems Administrator) commented:
Aland Coons (Systems Engineer) commented:
Quote/Excerpt: One problem we did not predict was standard users not being able to add network printers from the print server. When a non-admin user installs a printer, the printer driver needs to be installed and this is usually the reason why the Access Denied error appears (because only admins can install drivers).

So I started looking at group policies on the Windows 7 machine and found one named Point and Print Restrictions which seemed to do the trick! This policy can be found in the following location:

Computer Configuration -> Administrative Templates -> Printers

You can either just set this setting to Disabled or you can set it to Enabled and then specify which print servers you want users to be allowed to add printers from (personally I just set it to “any in this forest”). Now do a gpupdate from the Windows 7 computer, reboot, and you should now be able to add network printers when logged in as a regular user.

sfsdtc (Author) commented:
I was able to use Group Policy Management on one of my DCs to create a Policy with the settings in the specified websites and linked that policy to my Students OU.  I tested on a couple computers and seems to work.  I'll test in another building to be sure.  Assuming that works, I'll close this issue in the next day or two.

Thanks so much for your help on this!!!
sfsdtc (Author) commented:
I was wrong.  This did not fix the issue.  I tried using Group Policy Management to change these settings as well as gpedit on the local computer and change the settings there, did gpupdate /force and restarted a couple times.  It still doesn't let a regular user access the networked printers.
Thomas Grassi (Systems Administrator) commented:
Have you run RSOP or gpupdate /results on the computers and checked to see if the policy is being applied?

How many DCs do you have? Check to make sure replication is working also.
sfsdtc (Author) commented:
When I try RSOP, it says: the RSoP snap-in was unable to generate the computer's data due to insufficient permissions. I tried gpupdate /results but didn't work as that doesn't appear to be a valid gpupdate parameter. I tried both being logged in as a student (i.e., in local Users group).

Is there some way I can run the RSOP program as an administrator without actually logging on as one? Logged on as a student, I can't right click Command Prompt since Run as Administrator doesn't show as an option.
sfsdtc (Author) commented:
I put a student user account in the local Administrator's group then logged on as that student. When I logged in as that student I could run the RSOP program. However, under Computer Configuration, Administrative Templates, it only shows Network. It doesn't have the Printers item. Under Windows Settings, it only has Security Settings.
sfsdtc (Author) commented:
Sorry, didn't answer the DC question.  I have two DC servers at this building.  I went into Group Policy Management on both of them and verified that I have a group policy that has the Point and Print option set to the linked group policy for the Students OU - this OU has all of the student login accounts.
Thomas Grassi (Systems Administrator) commented:
Oops, my typo, it is gpresult /r

You can run it from another computer that has rights; I use psexec.

You need administrator rights to the remote computer.

psexec  \\computer  -u administrator -p xxxxxxxx gpresult /r >c:\gpresult.txt

With your computer being locked down, can you log on as administrator?
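
One way to confirm on the workstation itself whether the Point and Print Restrictions setting from the earlier comment has been applied, as an alternative to reading RSoP or gpresult output. This is an added example, not part of the original thread; it reads the registry values that this policy writes under HKLM and assumes nothing else about the environment.

```powershell
# Added example (not from the thread). Compatible with PowerShell 2.0 on Windows 7.
# Computer Configuration policy lands in HKLM on the workstation, so read it there.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    param([string]$Path = $PolicyKey)

    $result = @{ State = 'NotConfigured'; TrustedServers = @(); InForestOnly = $false
                 InstallPromptReduced = $false; UpdatePromptReduced = $false }
    if (Test-Path $Path) {
        $p = Get-ItemProperty -Path $Path
        # A missing DWORD counts as 0, the default (warning and elevation prompt shown).
        $dword = { param($n) if ($p.PSObject.Properties[$n]) { [int]$p.$n } else { 0 } }

        if ($p.PSObject.Properties['Restricted']) {
            if ((& $dword 'Restricted') -eq 1) { $result.State = 'Enabled' }
            else { $result.State = 'Disabled' }
        }
        # The server list only matters when the "trusted servers" option is switched on.
        if ((& $dword 'TrustedServers') -eq 1 -and $p.PSObject.Properties['ServerList']) {
            $result.TrustedServers = @($p.ServerList -split ';' | Where-Object { $_ })
        }
        $result.InForestOnly         = ((& $dword 'InForest') -eq 1)
        $result.InstallPromptReduced = ((& $dword 'NoWarningNoElevationOnInstall') -ne 0)
        $result.UpdatePromptReduced  = ((& $dword 'UpdatePromptSettings') -ne 0)
    }
    New-Object PSObject -Property $result
}

$policy = Get-PointAndPrintPolicy
$policy | Format-List

if ($policy.State -eq 'NotConfigured') {
    # Typical when the GPO is linked to an OU that holds user accounts only.
    Write-Warning 'No Point and Print policy in HKLM: the GPO is not applying to this computer account.'
} elseif ($policy.State -eq 'Disabled' -or $policy.InstallPromptReduced) {
    Write-Warning 'Driver installs are not gated by an elevation prompt; prefer Enabled with a named server list.'
}
```

A result of NotConfigured after gpupdate and a reboot means the setting never reached the machine, which is a linking or scoping problem rather than a printer permission problem.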
sfsdtc (Author) commented:
Plot thickens. When I logged back in as a student who is not part of the local Administrator's group, I can now access the printer. I verified they are not in the Administrator's group by trying to add them in to the group - got access denied message.

I'm guessing that by accessing the printer as a student that is in the Administrators group that it must set something for all non-admin users. I need to test this further.
Thomas Grassi (Systems Administrator) commented:
sfsdtc (Author) commented:
I'm not actually adding a printer when logged in as a student. The printer and driver are already there - installed when logged on as an Administrator then copied its profile to Default profile.

When logged on as a student who is not in the local Administrators group, if I even click the printer in Devices and Printers to see its status I get the Access is Denied message.

On several computers now I've logged onto a computer as a student that has Administrator rights, clicked the printer to see the status, then logged in as a student that does not have Administrator rights and now I'm able to see the printer status and print. Not sure why, but if this works consistently I can do this on all new computers I set up.
Thomas Grassi (Systems Administrator) commented:
Yes, that process will work.

The GPO method would work also if set up correctly.

But to get the computers working, that is a good method.

The reason is that you require administrator permissions to define, add, etc. printers to a user profile.

You can try adding them to Print Managers

see this

Aland Coons (Systems Engineer) commented:
I've seen the same thing many times. The DRIVER must be added as an administrator (unless you change the policy using GPO - see my first comment). The PRINTER can be added by anyone IF THE DRIVER is already installed into the local OS (it's already installed on the server of course).

So you really have two different issues:

1) The printer install which you want to automate naturally enough instead of having folks run the "add printer" Wizard or browse the network/server to find a printer.
2) The driver install which requires administrator permission unless otherwise configured on the local machine security or by way of a group policy (think "power user").

You have tested and proven this by installing the printer and the driver as an administrator (domain user with local administrator permission) then installed the printer (driver already present) as another user (student) without the same permissions.
sfsdtc (Author) commented:
When logged in as an administrator and then installing the printers and their drivers, then copying that user's profile to the Default profile, wouldn't that then also have the printers and drivers available to anyone (even non-admins) on that computer, as long as they have proper permissions to that printer?

When I log in as a student in the administrator group, I can click the printer and see the status. It doesn't appear to install anything. Likewise when I then log in as a student not in the administrator group, I can click the printers to see their status, doesn't appear to install anything.

It appears that by logging in as a student in the administrator group and then clicking the printers, it must set something to then allow non-admins to use the printers as well without actually installing anything.

Since setting the Point and Print group policy and the printer driver installation group policy at the domain level and/or the local computer level don't seem to work and I have a workaround, I'll leave this item open for a day or two then close it.

I might try the adding students as Print Managers to test that but prefer to not do this permanently as I'm guessing they could change settings on the printers that I don't want them to be able to.

Thanks everyone for your help on this!!!

Thomas Grassi (Systems Administrator) commented:
Yes, when you add a printer to the computer, all user profiles have access to that printer; you just need one account with admin permissions to set up the printer.

General users will only be able to print to it; no settings or managing of printer or print queue.
Aland Coons (Systems Engineer) commented:
If you use the network (AD/GPO) settings you should be able to get a working configuration like you need without resorting to workstation level "hacks".

By copying the local profile you may have created a local file permissions problem that extends into the printer. A user should have 100% control over all the files in their own profile. My suggestions would relate to "normal" configurations.
sfsdtc (Author) commented:
Having a student with admin permissions access the printer enabled all students without admin permissions to use the printers.