sfsdtc
asked on
Access is Denied message trying to print to networked printer from Windows 7
I have networked printers associated with servers (mostly Windows Server 2012). When I setup new computers or upgrade older ones to Windows 7, I login as a domain administrator, install all printers, programs, set settings, etc. under that account. I then copy that account's profile so that the Default user has the same programs, printers, settings, etc. Then, everyone who logs into that computer has the same programs, printers, settings, etc.
This worked fine in Windows XP and I believe initially in Windows 7. Seems like ever since Windows 7 SP1 or possibly an update, when a user logs onto a Windows 7 computer and tries to print, they can't unless their account is in the local Administrators group. Does same thing regardless of 32-bit or 64-bit, Windows 7 Pro or Windows 7 Enterprise. If I'm logged in as a normal user and open Devices and Printers, there is an icon over the printers that is yellow with an exclamation point. If I try to open the printer, it says: Operation could not be completed (0x00000005). Access is Denied.
Is there a fix for this or some folder that I need to give everyone access to? We are a school district with many students sharing computers so having each student install the printers is not an option. Thanks!
This worked fine in Windows XP and I believe initially in Windows 7. Seems like ever since Windows 7 SP1 or possibly an update, when a user logs onto a Windows 7 computer and tries to print, they can't unless their account is in the local Administrators group. Does same thing regardless of 32-bit or 64-bit, Windows 7 Pro or Windows 7 Enterprise. If I'm logged in as a normal user and open Devices and Printers, there is an icon over the printers that is yellow with an exclamation point. If I try to open the printer, it says: Operation could not be completed (0x00000005). Access is Denied.
Is there a fix for this or some folder that I need to give everyone access to? We are a school district with many students sharing computers so having each student install the printers is not an option. Thanks!
Quote/Excerpt: One problem we did not predict was standard users not being able to add network printers from the print server. When a non-admin user installs a printer, the printer driver needs to be installed and this is usually the reason why the Access Denied error appears (because only admins can install drivers).
So I started looking at group policies on the Windows 7 machine and found one named Point and Print Restrictions which seemed to do the trick! This policy can be found in the following location:
Computer Configuration -> Administrative Tempates -> Printers
You can either just set this setting to Disabled or you can set it to Enabled and then specify which print servers you want users to be allowed to add printers from (personally I just set it to “any in this forest”). Now do a gpupdate from the Windows 7 computer, reboot, and you should now be able to add network printers when logged in as a regular user.
Ref. http://blog.cjwdev.co.uk/2010/03/10/windows-7-add-network-printer-access-is-denied-fix/
So I started looking at group policies on the Windows 7 machine and found one named Point and Print Restrictions which seemed to do the trick! This policy can be found in the following location:
Computer Configuration -> Administrative Tempates -> Printers
You can either just set this setting to Disabled or you can set it to Enabled and then specify which print servers you want users to be allowed to add printers from (personally I just set it to “any in this forest”). Now do a gpupdate from the Windows 7 computer, reboot, and you should now be able to add network printers when logged in as a regular user.
Ref. http://blog.cjwdev.co.uk/2010/03/10/windows-7-add-network-printer-access-is-denied-fix/
ASKER
I was able to use Group Policy Management on one of my DCs to create a Policy with the settings in the specified websites and linked that policy to my Students OU. I tested on a couple computers and seems to work. I'll test in another building to be sure. Assuming that works, I'll close this issue in the next day or two.
Thanks so much for your help on this!!!
Thanks so much for your help on this!!!
ASKER
I was wrong. This did not fix the issue. I tried using Group Policy Management to change these settings as well as gpedit on the local computer and change the settings there, did gpupdate /force and restarted a couple times. It still doesn't let a regular user access the networked printers.
Have you run RSOP or gpupdate /results on the computers tand check to see if the policy is being applied.
How many DC's you have? check to make sure replication is working also.
How many DC's you have? check to make sure replication is working also.
ASKER
When I try RSOP, it says: the RSoP snap-in was unable to generate the computer's data due to insufficient permissions. I tried gpupdate /results but didn't work as that doesn't appear to be a valid gpudate parameter. I tried both being logged in as a student (i.e., in local Users group).
Is there some way I can run the RSOP program as an administrator without actucally logging on as one? Logged on as a student, I can't right click Command Prompt since Run as Administrator doesn't show as an option.
Is there some way I can run the RSOP program as an administrator without actucally logging on as one? Logged on as a student, I can't right click Command Prompt since Run as Administrator doesn't show as an option.
ASKER
I put a student user account in the local Adminstrator's group then logged on as that student. When I logged in as that student I could run the RSOP program. However, under Computer Configuration, Administrative Templates, it only shows Network. It doesn't have the Printers item. Under Windows Settings, it only has Security Settings.
ASKER
Sorry, didn't answer the DC question. I have two DC servers at this building. I went into Group Policy Management on both of them and verified that I have a group policy that has the Point and Print option set to the linked group policy for the Students OU - this OU has all of the student login accounts.
Ooops my typo it is gpresult /r
You can run it from another computer that has rights I use psexec
you need administrator rights to the remote computer
psexec \\computer -u administrator -p xxxxxxxx gpresult /r >c:\gpresult.txt
Your computer being locked down can you logon as administror
You can run it from another computer that has rights I use psexec
you need administrator rights to the remote computer
psexec \\computer -u administrator -p xxxxxxxx gpresult /r >c:\gpresult.txt
Your computer being locked down can you logon as administror
ASKER
Plot thickens. When I logged back in as a student who is not part of the local Administrator's group, I can now access the printer. I verified they are not in the Administrator's group by trying to add them in to the group - go access denied message.
I'm guessing that by accessing the printer as a student that is in the Adminstrators group that it must set something for all non-admin users. I need to test this further.
I'm guessing that by accessing the printer as a student that is in the Adminstrators group that it must set something for all non-admin users. I need to test this further.
Yes they need administrator permissions to add printers
I found numerous articles on this subject
http://serverfault.com/questions/213560/network-printer-installation-without-administrator-permissions
https://social.technet.microsoft.com/Forums/windows/en-US/532e101e-424d-45c8-b984-1adf33d9744d/network-printer-installation-without-administrator-permissions?forum=w7itpronetworking
Bing search for
network printer installation without administrator permissions
HTH
I found numerous articles on this subject
http://serverfault.com/questions/213560/network-printer-installation-without-administrator-permissions
https://social.technet.microsoft.com/Forums/windows/en-US/532e101e-424d-45c8-b984-1adf33d9744d/network-printer-installation-without-administrator-permissions?forum=w7itpronetworking
Bing search for
network printer installation without administrator permissions
HTH
ASKER
I'm not actually adding a printer when logged in as a student. The printer and driver are already there - installed when logged on as an Administrator then copied its profile to Default profile.
When logged on as a student who is not in the local Administrators group, If I even click the printer in Devices and Printers to see its status I get the Access is Denied message.
On several computers now I've logged onto a computer as a student that has Administrator rights, clicked the printer to see the status, then logged in as a student that does not have Administrator rights and now I'm able to see the printer status and print. Not sure why, but if this works consistently I can do this on all new computers I setup.
When logged on as a student who is not in the local Administrators group, If I even click the printer in Devices and Printers to see its status I get the Access is Denied message.
On several computers now I've logged onto a computer as a student that has Administrator rights, clicked the printer to see the status, then logged in as a student that does not have Administrator rights and now I'm able to see the printer status and print. Not sure why, but if this works consistently I can do this on all new computers I setup.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I've seen the same thing many times. The DRIVER must be added as an administrator (unless you change the policy using GPO - see my first comment. The PRINTER can be added by anyone IF THE DRIVER is already installed into the local OS (it's already installed on the server of course).
So you really have two different issues:
1) The printer install which you want to automate naturally enough instead of having folks run the "add printer" Wizard or browse the network/server to find a printer.
2) The driver install which requires administrator permission unless otherwise configured on the local machine security or by way of a group policy (think "power user").
You have tested and proven this by installing the printer and the driver as a administrator (domain user with local administrator permission) then installed the printer (driver already present) as another user (student) without the same permissions.
So you really have two different issues:
1) The printer install which you want to automate naturally enough instead of having folks run the "add printer" Wizard or browse the network/server to find a printer.
2) The driver install which requires administrator permission unless otherwise configured on the local machine security or by way of a group policy (think "power user").
You have tested and proven this by installing the printer and the driver as a administrator (domain user with local administrator permission) then installed the printer (driver already present) as another user (student) without the same permissions.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yes when you add a printer to the computer all user profiles have access to that printer you just need one account with admin permissions to setup the printer
General users will only be able to print to it no settings or managing of printer or print queue
General users will only be able to print to it no settings or managing of printer or print queue
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Having a student with adim premissions access the printer enabled all students without admin permissions to use the printers.
http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/install-network-printers-without-local-admin/b21aa72b-5a7f-485d-999e-f844e7d4a550?auth=1
Look into setting up a GPO to do all this for you