Network Printer Installation without administrator permissions
I am trialling Win 7 on a corporate network and I cannot find a way to allow users to install their network printers without having to know the admin password! We don't allow end users admin permissions to their desktops and laptops.
January 17th, 2010 2:09pm

Hi,Are the network printers in a domain? If so, you need have a domain profile and the profile is added in "Print Group" which is allowed to add the printer. The local admin password on the machine has not enough permission to add the network printer. Regarding the issue, I suggest you contact the corporate network administrator.Thanks,Novak
Free Windows Admin Tool Kit Click here and download it now
January 19th, 2010 11:16am

Hi thank you for the reply. Yes the printers are part of a domain and the user does have a domain profile. I am one of the IT team on my network.Are you saying that under Win 7 all users who want to add a network printer, must be added to the "Print Operator group" one of the built in security groups? I have checked our AD groups and this is the only one that exists.RegardsJT
January 19th, 2010 12:19pm

Actually, if you would like to install any domain resource, such as network printer, you must log on to the machine via domain profile which has enough permission. Please assure the current domain profile has enough permission to install program and use the network printer. If there is any error message when installing the printer, please upload it. Thanks, Novak
Free Windows Admin Tool Kit Click here and download it now
January 20th, 2010 6:04am

Hi there, The only message that appears is one asking for a username and password when adding the printer to the users profile. The only one that worked was the domain administrator password.We do not allow regular users to install programmes or locally attached printers, only install domain wide network printers. We have 20 offices/sites across the business and many more printers, so I don't want a larger admin task every time a users wants to use a printer! Under NT and XP Pro the users had enough permissions to do this simple task, only now with Win 7 is adding a domian printer becoming difficult.Kind RegardsJT
January 20th, 2010 10:47am

Hi, Please add the domain profile to the administrators group on the local Windows 7 machine, and then try to add the network printer again. If the error message persists, please post it here. Thanks, Novak
Free Windows Admin Tool Kit Click here and download it now
January 21st, 2010 9:41am

Hi NovakOk here is the situation now:Domain user profile added to print server (print operators Group)- no affect to installation of network printerDomain user profile added to local "power users" group on PC - installation fails at adding/installing printer drivers .Domain user profile added to local "admin group" on PC and the printer installation works fine.Problem!! We do not grant local admin to any of our corporate users, and adding them temporarily to setup a network printer is totally un-acceptable!regardsJT
January 25th, 2010 4:15pm

Johnty, I tried to send you a PM but I could not find where to do it so I am posting here. I see you that you indicate that you have this setup currently implemented on your network now. Users are able to add printers without admin permissions. If you would not mind, could you post in my thread how you do this? http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/c164e14a-7aea-42b9-b7a0-ca5b787bd157 Thank you! -Ryan
Free Windows Admin Tool Kit Click here and download it now
January 27th, 2010 11:40pm

hi Ryan,Sorry but I am in the same boat as you are, I cannot get past the intsallation without admin permission phase either!Seems like total screw up and if not fixed, a major headache for network admin people!Kind RegardsJT
January 28th, 2010 11:34am

Is any one going to provide and answer to this issue??JT
Free Windows Admin Tool Kit Click here and download it now
January 30th, 2010 11:24am

Hi. Are you running 2003 AD or 2008? If like me you are still running a 2003 AD Domain I had to modify each Windows 7 client (not a big problem as I did this as they came through the door).I still script printer installs (vbs). In a 2003 domain from the client machine (Windows 7) run gpedit.msc. Under 'Administrative Templates' choose 'Printers'. Various options available. The one relevant for me was 'Point and Print Restrictions'. Enabled, tick 'Users can only point and print to machines in their forest'. For security prompts choose 'Do not show warning or elevation prompt'. Also under system there is an option for 'Driver Installation'. 'Allow non-administrators to install drivers for these device setup classes'.http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/1033e175-f133-400c-851f-0f4d98946188/[Quote]Locate to "Computer configuration"->"Driver installation"->"Allow non-administrators to install drivers for these device setup" classes, double-click it. Select Enable, click Show…, then click Add…, enter the class ID {4D36E979-E325-11CE-BFC1-08002BE10318}. (brackets included.).[/Quote]Now this will not help deploying across all users as it has to be configured on a per machine basis. From what I gather you can globally control print settings via Group Policy in 2008 domain but I have not had chance to look?Hope it helps.Phil.
February 1st, 2010 2:16pm

PhilThanks for this, Yes I am running 2003 AD and skipped the Vista bit which would have thrown this up earlier.That has answered my problem, still a pain modifying each PC but I can live with that..Many Thanks again.JT
Free Windows Admin Tool Kit Click here and download it now
February 1st, 2010 6:01pm

This is BS! We have been running vista for 3 years, and have never seen this. We are running AD2003 domain. I can not figure out how to get printers to install correctly on our Win7 Machines. Same issue. We have extended our schema with the vista/7 GPOs (admx files) setup the point and print. added the classID to the GPOs. NOTHING works... Anybody? -Dan
March 23rd, 2010 10:48pm

Same issue, anybody had a luck with this??
Free Windows Admin Tool Kit Click here and download it now
April 25th, 2010 4:22pm

If you need your users to be able to add their own print drivers you will have to use Group Policy. Create a new GPO and apply it to the container for the workstation's account in Active Directory, or modify an existing GPO that already applies to the workstation's account. In the GPO you need to set the Driver Installation policy. It is located here: Computer Configuration\Policies\Administrative Templates\System\Driver Installation The setting is called "Allow non-administrators to install drivers for these devices setup classes". You will need to add the device class GUID of printers. A list of GUIDs can be found here: http://xpdrivers.com/troubleshooting/device-class-guids-for-popular-types-of-hardware/
May 7th, 2010 5:56pm

Hello, i am sorry but the workaround doesn t work. we have he same issue. And even creating a local or domain gpo with both the point and clik restriction and the allow non administrator to install printers doesn t work. when you double clik on a printer you get the driver downloaded right. then i get a nice : acces is denied. if i log with a domain admin user, no problem it works or if i log under a user of the domain that has been put local admin : it works ! any help will be appreciated !
Free Windows Admin Tool Kit Click here and download it now
June 7th, 2010 11:24pm

This may help you out, I found that my users did not have permission to add networked printers. So I made the following change to allow them to add printers from my print server. Good luck There is a setting under Computer Configuration/Administrative Templates/Printers called “Point and Print Restrictions” 1. Set it to “Enabled” 2. Put a check box in “Users can only point and print to these servers:” 3. Enter your print server name in the box “servername.domainname.com” 4. Security Prompts – set both to “Do not show” Now your users should be able to add printers from your print server
June 17th, 2010 9:07pm

I am sorry but this doesn't work. I went straight to the top and have modified the Default domain policy added all the GUIDS as recommended and so far only 1 older HP laserjet 4100 mfp can be installed without the user being asked for the credentials of a user with admin permissions! This is a major blunder by Microsoft who thought this was a good idea to mess with permissions that affects many many mobile workers who move from office to office adding printer as they go? So much for the Microsoft extended network idea!! Total BS
Free Windows Admin Tool Kit Click here and download it now
July 21st, 2010 11:20am

Total BS First of all, take a deep breath. We're discussing printer driver installation policies. Not the Iraq war, or global terrorism, or genocide. Printer drivers. Second, I think I've got the answer (at least it fixed the problem for me today). Keep in mind that I don't work for Microsoft, I'm just a guy who had the same problem as you. There are TWO "Point and Print Restrictions" settings Computer Configuration/Policies/Administrative Templates/Printers/Point and Print Restrictions User Configuration/Policies/Administrative Templates/Control Panel/Printers/Point and Print Restrictions Of these two, the one under Computer Configuration seems to be the important one. But guess what? The original Server 2008 doesn't include this setting in the list -- you need Server 2008 R2 for this setting to show up. If you download the administrative templates from Server 2008 R2, extract, and copy the PolicyDefinitions folder to C:\Windows\sysvol\domain\Policies\PolicyDefinitions, this missing policy will show up magically in Group Policy Management Editor. Of course, the ADMX files from Server 2008 R2 causes Group Policy Management Editor from Server 2008 to complain about parse errors, but it works just fine to click "OK". Once you've installed the proper ADMX files, for this to work in Windows 7, configure both of these "Point and Print Restrictions" settings to: Enabled Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt Also, don't forget to make sure the users have permission to install printer drivers, since you're not even going to try to use Admin privileges any more: Computer Configuration\Policies\Administrative Templates\System\Driver Installation The setting is called "Allow non-administrators to install drivers for these devices setup classes". You will need to add the device class GUID of printers: {4d36e979-e325-11ce-bfc1-08002be10318} Don't forget to update the computer policy on the workstation by running "gpupdate /force". Then log on as a non-admin user, and test! It worked for me with an annoying Konica Minolta bizhub C550 fax driver that was prompting my Win7 non-admin users for privileges when the logon script tried to install the driver for them. YMMV. Good luck!
July 21st, 2010 6:26pm

Are you getting an admin prompt with details like these below? I was and solved it with the following. The printer install halted at this point and prompted for administrator credentials: "C:\Windows\system32\NtPrint.exe" PSetupElevatedInstallDownloadedLegacyDriverW {8FCEE422-B109-4758-9A6E-5BAB7B37996F} You will also have to set the GPO for Point and Print restrictions first and then Deploy the printers to the users using Group Policy . This will get rid of that admin prompt for non-admins when installing printers on Windows 7. http://technet.microsoft.com/en-us/library/cc731292.aspx To deploy printers to users or computers by using Group Policy 1. Open Print Management. 2. In the left pane, click Print Servers, click the applicable print server, and click Printers. 3. In the center pane, right-click the applicable printer, and then click Deploy with Group Policy. 4. In the Deploy with Group Policy dialog box, click Browse, and then choose or create a new GPO for storing the printer connections. 5. Click OK. 6. Specify whether to deploy the printer connections to users, or to computers: To deploy to groups of computers so that all users of the computers can access the printers, select the The computers that this GPO applies to (per machine) check box. To deploy to groups of users so that the users can access the printers from any computer they log onto, select the The users that this GPO applies to (per user) check box. 7. Click Add. 8. Repeat steps 3 through 6 to add the printer connection setting to another GPO, if necessary. 9. Click OK.
Free Windows Admin Tool Kit Click here and download it now
July 28th, 2010 5:43am

Are you getting an admin prompt with details like these below? I was and solved it with the following. The printer install halted at this point and prompted for administrator credentials: "C:\Windows\system32\NtPrint.exe" PSetupElevatedInstallDownloadedLegacyDriverW {8FCEE422-B109-4758-9A6E-5BAB7B37996F} You will also have to set the GPO for Point and Print restrictions first and then Deploy the printers to the users using Group Policy . This will get rid of that admin prompt for non-admins when installing printers on Windows 7. http://technet.microsoft.com/en-us/library/cc731292.aspx To deploy printers to users or computers by using Group Policy 1. Open Print Management. 2. In the left pane, click Print Servers, click the applicable print server, and click Printers. 3. In the center pane, right-click the applicable printer, and then click Deploy with Group Policy. 4. In the Deploy with Group Policy dialog box, click Browse, and then choose or create a new GPO for storing the printer connections. 5. Click OK. 6. Specify whether to deploy the printer connections to users, or to computers: To deploy to groups of computers so that all users of the computers can access the printers, select the The computers that this GPO applies to (per machine) check box. To deploy to groups of users so that the users can access the printers from any computer they log onto, select the The users that this GPO applies to (per user) check box. 7. Click Add. 8. Repeat steps 3 through 6 to add the printer connection setting to another GPO, if necessary. 9. Click OK. Hi Orayshineo, i found that by adding the GUID quoted : {8FCEE422-B109-4758-9A6E-5BAB7B37996F} to the GPO called "Allow non-administrators to install drivers for these devices setup classes" under Computer Configuration\Policies\Administrative Templates\System\Driver Installation did the trick for me. "A list of GUIDs can be found here: http://xpdrivers.com/troubleshooting/device-class-guids-for-popular-types-of-hardware/" guess this list is out of date! i Still get prompted for me to install the printer, but that was my aim, i want to be prompted to install the printer, but wanted my Users to be able to install them! :) also the Deploy via GPO option wouldnt work for me in theory as i deploy my printers via login script, based on security group membership not GPO. so to recap: Create GPO, at the suitable level for your enviroment change: Computer Configuration/Policies/Administrative Templates/Printers/Point and Print Restrictions User Configuration/Policies/Administrative Templates/Control Panel/Printers/Point and Print Restrictions to reflect this: Enabled Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt then change this: Computer Configuration\Policies\Administrative Templates\System\Driver Installation\"Allow non-administrators to install drivers for these devices setup classes". add the device class GUID of printers: {4d36e979-e325-11ce-bfc1-08002be10318} and {8FCEE422-B109-4758-9A6E-5BAB7B37996F} (this may be different to yours as my printers are HP's, and may be different for manufacturer) to the list on local machine do gpupdate /force then test! Cheers
August 16th, 2010 7:17pm

Ok I agree with UK_Johnty this is BS. We have a MS moderator who is suggesting we make regular users admins as a solution. (how did he get that job?!) and people thinking we should just push out shared printers over GPO.... But organizations have people that move and need to use different printers. Too many to push out all of them all the time... MS should just release a patch to reenable people to install network printers without having to be added to groups or become admins. I lock down the printers from the server. I don't need this tweaking crap just to allow users to be able to print.I'm not smarter than anyone else, I've just broken more things. =)
Free Windows Admin Tool Kit Click here and download it now
January 24th, 2011 10:45am

Is there a solution like this one for those, like us, who are still using Windows 2003 Std. Server? In GPO Editor under Windows 2003 Std. Server there are not those policies you mentioned. Thank you!
January 28th, 2011 2:04pm

Hi Justin, Thanks for the solution... I was facing this problem since last six months but its now resolved just because of you .. Great Help!!! Thanks Again :-)
Free Windows Admin Tool Kit Click here and download it now
January 31st, 2011 10:57am

Glad to be of help! Thanks for letting me know it was helpful... it encourages me to post more often on forums like this, knowing there are real people being helped!
January 31st, 2011 11:20am

Justin, get over yourself. This is BS and obviously you don't manage a large network. No one has come up with a solution for those who are still running 2003 Print Servers on a 2003 AD Domain Structure. We need detailed steps for an easy solution to accomplish this. Pushing printers out via GPO is NOT an option. Users need to be able to select printers and install them. Someone out there has to have the solution.
Free Windows Admin Tool Kit Click here and download it now
January 31st, 2011 12:01pm

Wow. Just when I thought that this was becoming a civil place to discuss real issues. For the record, my post didn't address the problem you describe. But I wish you the best in finding a solution for your problem. :)
January 31st, 2011 12:15pm

To allow the regular domain users to install the printers in Windows 7 without having admin privileges on a 2k3 domain you will need to add a couple of keys in the registry on the users workstations. We do this on a 300+ machine domain using Group Policy > Computer Configuration >Windows Settings >Scripts>Startup We have a batch file that picks up various machine level fixes and patches that we want to push out. Here is the important pieces for the Windows 7 printer issue i am giving two examples one .Reg file and the other a .VBS file Start of Reg file Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions] "AllowUserDeviceClasses"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses] "1"="{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}" "2"="{48721B56-6795-11D2-B1A8-0080C72E74A2}" "3"="{49CE6AC8-6F86-11D2-B1E5-0080C72E74A2}" "4"="{4658EE7E-F050-11D1-B6BD-00C04FA372A7}" "5"="{4D36E971-E325-11CE-BFC1-08002BE10318}" "6"="{4D36E979-E325-11CE-BFC1-08002BE10318}" End of Reg file 1 is Imaging devices Device Class GUID 2 is IEEE 1284.4 devices Device Class GUID 3 is IEEE 1284.4 compatible printer Device Class GUID 4 is IEEE 1394 and SCSI printers Device Class GUID 5 is Multifunction adapters Device Class GUID 6 is Printers Device Class GUID If you search the registry for the GUID's above you will see that they correspond with what I have listed. Here is the same thing under VBS Script. Start VBS file Option Explicit Dim Shell, WshShell Set WshShell = CreateObject( "WScript.Shell" ) WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses", "00000001","REG_DWORD" WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\1", "{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}","REG_SZ" WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\2", "{48721B56-6795-11D2-B1A8-0080C72E74A2}","REG_SZ" WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\3", "{49CE6AC8-6F86-11D2-B1E5-0080C72E74A2}","REG_SZ" WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\4", "{4658EE7E-F050-11D1-B6BD-00C04FA372A7}","REG_SZ" WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\5", "{4D36E971-E325-11CE-BFC1-08002BE10318}","REG_SZ" WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\6", "{4D36E979-E325-11CE-BFC1-08002BE10318}","REG_SZ" End VBS File Hope this helps.
Free Windows Admin Tool Kit Click here and download it now
February 14th, 2011 11:22pm

To allow the regular domain users to install the printers in Windows 7 without having admin privileges on a 2k3 domain you will need to add a couple of keys in the registry on the users workstations. We do this on a 300+ machine domain using Group Policy > Computer Configuration >Windows Settings >Scripts>Startup We have a batch file that picks up various machine level fixes and patches that we want to push out. Here is the important pieces for the Windows 7 printer issue i am giving two examples one .Reg file and the other a .VBS file >code< Hope this helps. Thanks for the tip. Where did you get this information from? Thanks
February 21st, 2011 8:02pm

We have the same issue, have worked through every proposed solution on this page without success. Has anyone found an answer to this?
Free Windows Admin Tool Kit Click here and download it now
March 23rd, 2011 12:01pm

We have the same issue, have worked through every proposed solution on this page without success. Has anyone found an answer to this? For me, I just had this problem. For me, everything worked, when I tried to install a printer with a SIGNED driver.... one of our Lexmark's using the Lexmark Universal print driver. However, when we tried to add our MFC which is a Toshiba, it asked "if you trust the driver". I resoved this by adding the driver signing change through GPO to ALLOW unsigned drivers rather than WARN. This fixed the problem for me, although, it did kind of weaken security a bit.
March 30th, 2011 9:23pm

This may help you out, I found that my users did not have permission to add networked printers. So I made the following change to allow them to add printers from my print server. Good luck There is a setting under Computer Configuration/Administrative Templates/Printers called “Point and Print Restrictions” 1. Set it to “Enabled” 2. Put a check box in “Users can only point and print to these servers:” 3. Enter your print server name in the box “servername.domainname.com” 4. Security Prompts – set both to “Do not show” Now your users should be able to add printers from your print server This worked for me thanks, keep in mind if you tried any other solutions listed here you will need to undo them and then try only this be sure to put in PRINTSERVERNAME.YOURDOMAIN.COM
Free Windows Admin Tool Kit Click here and download it now
April 13th, 2011 6:45pm

My solution - 1. Set a GPO with the COMPUTER CONFIGURATION / POLICIES / ADMINISTRATIVE TEMPLATES / PRINTERS / Policy Setting Comment Point and Print Restrictions Enabled Users can only point and print to these servers: Disabled Enter fully qualified server names separated by semicolons Users can only point and print to machines in their forest Disabled Security Prompts: When installing drivers for a new connection: Do not show warning or elevation prompt When updating drivers for an existing connection: Do not show warning or elevation prompt 2. Additionally, do the same under USER CONFIGURATION / POLICIES / ADMINISTRATIVE TEMPLATES / CONTROL PANEL / PRINTERS / Works with our Win7 & W2k3 infrastucture.
April 27th, 2011 7:33pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics