Search This Blog

Tuesday, November 22, 2011

Administrative Template Point and Print Restrictions

This worked for me... found this after I posted the above. hope it helps some of you having the same issue. I did this on my local pc not the Domain GPO so it would work in either place.



There are TWO "Point and Print Restrictions" settings

* Computer Configuration/Policies/Administrative Templates/Printers/Point and Print Restrictions
* User Configuration/Policies/Administrative Templates/Control Panel/Printers/Point and Print Restrictions


Of these two, the one under Computer Configuration seems to be the important one. But guess what? The original Server 2008 doesn't include this setting in the list -- you need Server 2008R2 for this setting to show up. If you download the administrative templates from Server 2008 R2, extract, and copy the PolicyDefinitions folder to C:\Windows\sysvol\domain\Policies\PolicyDefinitions, this missing policy will show up magically in Group Policy Management Editor. Of course, the ADMX files from Server 2008 R2 causes Group Policy Management Editor from Server 2008 tocomplain about parse errors, but it works just fine to click "OK".


Once you've installed the proper ADMX files, for this to work in Windows 7, configure both of these "Point and Print Restrictions" settings to:

* Enabled
* Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt
* Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt


Also, don't forget to make sure the users have permission to install printer drivers, since you're not even going to try to use Admin privileges any more:

* Computer Configuration\Policies\Administrative Templates\System\Driver Installation
* The setting is called "Allow non-administrators to install drivers for these devices setup classes".
* You will need to add thedevice class GUID of printers: {4d36e979-e325-11ce-bfc1-08002be10318}


Don't forget to update the computer policy on the workstation by running "gpupdate /force". Then log on as a non-admin user, and test! It worked for me with an annoying Konica Minolta bizhub C550 fax driver that was prompting my Win7 non-admin users for privileges when the logon script tried to install the driver for them. YMMV.


Good luck!

3 comments:

Scott Carter said...

Thanks for the post! I was able to get this working just by doing the last part:

* Computer Configuration\Policies\Administrative Templates\System\Driver Installation
* The setting is called "Allow non-administrators to install drivers for these devices setup classes".
* You will need to add thedevice class GUID of printers: {4d36e979-e325-11ce-bfc1-08002be10318}

Scott Carter said...

I lied. I ended up having to apply the Point and Print setting as well, but I simply disabled it. Here is where you can download the Server 2009 R2 Admin template files:

http://www.microsoft.com/en-us/download/details.aspx?id=6243

Kevin McGillicuddy said...

will this work with a domain functional level of 2003? I created the policy through my 2008R2 domain controller but PC's would not take the printer until I made the policy local to that machine (gpedit.msc). I am thinking the issue may be with the 2003 functional level