
Thursday, August 31, 2017

Automate printer deployment through group policy

With the advent of Windows Vista/7/10 and UAC, Microsoft provided a mechanism for IT administrators to enhance the security of their desktops while still having a way to provide assistance when needed. It has also given us the ability to control at a granular level which sections of the OS end users may access. One of those areas is printer installation. Previously, if the drivers were not already on the workstation, you had to have administrative rights to install the printer. With UAC we can now grant non-administrators the rights to install printers without exposing the rest of the OS.

To set up Group Policy to allow automatic driver installation, perform the following procedure.
Log on to a machine with the Group Policy Management Console installed.
Create a new policy in your domain to hold these settings. Name it something similar to “Workstation Printer Deployment Configuration”.
Open the policy for editing.

Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options




Find the policy Devices: Prevent Users from Installing Drivers. Select the check box to define this policy, and then set it to Disabled.




Now browse to Computer Configuration > Policies > Administrative Templates > Printers


Find the policy in there labeled Point and Print Restrictions.


Enable the policy and scroll down to Security Prompts.
Change the drop-downs to "Do not show warning or elevation prompt". This allows Windows Vista users to install drivers without a UAC prompt (necessary for installation at login). Then click OK.



Now move down to User Configuration and browse to User Configuration > Policies > Administrative Templates > Control Panel > Printers



Find the policy for Point and Print Restrictions.
Enable the policy and scroll down to Security Prompts.
Change the drop-downs to "Do not show warning or elevation prompt". This allows Windows Vista users to install drivers without a UAC prompt (necessary for installation at login). Then click OK.


In the same window, locate the policy Prevent Addition of Printers.


Change that policy to Disabled.


Close the Policy Editor.
Now we need to place this policy on the domain. Link it at a location that applies to both all workstations and all user objects; in my case the easiest was at the top of the domain root. Your mileage may vary on the location.
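
To confirm on a workstation what the GPO actually applied, the following added PowerShell example (not part of the original post) reads the registry values behind the settings above. The registry paths and value names are assumptions about where these policies are stored, and the RestrictDriverInstallationToAdministrators row covers a setting from later Windows updates that the procedure above does not mention.

```powershell
# Added audit example (not from the original post). Registry paths and value
# names are assumptions about where the policies above store their settings.
$pnp     = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$install = @{ 0 = 'Show warning and elevation prompt'
              1 = 'Do not show warning or elevation prompt' }
$update  = @{ 0 = 'Show warning and elevation prompt'
              1 = 'Show warning only'
              2 = 'Do not show warning or elevation prompt' }

$checks = @(
    @{ Policy = 'Prevent users from installing printer drivers'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
       Name   = 'AddPrinterDrivers'
       Map    = @{ 0 = 'Disabled: users may install drivers'; 1 = 'Enabled' } },
    @{ Policy = 'Prevent addition of printers (HKCU:)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoAddPrinter'
       Map    = @{ 0 = 'Disabled: users may add printers'; 1 = 'Enabled' } },
    # Introduced by later Windows updates; not part of the procedure above.
    @{ Policy = 'Limit driver installation to administrators'
       Path   = "HKLM:\$pnp"
       Name   = 'RestrictDriverInstallationToAdministrators'
       Map    = @{ 0 = 'Non-administrators may install drivers'; 1 = 'Administrators only' } }
)

# Point and Print Restrictions is set under both Computer and User Configuration.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $checks += @{ Policy = "Point and Print: new connection prompt ($hive)"
                  Path = "$hive\$pnp"; Name = 'NoWarningNoElevationOnInstall'; Map = $install }
    $checks += @{ Policy = "Point and Print: driver update prompt ($hive)"
                  Path = "$hive\$pnp"; Name = 'UpdatePromptSettings'; Map = $update }
}

$report = foreach ($c in $checks) {
    # A missing key or value means the policy is not configured on this machine.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $state = if ($null -eq $value) { 'Not configured' }
             elseif ($c.Map.ContainsKey([int]$value)) { $c.Map[[int]$value] }
             else { 'Unrecognised value' }
    [pscustomobject]@{ Policy = $c.Policy; Value = $value; State = $state }
}
$report | Format-Table -AutoSize -Wrap
```

Run it in the logged-on user's session after `gpupdate /force`, because the HKCU rows reflect that user's policy rather than the machine's.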
















