allow printer installation

  • Thread starter Thread starter John
  • Start date Start date
J

John

I need to allow printer installation on Windows XP and 2000 Pro laptops
without giving local admin or power user rights... is this possible?
 
John502 said:
I need to allow printer installation on Windows XP and 2000
Pro laptops
without giving local admin or power user rights... is this
possible?
Click to expand...

Hi,

It depends on what you mean by "printer install". Do you mean if
they buy their own physical printer and want to install it? Or do you
mean install a Network Printer. Network Printers are easy to do. The
Physical printer may cause more problems. You can allow them to "add
device" in CompConfig-Windows Settings-Security Settings-User Rights
Assignment.

Network Printers can be installed under a system account. I do them
with a batch file on startup.

Cheers,

Lara
 
I had the same problem. If users did not have admin rights they could
not install certain types of print drivers. There is a group policy
setting to resolve this.

If you are using group policies, it's one setting that allows non
admins to add all printers. I use it myself.. Under Local Computer
Policy | User Configuration | Administrative Templates | Control Panel
| Printers there is the Point and Print Restrictions setting. If you
disable this setting, the users will be able to add printers even if
they do not have admin rights. If you have a group policy applied to
an OU or domain, you can add it in there. If you are not in a domain
environment, you can also do it locally on the PC.

Greg
 
Hi
If you disable this setting, the users will be able to add printers
even if they do not have admin rights.
Click to expand...

That is true, however, depending on your NTFS permissions on the
machine the printer files may have to be copied to the machine first.
My users have no write access to the harddrives therefore if they add
a printer (which they are allowed to do) it will hang because the
files cannot be copied to the local machine. To resolve this, I put
the printer addition in a batch file (below) and set it as a startup
script. It will copy the files to the computer and then the users can
add the printer.

rundll32 printui.dll,PrintUIEntry /in /q /n "\\Server\Printer"

Cheers,

Lara
 
Lara,
I'm very interested in how you do this. I use group policies to define
some settings but don't use any start up scripts at this time. Right
now, I'm just using plain old batch files to map drives. Do you have a
sample start up script you can post as an example? I was planning to
use one to reset the local admin password on each workstation.

What I'm really interested in, though, is how you've been able to setup
your users without permissions to their own C drives. Most of my users
have administrative rights on their local PCs because they use CAD
applications that won't work properly without Admin or Power User
rights. This, of course, leads to other problems--users downloading
programs from the Internet, spyware, etc. So I'm looking for ways to
lock down the PCs and users.
Thanks,
Greg
 
Hi,
What I’m really interested in, though, is how you’ve been
able to setup your users without permissions to their own C drives.
Most of my users have administrative rights on their local PCs because
they use CAD
applications that won’t work properly without Admin or Power
User
Click to expand...

Actually I have gotten all my programs to run under a regular
read-only user including all the Autodesk AutoCad programs. However,
it does require some tweaking. The CAD programs are the worst.
Luckily with the dawn of XP, most software companies now write for
regular users. Adobe and Macromedia write their software now so it can
run under a read-only account.

For the other programs, I use a program called INCTRL5 which is here
http://www.sd61.bc.ca/windows2000/downloads/inctrl5.zip
I run inctrl5 as an Admin and then run the program, close the program
and run inctrl5 again. It gives me ALL the files and Registry entries
that were written to. I ignore all the ones in the HKLUser and any
that I know are not related to the software. I then use Regedt32 to
give write permissions to ONLY the registry keys listed. Usually this
is in the HKLM-Software-Softwareprogram key. I then give write access
to ONLY the files listed.

I haven’t found a program yet that I can’t run under read-only and we
have hundreds of software programs in my organization. My users also
have mandatory profiles which they can’t change.

I use xcacls in a batch file to set any permissions remotely. eg. For
Pagemaker, I have to give write access to 5 files. However, I haven’t
found a batch file to reset passwords. You could probably do it with
VBScript. I use VBScript on my AD servers to reset passwords. Not sure
how to query the local accounts but I am sure it can be done.

Cheers,

Lara
 
Back
Top