Point and Print Restrictions policy

Thread starter: Guest

Hello,

We have an issue with the Point and Print Restrictions policy. We are
getting the following message when trying to connect to a printer:

"A policy is in effect on your computer which prevents you from connecting
to this print queue. Please contact your system administrator."

We have found the following document that refers to this error message...
http://support.microsoft.com/?kbid=319939

Our configuration is as follows:

A Windows XP SP2 user in Domain B is attempting to add a new printer from a
Windows 2003 print cluster in Domain A. Both domains are in the same forest.

Domain A is our Windows 2000 AD Forest root. Domain B is another domain in
the forest.

This is a new print cluster that has worked for months in testing with
admin-level users. However, we didn't do much testing for normal (non-local
admin) users and now realize we have this issue.

We've found that if an admin logs in and maps the drive first then the
printer will then map and print correctly for the normal user. This implies
that the issue is the normal (non-admin) user copying the printer drivers for
the first time.

We have verified the setting is disabled in reference to
http://support.microsoft.com/?kbid=319939 at the domain level for Domain A,
at the domain level of Domain B and locally for each Windows 2003 print
cluster node.

We have also verified there aren't any Group Policy print driver loading
restrictions in either domain.

In searching for other people experiencing this issue via Google, it appears
others have solved their issue via the article's suggestions. We, however,
have not, and the way we read the article is that it applies to cross-forest
printing - which is not our case.

Any suggestions on what else to look for in our situation are greatly
appreciated.

Brandon
 
The cluster may not have a machine account on the domain, thus the policy
cannot verify the machine is "trusted". What are the cluster name
parameters?

This policy blocks the installation of the driver unless the driver is inbox
on the XP client. Can you make a connection to a printer that is in the
list of XP print drivers?

When disabling the policy, there is nothing to do on the server. The policy
must be disabled on all clients. You can also add the cluster name and the
node names to the trusted server list on each client.

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thank you for taking the time to suggest your response, Alan.

I'm not sure I know how to have a cluster's name show up as a computer
account. I did a search of the computers in this domain (domain A in my
example) and it did not show up. The computer names of the nodes show up of
course.

Our cluster is as follows.

entserv01 (node1 computer name)
entserv02 (node2 computer name)
entserv (cluster name)
entserver (printer virtual server name)

Yes, we can print to printers on this cluster (across domains) successfully
if the driver is already present with a normal user.

Thanks for your suggestion on making changes at the client level; however, we
are trying not to have to do this since we have many clients to touch.

Can you elaborate on your suggestion given this new information?

Please let me know if I can give you any more information that might be of
help.

Brandon

 
Server side:
You will need to enable DNS registration in order for the cluster name to
get a machine account. You might have to enable Kerberos, but I think just
configuring DNS registration should do it. In cluadmin.exe: Group / Cluster
name / Properties / Parameters.

You will know you are successful when the cluster name shows up as a machine
account in the AD.

Client side:
Disable the policy in a domain GPO that applies to all users (the policy is
enabled since it's not configured by default) or add the server names to the
trusted list in a policy that applies to all users.
In gpedit.msc:
User Configuration / Administrative Templates / Control Panel / Printers /
Point and Print Restrictions

This policy setting restricts the servers that a client can connect to for
point and print. The policy setting applies only to non-Print Administrators
clients, and only to machines that are members of a domain.

When the policy setting is enabled, the client can be restricted to only
point and print to a server within its own forest, and/or to a list of
explicitly trusted servers.

When the policy setting is not configured, it defaults to allowing point and
print only within the client's forest.

When the policy setting is disabled, client machines can point and print to
any server.

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.
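
The policy behaviour described in the reply above, modelled as a decision function. This is an added example, not part of the thread and not Microsoft's implementation. It assumes forest membership is verified through a machine account (as the first reply suggests) and that, with both restrictions enabled, satisfying either one is enough; the driver names and the account set are constructed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Policy:
    state: str = "not configured"   # or "enabled" / "disabled"
    forest_only: bool = False       # read only when state == "enabled"
    trusted_servers: frozenset = frozenset()  # read only when "enabled"
@dataclass(frozen=True)
class Client:
    domain_member: bool = True
    print_admin: bool = False
    inbox_drivers: frozenset = frozenset()

def may_connect(policy, client, server, driver, machine_accounts):
    """Return (allowed, reason) for one point-and-print connection attempt."""
    if not client.domain_member or client.print_admin:
        return True, "policy does not apply to this user or machine"
    if driver in client.inbox_drivers:
        return True, "inbox driver: nothing to download from the server"
    if policy.state == "disabled":
        return True, "policy disabled: any server"
    name = server.lower()
    # Assumption: a server counts as in-forest only if a machine account exists.
    in_forest = name in machine_accounts
    if policy.state == "not configured":
        return in_forest, "default: client's own forest only"
    # Assumption: enabled with neither restriction set restricts nothing,
    # and with both set, satisfying either one is enough.
    if not policy.forest_only and not policy.trusted_servers:
        return True, "enabled, no server restriction selected"
    if policy.forest_only and in_forest:
        return True, "server is in the client's forest"
    if name in policy.trusted_servers:
        return True, "server is on the trusted list"
    return False, "blocked by Point and Print Restrictions"

# Constructed data; server names are the ones given in the thread.
ACCOUNTS = frozenset({"entserv01", "entserv02"})  # no account for virtual names
USER = Client(inbox_drivers=frozenset({"inbox-driver"}))

def thread_scenarios(driver="vendor-driver"):
    d, srv = Policy(), "entserver"
    trusted = Policy("enabled", trusted_servers=frozenset({srv}))
    return {
        "default policy": may_connect(d, USER, srv, driver, ACCOUNTS)[0],
        "inbox driver": may_connect(d, USER, srv, "inbox-driver", ACCOUNTS)[0],
        "print admin": may_connect(d, Client(print_admin=True), srv, driver, ACCOUNTS)[0],
        "account created": may_connect(d, USER, srv, driver, ACCOUNTS | {srv})[0],
        "trusted list": may_connect(trusted, USER, srv, driver, ACCOUNTS)[0],
    }
```

Only the first scenario is refused, which matches the symptom reported in the thread: a non-admin user, a driver that is not inbox, and a virtual server name with no machine account.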

 
Hello Brandon and Alan,
My scenario is almost identical. The difference is that the print cluster and client machines are in the same domain. A regular user is not able to download drivers from the cluster. I am able to view the cluster name in Active Directory. I followed the suggestions in this thread and had to enable DNS and Kerberos in the cluadmin.exe Group / Cluster name / Properties / Parameters. DNS only did not do it.
The point and print restrictions (group and local) policy settings were initially "not configured". According to MS, this setting should allow users to point and print to the forest. Nonetheless, users (non-local admin) still get a message indicating that a policy is in effect that prevents the printer installation. If it is a driver already included in Windows XP, users are able to point and print without a problem.
I would appreciate any suggestions.
 