XP pcs cannot add printer as user

[David Wood]

We are rolling out XP pcs (Compaq/HP 530) and get the message 'cannot add
printerdue to policy restriction'
This can be fixed by logging on as Admin and adding the printer first.

Any advice why this should happen? W2K workstaions don't have this problem!

NT Network Domain
Print server is W2k

 

[Alan Morris\(MSFT\)]

If you deploy with XP RTM with all security updates you will not hit this
issue

With NT4 domains, the problem will be fixed once XP SP2 is released.

Give the Power Users Load Driver Privilege in order to allow them to add the
connection

more info from previous posts.
-------
This policy is in affect on XP SP1 clients (and Server 2003 ). . The
policy
impacts installing a printer driver.

If you have an NT4 based domain, this policy will not work properly until
clients are XP with SP2.

If the driver is preinstalled on the client, then the user can connect. If
the driver exists in the client's driver.cab then the spooler will install
this driver rather than copy the driver from the server.

You can add the users to the Power Users group, and add the Load and unload
driver privilege to this group rather than give the users admin rights.
----------
There is a policy on XP SP1 that prevents true connections to "untrusted"
(not in the same domain forest) servers. Since the HP driver is in
the driver.cab file on the client, the driver is added from the local
client rather than copying the driver from the server.

http://support.microsoft.com/default.aspx?scid=kb;en-us;319939
Description of the Point and Print Restrictions Policy Setting in Windows
Server 2003 and Windows XP


a.. By default, this policy setting is not configured. If you do not
configure this policy setting, users cannot download Point and Print drivers
from computers that are not in their Active Directory forest. The result of
not configuring the setting is the same as enabling the policy and setting
it to Users can only Point and Print to machines in their Forest.


The issue you are experiencing is fixed on XP SP2

The issue is that LookupAccountName does not work for machine accounts on
NT4 hosted Domains
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[David Wood]

Thanks for info-
Anyone know when XP SP2 will be released? Last I heard it was April.

If you deploy with XP RTM with all security updates you will not hit this
issue

With NT4 domains, the problem will be fixed once XP SP2 is released.

Give the Power Users Load Driver Privilege in order to allow them to add the
connection

more info from previous posts.
-------
This policy is in affect on XP SP1 clients (and Server 2003 ). . The
policy
impacts installing a printer driver.

If you have an NT4 based domain, this policy will not work properly until
clients are XP with SP2.

If the driver is preinstalled on the client, then the user can connect. If
the driver exists in the client's driver.cab then the spooler will install
this driver rather than copy the driver from the server.

You can add the users to the Power Users group, and add the Load and unload
driver privilege to this group rather than give the users admin rights.
----------
There is a policy on XP SP1 that prevents true connections to "untrusted"
(not in the same domain forest) servers. Since the HP driver is in
the driver.cab file on the client, the driver is added from the local
client rather than copying the driver from the server.

http://support.microsoft.com/default.aspx?scid=kb;en-us;319939
Description of the Point and Print Restrictions Policy Setting in Windows
Server 2003 and Windows XP


a.. By default, this policy setting is not configured. If you do not
configure this policy setting, users cannot download Point and Print drivers
from computers that are not in their Active Directory forest. The result of
not configuring the setting is the same as enabling the policy and setting
it to Users can only Point and Print to machines in their Forest.


The issue you are experiencing is fixed on XP SP2

The issue is that LookupAccountName does not work for machine accounts on
NT4 hosted Domains
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

We are rolling out XP pcs (Compaq/HP 530) and get the message 'cannot add
printerdue to policy restriction'
This can be fixed by logging on as Admin and adding the printer first.

Any advice why this should happen? W2K workstaions don't have this problem!

NT Network Domain
Print server is W2k

 

[Alan Morris\(MSFT\)]

I asked Bill so he wrote up a summary of all the work we do here. Here's the
quote from he mail yesterday.

Windows XP Service Pack 2: We are working on a number of isolation and
resiliency advances that address four specific modes of attack in our
flagship client operating system. These will be available in late
spring/early summer.
full mail
http://www.microsoft.com/mscorp/execmail/
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks for info-
Anyone know when XP SP2 will be released? Last I heard it was April.

If you deploy with XP RTM with all security updates you will not hit this
issue

With NT4 domains, the problem will be fixed once XP SP2 is released.

Give the Power Users Load Driver Privilege in order to allow them to add the
connection

more info from previous posts.
-------
This policy is in affect on XP SP1 clients (and Server 2003 ). . The
policy
impacts installing a printer driver.

If you have an NT4 based domain, this policy will not work properly until
clients are XP with SP2.

If the driver is preinstalled on the client, then the user can connect. If
the driver exists in the client's driver.cab then the spooler will install
this driver rather than copy the driver from the server.

You can add the users to the Power Users group, and add the Load and unload
driver privilege to this group rather than give the users admin rights.
----------
There is a policy on XP SP1 that prevents true connections to "untrusted"
(not in the same domain forest) servers. Since the HP driver is in
the driver.cab file on the client, the driver is added from the local
client rather than copying the driver from the server.

http://support.microsoft.com/default.aspx?scid=kb;en-us;319939
Description of the Point and Print Restrictions Policy Setting in Windows
Server 2003 and Windows XP


a.. By default, this policy setting is not configured. If you do not
configure this policy setting, users cannot download Point and Print drivers
from computers that are not in their Active Directory forest. The result of
not configuring the setting is the same as enabling the policy and setting
it to Users can only Point and Print to machines in their Forest.


The issue you are experiencing is fixed on XP SP2

The issue is that LookupAccountName does not work for machine accounts on
NT4 hosted Domains
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

We are rolling out XP pcs (Compaq/HP 530) and get the message 'cannot add
printerdue to policy restriction'
This can be fixed by logging on as Admin and adding the printer first.

Any advice why this should happen? W2K workstaions don't have this problem!

NT Network Domain
Print server is W2k