Allowing Standard Users to Install Network Printers on Windows 7 without Prompting for Administrative Credentials
Have you ever wondered whether there is a way to allow a Standard Domain User to install network printers on their Windows 7 client computer without being prompted for administrative credentials? This blog post walks you through the process and the steps required to enable this ability.
• This document applies to Windows 7 Professional, Enterprise, and Ultimate x86 and x64
• This document contains information regarding Point and Print environments
• The user account that makes the following changes needs to be a member of the Domain Administrators group.
If you have any questions or concerns with the following document please contact Microsoft Support.
1. Informational Overview:
Consider the following scenario:
• You have a computer running Windows 7 which is connected to a Windows Server 2003 Domain.
• You log onto the computer with a domain user account as a Standard user.
• You connect to a Print Server to install a printer either by Point and Print or UNC path (i.e. \\Servername\ShareName).
• The printer can be using an in-box or a vendor specific printer driver.
After the initial download of the driver you will be prompted with a User Account Control (UAC) dialog requesting administrative credentials as seen in the below image.
In this scenario, the user will not be able to install the printer unless administrative credentials are entered.
The same issue will occur if you assign a domain policy on the Windows 2003 Domain Controller that disables the Point and Print Restrictions for the user.
This is the default behavior for Windows 7 Point and Print Restrictions and is the expected behavior to display the User Account Control (UAC) dialog prompting for administrative credentials. This is NOT isolated to a specific printer or vendor, and will occur even if the printer is using in-box printer drivers.
We will walk through some of the group policy information related to Point and Print Restrictions. We will review the default Point and Print Restrictions on a Windows Server 2003 Domain Controller, and then walk through the process to allow a Standard Domain user to install a network printer on a Windows 7 client without being prompted for credentials.
2. Windows Server 2003 Group Policy:
To begin, we need to log onto the Windows Server 2003 Domain Controller and open Active Directory Users and Computers from Control Panel > Administrative Tools. We then right-click on the domain (in our example the domain is KDSCN.COM), choose New Organizational Unit (OU) and call it “Windows 7 Point and Print”.
To create a Point and Print Restrictions policy on the Windows Server 2003 Domain Controller, we right-click on the OU, choose Properties and select the Group Policy tab. From there we click the “New” button, which creates a default policy. We called this policy “Windows 2003 and XP”, as you can see in the below image.
Selecting the policy and clicking Edit we can then expand both the Computer Configuration and User Configuration. You will note that there is NO “Point and Print Restrictions” listed under Computer Configuration.
“Computer Configuration\Administrative Templates\Printers”
Under User Configuration you will see the “Point and Print Restrictions” policy which is by default set to “Not configured”
“User Configuration\Administrative Templates\Control Panel\Printers”
Opening the Properties for the “Point and Print Restrictions” will allow us to choose either Not Configured (which is the default), Enabled, or Disabled
Below is an explanation of Windows Server 2003 and XP “Point and Print Restrictions” Policy
This policy setting restricts the servers that a client can connect to for point and print. The policy setting applies only to non-Print Administrators clients, and only to machines that are members of a domain.
When the policy setting is enabled, the client can be restricted to only point and print to a server within its own forest, and/or to a list of explicitly trusted servers.
When the policy setting is not-configured, it defaults to allowing point and print only within the client’s forest.
When the policy setting is disabled, client machines can point and print to any server.
Even if you modify the policy, set it to Disabled, and then assign the policy to a domain user, the user will still be prompted for administrative credentials when installing a network printer on a computer running Windows 7.
3. Network Printer Install Standard User with Default Domain Policy:
In the below example we logged onto the Windows 7 client with a standard user account. We then connected to the print server using the UNC path \\PS to view the available shares, where two printers are listed.
To install the printer we can just double-click on the printer, which will then start to search for the printer driver from the Windows 2003 Print Server. For testing purposes we are using the Xerox Global Post Script Printer Driver.
Once we have established a connection to the Print Server for the specific printer, we will receive a security dialog that will provide an option to allow us to install the driver.
After clicking on the Install Driver button, the drivers will start to be downloaded and then you will receive the UAC prompt requesting administrative credentials.
As mentioned this is the expected behavior using the default policy configurations. To proceed with the install in this manner you will need to supply administrative credentials. In our case we do not want to be prompted when installing the network printer. In order to do this, please cancel all dialogs and proceed with the following steps.
Below are a few external articles with information on User Account Control (UAC)
What is User Account Control?
https://windows.microsoft.com/en-US/windows7/What-is-User-Account-Control
Inside Windows 7 User Account Control
https://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
4. Preparation and Configuration for Windows 7 “Point and Print Restrictions” Policy:
Now we will walk through the necessary steps to allow the ability for a Standard User to install a network printer on a Windows 7 client without being prompted for administrative credentials.
First we will need to download and install the “Remote Server Administration Tools for Windows 7” on a computer running Windows 7, logged on as a Domain Administrator.
The Remote Server Administration Tools for Windows 7 is a free download. Below you will find some information about the tool and the Microsoft external download link to obtain the tool.
About Remote Server Administration Tools
You can install the Administration Tools pack on computers that are running the Windows 7 operating system, and use the Administration Tools pack to manage specific technologies on computers that are running either Windows Server® 2008 R2, Windows Server 2008, or, in some cases, Windows Server 2003.
The Administration Tools pack includes support for remote management of computers that are running the Server Core installation option of either Windows Server 2008 R2 or Windows Server 2008. However, Remote Server Administration Tools for Windows 7 cannot be installed on any versions of the Windows Server operating system.
Administration Tools are secure by default. The default Administration Tools configuration opens only those ports and enables only those services and firewall exceptions required for remote management to work.
System requirements
Remote Server Administration Tools for Windows 7 can be installed on computers that are running the Professional, Enterprise, or Ultimate editions of Windows 7.
Remote Server Administration Tools for Windows 7 runs on both x86- and x64-based editions of Windows 7, and can be used to manage roles and features that are running on either the Server Core or full installation options of the x64-based Windows Server 2008 R2 operating system.
Remote management is also supported for some roles and features that run on Windows Server 2008 or Windows Server 2003.
Remote Server Administration Tools for Windows 7 should not be installed on a computer that is running the Windows Server 2003 Administration Tools Pack or Windows 2000 Server® Administration Tools Pack. Remove all versions of Administration Tools Pack or Remote Server Administration Tools for Windows Vista SP1 from the computer before you install Remote Server Administration Tools for Windows 7.
Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)
https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7887
Remote Server Administration Tools for Windows® 7 with SP1 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server® 2008 R2, Windows Server® 2008, or Windows Server® 2003, from a remote computer that is running Windows 7 or Windows 7 with SP1.
5. Remote Server Administration Tools for Windows 7 Installation:
Download the respective file for the operating system platform and then double-click on the file to install the RSA tools. When prompted with the install of KB958830 click “Yes”.
Description of Remote Server Administration Tools for Windows 7
https://support.microsoft.com/kb/958830
Once the patch update completes, the Remote Server Administration help menu will display, providing additional installation procedures for the Remote Server Administration (RSA) Tools as noted in the below image.
6. Adding the Group Policy Management Feature:
Open Programs and Features from the Control Panel and click the “Turn Windows Features on or off” Action item.
In our example we are going to install only the “Group Policy Management Tools” feature. From Windows Features expand Remote Server Administration Tools > Feature Administration Tools and select Group Policy Management Tools. Then click OK.
Once this completes you will notice a new MMC Snap-in listed under Administrative Tools labeled “Group Policy Management”
7. Creating the Windows 7 “Point and Print Restrictions” Policy:
Double-click on the Group Policy Management snap-in to open the MMC. In our example below after expanding Forest > Domains > KDSCN.COM you will see the OU that was created labeled Windows 7 Point and Print
Right-click on the OU and select “Create a GPO in this domain, and link it here…”
In our example we named the GPO “Windows 7”
Right-click on the GPO “Windows 7” and select Edit. This will allow us to modify the current policy settings. We will be modifying the Point and Print Restrictions. You will now notice that Point and Print Restrictions is listed under both Computer Configuration and User Configuration:
"Computer Configuration\Policies\Administrative Templates: …\Printers"
“User Configuration\Policies\Administrative Templates: …\Control Panel\Printers”
The default setting for both is Not Configured.
Below is an explanation of the Windows 7 “Point and Print Restrictions” Policy
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
When the policy setting is enabled:
-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
When the policy setting is not configured:
-Windows Vista client computers can point and print to any server.
-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
When the policy setting is disabled:
-Windows Vista client computers can create a printer connection to any server using Point and Print.
-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
8. Disabling the Windows 7 “Point and Print Restrictions” Policy:
First we will expand to and select "Computer Configuration\Policies\Administrative Templates: …\Printers", double-click on Point and Print Restrictions in the right hand pane and set it to Disabled. Click OK to save the changes.
Next expand to and select “User Configuration\Policies\Administrative Templates: …\Control Panel\Printers”, double-click on Point and Print Restrictions in the right hand pane and set it to Disabled. Click OK to save the changes.
We have completed the necessary changes for the Windows 7 “Point and Print Restrictions” policy. Go ahead and close the Group Policy Management snap-in.
9. Assigning a User or Computer to the “Windows 7 Point and Print” OU
Now log onto the Windows Server 2003 domain controller, expand KDSCN.COM, then right-click on the OU labeled “Windows 7 Point and Print” and choose Properties.
Click on the Group Policy Tab and you will see the policy “Windows 7” that we had just created.
Click the cancel button to close the OU Properties to return to the Active Directory Users and Computers MMC.
Next we will need to select the User or Computer that we would like to move into the “Windows 7 Point and Print” OU. In our example we are going to move a computer from the Computers OU. To move the computer, select and right-click on the computer and then select Move. In our example we are moving the computer PC71.
You will then have a dialog that will allow you to select which container to move the computer into. In our example we selected the container “Windows 7 Point and Print” and then clicked OK.
The computer “PC71” will then be moved into the “Windows 7 Point and Print” OU as you can see in the below image.
10. Applying the “Point and Print Restriction” Policy to the Computer
In order for the group policy to take effect you will need to restart the client computer. Once the system has been restarted be sure to log onto the system using the Domain User account. In our example we are using the account KDSUser71 which is a Standard User (Non-Administrator).
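One way to confirm on the client, after the restart, which Point and Print Restrictions values were actually applied (an added example, not part of the original post). The registry key path, the value names and the function name `Get-PointAndPrintPolicy` do not appear on this page and are assumptions about where the policy is stored; both hives are read because KB2307161, listed under Additional Information, states that the user configuration policy is ignored by Windows 7.

```powershell
# Added example: report the Point and Print Restrictions values applied to this client.
# Assumption: the policy is stored under the key below, in HKLM for Computer
# Configuration and in HKCU for User Configuration. Written for PowerShell 2.0.
$subKey = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$names  = 'Restricted', 'TrustedServers', 'InForest', 'ServerList',
          'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PointAndPrintPolicy {
    param([string]$Hive)    # 'HKLM' or 'HKCU'

    $path   = "${Hive}:\$subKey"
    $values = $null
    if (Test-Path $path) { $values = Get-ItemProperty -Path $path }

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Scope $Hive
    foreach ($n in $names) {
        # A value that is absent from the key is reported as empty.
        $row | Add-Member NoteProperty $n $values.$n
    }

    # Assumed value meanings: NoWarningNoElevationOnInstall = 1 hides the install
    # prompt and UpdatePromptSettings = 2 hides the driver update prompt.
    if (-not $values) {
        $prompts = 'Policy not configured: warning and elevation prompt shown'
    } elseif ($row.NoWarningNoElevationOnInstall -eq 1 -or $row.UpdatePromptSettings -eq 2) {
        $prompts = 'Warning and elevation prompt suppressed'
    } else {
        $prompts = 'Policy configured: warning and elevation prompt shown'
    }
    $row | Add-Member NoteProperty Prompts $prompts

    # Assumed value meanings: servers are limited only when the policy is on
    # (Restricted = 1) and TrustedServers or InForest is set.
    if ($row.Restricted -eq 1 -and ($row.TrustedServers -eq 1 -or $row.InForest -eq 1)) {
        $servers = "Limited (forest only: $($row.InForest); list: $($row.ServerList))"
    } else {
        $servers = 'No server limit set by policy'
    }
    $row | Add-Member NoteProperty Servers $servers
    $row
}

'HKLM', 'HKCU' | ForEach-Object { Get-PointAndPrintPolicy $_ } | Format-List
```

Running it as the standard user on each computer moved into the OU shows whether that machine now installs drivers from any print server without a prompt, which is the state section 8 configures.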
11. Standard user Network Printer Install
In the image below we opened a UNC path to the Windows 2003 Print Server (i.e. \\PS) and see that both printers (LexmarkE and XeroxGlo) are listed. To proceed, we double-click on the printer XeroxGlo to install the network printer. We do not receive any driver install or UAC prompt for the printer driver, and the driver and printer begin to install.
Once the printer driver installation completes the printer queue will be displayed.
This completes the procedures for allowing a Standard user to install a network printer without being prompted for administrative credentials.
Note: If the domain controller is Windows Server 2008 you can create the Point and Print Restriction Policy directly from within Group Policy Management MMC on the domain controller. Also the policy that was created from the RSA Tool will carry over if the Windows Server 2003 domain is upgraded to Windows Server 2008.
Below you will find some additional information regarding Remote Server Administration Tools, Group Policy Management, Windows 7 and Windows Server 2008 Service Packs, Printer Security, and Point and Print.
Additional Information:
Remote Server Administration Tools for Windows 7
https://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
958830 Description of Remote Server Administration Tools for Windows 7
https://support.microsoft.com/default.aspx?scid=kb;EN-US;958830
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2
https://support.microsoft.com/default.aspx?scid=kb;en-US;976932
Control Printer Driver Installation Security
https://technet.microsoft.com/en-us/library/cc753269.aspx
Point and Print Security on Windows Vista
https://msdn.microsoft.com/en-us/windows/hardware/gg463359.aspx
982728 "Windows cannot connect to printer" error message when you try to create a Point and Print connection to a remote printer from a Windows 7 or Windows Server 2008 R2-based client computer
https://support.microsoft.com/kb/982728
2307161 The Point and Print User configuration policy is ignored by Windows 7, Windows Server 2008 R2 and Service Pack 2 release of Windows Vista, Windows Server 2008.
https://support.microsoft.com/kb/2307161
816100 How to prevent domain Group Policies from applying to certain user or computer accounts
https://support.microsoft.com/default.aspx?scid=kb;EN-US;816100
946225 You are prompted to install a new printer driver in Windows Vista when you try to print to a Windows Server 2008-based print server or to a Windows Server 2003-based print server
https://support.microsoft.com/default.aspx?scid=kb;EN-US;946225
319939 Description of the Point and Print Restrictions policy setting in Windows Server 2003 and Windows XP
https://support.microsoft.com/default.aspx?scid=kb;EN-US;319939