Allow Domain Clients to install local Printers (and Network Printers) without Admin rights via Group Policy
This is a common requirement where IT administrators face the ultimate challenge: how do you lock down a workstation but open up certain functions to make it practical? For instance, the most common requirement is to give users the right to install local printers for the mobile workforce (roaming or "road warriors") without opening up the whole domain PC/laptop to full administrative access by that user.
Let's face it, if it were up to us, we wouldn't even let our users power the darn things on! But since we all have a job to do, including our users, this guide will enable you to deploy a group policy to an organisational unit that will enable the (selected) domain users within that unit to install local printers. (Say, they have a beautiful HP inkjet at home they wish to use, or that LaserJet in the remote office they travel to.)
This guide is also suitable for enabling programs that need to create a printer driver during operation, such as Adobe Acrobat Standard/Professional and Pegasus Opera II Enterprise client (for example). In fact, this guide was written specifically to solve the problem for the latter!
So the trick is not easy or fast! Well, unless you use Guru Guy's guide!
Pre-requisites:
• Create a Domain Security Group of the desired domain users who will be given rights to install the printers, e.g. “Printer Users”; add all desired members to this group.
• Optionally, create a Domain Security Group "Printer Computers" with the desired machines/computers as members, i.e. those on which you want to allow printers to be installed. (By default, when you assign a Group Policy to an Organisational Unit, all machines in that unit are affected; this security group allows further filtering so that only the desired machines within that unit are affected.) This is a much more effective way to ensure that the users don't have full printer rights across the whole organisation!
• Create an Organisational Unit in Active Directory for all of the machines (computers/laptops) on which the desired users may install printers, e.g. “Test OU”. (You can use an existing OU but see the note below! Guru Guy recommends creating a test OU for a small deployment, specifically where modification of user rights is concerned!)
• Place a test PC or two into this OU so that only a couple of computers are affected (once complete and tested, move the rest into this OU or apply the policy to your existing OU; again, see the note below).
• Install the Group Policy Management Tool (GPMT) to allow advanced modification and creation of domain Group Policies.
Never modify the default domain policy. Always create organisational units and never
include domain admins or server computers in these units. For these instructions we
have created an Organisation Unit (OU) called “test”.
So, you should have:
1. Printer Users (of all desired domain users, e.g. Polly Edwards, Diane Lane etc.)
2. Printer Computers (of all desired machines as members, on which your users can install printers)
3. Test Organisational Unit to deploy the Group Policy into the desired computer group, with a test workstation computer moved into the OU in Active Directory
4. Group Policy Management Tool installed
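The pre-requisites above can also be scripted. The following is an added example, not part of Guru Guy's guide, using the ActiveDirectory module from RSAT on a machine with domain admin rights. The OU and group names are the ones the guide uses; the computer names and user account names are placeholders.

```powershell
# Added example (not from the original guide): scripted pre-requisites.
# Assumes the ActiveDirectory module (RSAT) and rights to create groups/OUs.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName      # resolved at run time, e.g. DC=guruguy,DC=local
$OuName    = 'Test OU'                             # name from the guide
$UserGroup = 'Printer Users'                       # name from the guide
$PcGroup   = 'Printer Computers'                   # name from the guide
$TestPcs   = @('TESTPC01', 'TESTPC02')             # placeholder workstation names
$TestUsers = @('pedwards', 'dlane')                # placeholder sAMAccountNames

# 1. Security group for the users who may install printers
if (-not (Get-ADGroup -Filter "Name -eq '$UserGroup'")) {
    New-ADGroup -Name $UserGroup -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed to install local printers via GPO'
}
Add-ADGroupMember -Identity $UserGroup -Members $TestUsers

# 2. Security group for the workstations the GPO may apply to (used for security filtering)
if (-not (Get-ADGroup -Filter "Name -eq '$PcGroup'")) {
    New-ADGroup -Name $PcGroup -GroupScope Global -GroupCategory Security `
        -Description 'Workstations on which Printer Users may install printers'
}
$computers = $TestPcs | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $PcGroup -Members $computers

# 3. A dedicated test OU directly under the domain root; never reuse an OU that
#    holds servers, domain controllers or domain admins (see the note in the guide)
$ouDN = "OU=$OuName,$DomainDN"
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 4. Move only the test workstations into the OU so the policy's blast radius stays small
foreach ($pc in $computers) {
    Move-ADObject -Identity $pc.DistinguishedName -TargetPath $ouDN
}
```

Keeping the user group small matters more than it looks: the GPO built later grants its members "Load and Unload Device Drivers", a right that lets a user load kernel-mode code, so membership of "Printer Users" should be reviewed the same way local Administrators membership is.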
Step-by-Step instructions
Assuming you’ve followed the pre-requisites above, continue below for deployment:
1. Open up the Group Policy Management Tool.
2. Navigate to your TEST OU, which should be located underneath the domain policy.
3. Create and Link a new Group Policy Object (GPO) to the Organisation Unit and call it “Power Users”. This GPO will raise the users to a level that can install printers even if they are standard (restricted) domain users of that workstation/laptop and are NOT a member of the local machine Administrators group. (This policy will inherently grant the user general “Power User” privileges such as modifying the system time & date. This GPO will apply to all users of the PCs/Laptops in that Organisation Unit and any members of the “Printer Users” group logging onto those PCs. For full information about the Power User group privileges, consult the Windows XP documentation.)
4. In the New GPO, navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
5. Under “Load and Unload Device Drivers” edit the properties.
6. Tick “Define these policy settings” and add the Printer Users group in Domain\Group format, e.g. “GURUGUY\Printer Users”. Also, be sure to add "Administrator" and "Administrators" to the list. This gives the local admins of each PC full access; without adding these two, you essentially remove the privileges of the Administrators! Once done, click OK to close the policy.
7. Navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
8. Under the policy “Devices: Prevent Users from installing printer drivers” define the policy to be “Disabled”.
9. Navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups
This section enables modification of the laptop/computer local user groups. What we need to do here is make the desired "Printer Users" members of the “Power Users” group on that local PC.
Warning: Modification of "Restricted Groups" is very powerful and complex. NEVER apply this policy where it affects Domain Admins, Servers, Domain Controllers etc. This policy should only apply to a handful of desired workstation machines. For more information consult the MS Knowledgebase on Restricted Groups.
10. Right-click “Restricted Groups”, click “Add Group” and name it “Power Users”. (Make sure it is a group name that does NOT exist in the domain Active Directory so the policy is not misinterpreted.)
11. In the “Members of this group” section, add DOMAIN\GROUP, e.g. "GURUGUY\Printer Users”.
12. In the “This group is a member of” section, add and type: “Power Users”.
13. OK out of that window and you should have something like the below:
14. Navigate to Computer Configuration\Administrative Templates\Printers and modify the policy “Disallow installation of printers using Kernel-mode drivers” to Disabled.
15. Navigate to User Configuration\Administrative Templates\Control Panel\Printers and modify the policy “Point and Print Restrictions” to Disabled.
16. Close the GPO and view the “Scope” tab of the policy in the Group Policy Management pane. Under Security Filtering add “Printer Users” and “Printer Computers”.
17. Once users and computers have been assigned to their respective security groups, and a machine has been moved from Active Directory “Computers” into your new Organisation Unit, log into that machine to test the policy.
18. Type “gpupdate /force” in Start->Run on a test workstation. This will refresh the group policy.
19. Reboot the computer, log in, and to see that the Group Policy has taken effect, go to Control Panel -> Printers -> Add Printer. After the Wizard introduction the option to select "Local Printer" should NOT be greyed out. (Normally it is, and only "Install Network Printer" is available to choose from.) If it is still greyed out, update Group Policy again after making sure the PC is in the Organisational Unit you created, the machine you are on is a member of the "Printer Computers" group and the user you are logged in as is a member of the DOMAIN\Printer Users group.
20. Congratulations, you've now enabled your desired users to install printers on your desired PCs!
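The GPO side of steps 3 and 14-16, plus a client-side check for steps 17-19, can be expressed with the GroupPolicy module. This is an added example, not Guru Guy's own script: the OU distinguished name and NetBIOS domain are placeholders, the group and GPO names follow the guide, and the registry values written are the documented backing values of the two Administrative Template policies. The settings from steps 6, 8 and 10-12 (User Rights Assignment, Security Options and Restricted Groups) live in the GPO's security template (GptTmpl.inf), for which there is no cmdlet, so those are left to the GPMC editor as the guide describes; the client check only reads their effect.

```powershell
# Added example (not from the original guide). Requires the GroupPolicy module (RSAT)
# for New-PrinterInstallGpo; Test-PrinterInstallPolicy runs on a workstation in the OU.
Import-Module GroupPolicy

function New-PrinterInstallGpo {
    param(
        [string]$GpoName   = 'Power Users',                       # name from the guide (step 3)
        [string]$OuDN      = 'OU=Test OU,DC=guruguy,DC=local',    # placeholder: your test OU
        [string]$UserGroup = 'Printer Users',
        [string]$PcGroup   = 'Printer Computers'
    )
    # Step 3: create the GPO (idempotently) and link it to the test OU only
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Allow Printer Users to install local printers' }
    $linked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null }

    # Step 14: Computer Configuration\Administrative Templates\Printers
    #   "Disallow installation of printers using kernel-mode drivers" = Disabled (value 0)
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers' `
        -ValueName 'KMPrintersAreBlocked' -Type DWord -Value 0 | Out-Null

    # Step 15: User Configuration\Administrative Templates\Control Panel\Printers
    #   "Point and Print Restrictions" = Disabled (Restricted = 0)
    Set-GPRegistryValue -Name $GpoName -Key 'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' `
        -ValueName 'Restricted' -Type DWord -Value 0 | Out-Null

    # Step 16: security filtering. Authenticated Users is reduced to read rather than removed,
    # so the computer account can still read the GPO and apply the computer-side settings;
    # only the two guide groups get "Apply Group Policy".
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    foreach ($g in @($UserGroup, $PcGroup)) {
        Set-GPPermission -Name $GpoName -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
    return $gpo
}

function Test-PrinterInstallPolicy {
    # Run as the test user on a workstation in the OU after "gpupdate /force" and a reboot (steps 17-19).
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $servers  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
    $checks = [ordered]@{
        # Steps 10-12 (Restricted Groups): the logged-on user should now be in local Power Users
        'User is in local Power Users' = [bool]((whoami /groups) -match 'BUILTIN\\Power Users')
        # Step 14
        'Kernel-mode driver block off' = (Get-ItemProperty $printers -ErrorAction SilentlyContinue).KMPrintersAreBlocked -eq 0
        # Step 15
        'Point and Print unrestricted' = (Get-ItemProperty $pnp -ErrorAction SilentlyContinue).Restricted -eq 0
        # Step 8 ("Devices: Prevent users from installing printer drivers" = Disabled); absent value means not prevented
        'Driver install not prevented' = (Get-ItemProperty $servers -ErrorAction SilentlyContinue).AddPrinterDrivers -ne 1
    }
    $checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
    return -not (@($checks.Values) -contains $false)
}
```

Run `New-PrinterInstallGpo` once on a domain-joined admin workstation, then `Test-PrinterInstallPolicy` on the test PC; a `False` row points at the step to revisit, which is quicker than repeating the Add Printer wizard. Two caveats for anyone applying the guide on a newer OS than the Windows XP it targets: the local Power Users group carries no special privileges on Windows Vista and later, so the effective rights come from the "Load and Unload Device Drivers" assignment and the driver-installation policies rather than from the Restricted Groups step; and disabling Point and Print Restrictions lets users install drivers from any print server, so the group of users and machines in scope should stay as small as the guide recommends.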