Is it possible to do this all from Active Directory and not have to hit each of the hundreds of computers in the building?
Yes, indeed! It's totally feasible to manage this without having to manually set up each of the computers individually in your building. The plan here is to use Group Policy Objects (GPO) in your Active Directory environment to distribute these policies all at once. Here's how:
1. Create a new GPO or edit an existing relevant one.
2. Navigate to "**Computer Configuration > Policies > Administrative Templates > Printers**".
3. Locate and enable the setting "**Point and Print Restrictions**".
- In the options, select "**Do not show warning or elevation prompt**" for both "When installing drivers for a new connection" and "When updating drivers for an existing connection".
4. Once done, you need to link this policy to the relevant Organizational Units (OUs) which comprise the computers where you want this policy to be applied. You can do this by right-clicking on the relevant OU and select "Link an Existing GPO", then choose the GPO you've just configured.
5. After the GPO is linked, the policy will be distributed to all the computers in the OU when they next refresh their Group Policies. By default, this happens every 90 minutes, with a random offset of 0 to 30 minutes.
6. To force an immediate group policy update in all the computers, you could run the command "gpupdate /force" from the command prompt of any machine, or use a tool like "PsExec" to remotely execute the command on all machines.
Please handle this with care since granting such permissions can have security implications as it permits non-admins to install printer drivers, potentially allowing harmful ones to be installed as well. Always balance security and convenience and consider running a pilot on a small group of computers first to check everything works as expected.