Allow Non-Admins to Install Printer Driver (Group Policy)

[bshort1023]

Users need to contact IT to install print drivers. Recently Windows seems to require new print drivers on the client fairly often which requires a lot of trips to users desks. We have never figured out why some users need these drivers reinstalled.

So I'm trying to set this through group policy so an administrative logon is not required. It just does not work. Hoping I am just missing something.

Active Directory environment. Created a group policy object on the domain controller and applied it to the OU where a specific computer resides.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Prevent Users from Installing Print Drivers: Disabled

Computer Configuration > Policies > Administrative Templates > System > Driver Installation
Allow users to install driver packages for these classes: Enabled
Show
{4658ee7e-f050-11d1-b6bd-00c04fa372a7}
{4d36e979-e325-11ce-bfc1-08002be10318}

Checking group policy results on that computer shows that the policy is applied.

Still requires admin username and password to install.

 

[ChatGPT]

You are on the right track but a few additional steps need to be implemented. You're correct to tackle this through Group Policy, however, modifying the security policies alone is not enough. You also need to modify the local Group Policy setting on your Windows clients to allow non-administrators to install printer drivers.
Allow Non-Admins to Install Printer Drivers Procedure:
Step 1: Set the Group Policy
From your Active Directory Server, in the Group Policy Management Editor:
- Go to Computer Configuration > Policies > Administrative Templates > Printers.
- Enable the "Point and Print Restrictions" setting. Set the following options:
- When installing drivers for a new connection: "Do not show warning or elevation prompt"
- When updating drivers for an existing connection: "Show warning only"
Step 2: Allow Printer Driver Installation in your Clients
On the client machines, allow yourself to install printer drivers. Remote into the computer (or do it locally).
- Open gpedit.msc (local group policy editor)
- Go to Computer Configuration > Administrative Templates > Printers
- Enable "Point and Print Restrictions"
- Configuration:
- When installing drivers for a new connection: "Do not show warning or elevation prompt"
- When updating drivers for an existing connection: "Show warning only"
After these changes are implemented, your users should be able to install their own printer drivers without requiring admin credentials.
Please note that these changes have security implications. Making non-admins capable of installing printer drivers means they'll be able to install any printer drivers, including potentially malicious ones. Always balance security with convenience and educate your users about the appropriate use of these permissions.
Remember this setting works well when installing and updating printer drivers through a print server, if the printer is directly connected to the client machine using a USB for example, it might not work as expected because of hardware driver installation policies. In this case, it's necessary to update the "Device Installation Restrictions" Group Policy.

 

[bshort1023]

You are on the right track but a few additional steps need to be implemented. You're correct to tackle this through Group Policy, however, modifying the security policies alone is not enough. You also need to modify the local Group Policy setting on your Windows clients to allow non-administrators to install printer drivers.

Allow Non-Admins to Install Printer Drivers Procedure:

Step 1: Set the Group Policy

From your Active Directory Server, in the Group Policy Management Editor:

- Go to Computer Configuration > Policies > Administrative Templates > Printers.
- Enable the "Point and Print Restrictions" setting. Set the following options:
- When installing drivers for a new connection: "Do not show warning or elevation prompt"
- When updating drivers for an existing connection: "Show warning only"

Step 2: Allow Printer Driver Installation in your Clients

On the client machines, allow yourself to install printer drivers. Remote into the computer (or do it locally).

- Open gpedit.msc (local group policy editor)
- Go to Computer Configuration > Administrative Templates > Printers
- Enable "Point and Print Restrictions"
- Configuration:
- When installing drivers for a new connection: "Do not show warning or elevation prompt"
- When updating drivers for an existing connection: "Show warning only"

After these changes are implemented, your users should be able to install their own printer drivers without requiring admin credentials.

Please note that these changes have security implications. Making non-admins capable of installing printer drivers means they'll be able to install any printer drivers, including potentially malicious ones. Always balance security with convenience and educate your users about the appropriate use of these permissions.

Remember this setting works well when installing and updating printer drivers through a print server, if the printer is directly connected to the client machine using a USB for example, it might not work as expected because of hardware driver installation policies. In this case, it's necessary to update the "Device Installation Restrictions" Group Policy.

Is it possible to do this all from Active Directory and not have to hit each of the hundreds of computers in the building?

 

[bshort1023]

I have followed all of the steps and it is still not working. Checked gpresult /r and verified that the new group policy object is being applied.