Allow Non-Admins to Install Printer Driver (Group Policy)

bshort1023

Users need to contact IT to install print drivers. Recently, Windows seems to require new print drivers on the client fairly often, which requires a lot of trips to users' desks. We have never figured out why some users need these drivers reinstalled.

So I'm trying to set this through group policy so an administrative logon is not required. It just does not work. Hoping I am just missing something.

Active Directory environment. Created a group policy object on the domain controller and applied it to the OU where a specific computer resides.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Prevent Users from Installing Print Drivers: Disabled

Computer Configuration > Policies > Administrative Templates > System > Driver Installation
Allow users to install driver packages for these classes: Enabled
Show
{4658ee7e-f050-11d1-b6bd-00c04fa372a7}
{4d36e979-e325-11ce-bfc1-08002be10318}

Checking group policy results on that computer shows that the policy is applied.

Still requires admin username and password to install.
 
You are on the right track, but a few additional steps need to be implemented. You're correct to tackle this through Group Policy; however, modifying the security policies alone is not enough. You also need to modify the local Group Policy setting on your Windows clients to allow non-administrators to install printer drivers.

Allow Non-Admins to Install Printer Drivers Procedure:

Step 1: Set the Group Policy

From your Active Directory Server, in the Group Policy Management Editor:

- Go to Computer Configuration > Policies > Administrative Templates > Printers.
- Enable the "Point and Print Restrictions" setting. Set the following options:
  - When installing drivers for a new connection: "Do not show warning or elevation prompt"
  - When updating drivers for an existing connection: "Show warning only"

Step 2: Allow Printer Driver Installation in your Clients

On the client machines, allow yourself to install printer drivers. Remote into the computer (or do it locally).

- Open gpedit.msc (local group policy editor)
- Go to Computer Configuration > Administrative Templates > Printers
- Enable "Point and Print Restrictions"
- Configuration:
  - When installing drivers for a new connection: "Do not show warning or elevation prompt"
  - When updating drivers for an existing connection: "Show warning only"

After these changes are implemented, your users should be able to install their own printer drivers without requiring admin credentials.

Please note that these changes have security implications. Making non-admins capable of installing printer drivers means they'll be able to install any printer drivers, including potentially malicious ones. Always balance security with convenience and educate your users about the appropriate use of these permissions.

Remember, this setting works well when installing and updating printer drivers through a print server. If the printer is directly connected to the client machine, using USB for example, it might not work as expected because of hardware driver installation policies. In this case, it's necessary to update the "Device Installation Restrictions" Group Policy.
 
Is it possible to do this all from Active Directory and not have to hit each of the hundreds of computers in the building?
 
Yes, indeed! It's totally feasible to manage this without having to manually set up each of the computers individually in your building. The plan here is to use Group Policy Objects (GPO) in your Active Directory environment to distribute these policies all at once. Here's how:

1. Create a new GPO or edit an existing relevant one.
2. Navigate to "**Computer Configuration > Policies > Administrative Templates > Printers**".
3. Locate and enable the setting "**Point and Print Restrictions**".
   - In the options, select "**Do not show warning or elevation prompt**" for both "When installing drivers for a new connection" and "When updating drivers for an existing connection".

4. Once done, you need to link this policy to the relevant Organizational Units (OUs) which comprise the computers where you want this policy to be applied. You can do this by right-clicking on the relevant OU and selecting "Link an Existing GPO", then choosing the GPO you've just configured.

5. After the GPO is linked, the policy will be distributed to all the computers in the OU when they next refresh their Group Policies. By default, this happens every 90 minutes, with a random offset of 0 to 30 minutes.

6. To force an immediate group policy update in all the computers, you could run the command "gpupdate /force" from the command prompt of any machine, or use a tool like "PsExec" to remotely execute the command on all machines.

Please handle this with care since granting such permissions can have security implications as it permits non-admins to install printer drivers, potentially allowing harmful ones to be installed as well. Always balance security and convenience and consider running a pilot on a small group of computers first to check everything works as expected.
 
I have followed all of the steps and it is still not working. Checked gpresult /r and verified that the new group policy object is being applied.
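
A read-only audit of the Point and Print values discussed in the replies above, added here as an example and not posted by any participant in the thread. The registry path and value names are the ones Windows uses for this policy; `RestrictDriverInstallationToAdministrators` is not mentioned in the thread, its treated-as-1 default is an assumption about currently patched clients, and the function names and sample hashtable are constructed.

```powershell
# Added example: read-only audit of the Point and Print policy values on a client.
$PnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$InstallText = @{ 0 = 'Show warning and elevation prompt'
                  1 = 'Do not show warning or elevation prompt' }
$UpdateText  = @{ 0 = 'Show warning and elevation prompt'
                  1 = 'Show warning only'
                  2 = 'Do not show warning or elevation prompt' }

function Get-PointAndPrintValues {
    # Hypothetical helper: returns the three values, $null where the policy is not set.
    $props = Get-ItemProperty -Path $PnpKey -ErrorAction SilentlyContinue
    $out = @{}
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings',
                      'RestrictDriverInstallationToAdministrators') {
        $out[$name] = if ($props) { $props.$name } else { $null }
    }
    $out
}

function Test-PointAndPrintPolicy {
    # Hypothetical helper: turns raw values into the state the client enforces.
    param([hashtable]$Values)
    $install = [int]$Values['NoWarningNoElevationOnInstall']   # not set -> 0
    $update  = [int]$Values['UpdatePromptSettings']            # not set -> 0
    # Assumption: a patched client treats a missing value as 1 (admins only).
    $restrict  = $Values['RestrictDriverInstallationToAdministrators']
    $adminOnly = ($null -eq $restrict) -or ([int]$restrict -ne 0)
    [pscustomobject]@{
        NewConnection          = $InstallText[$install]
        ExistingConnection     = $UpdateText[$update]
        AdminOnlyInstall       = $adminOnly
        # A non-zero restrict value overrides the two prompt settings above.
        UserCanInstallSilently = (-not $adminOnly) -and ($install -eq 1)
        PromptWeakened         = ($install -ne 0) -or ($update -ne 0)
    }
}

# Constructed sample: the options chosen in the first reply, nothing else set.
$sample = @{ NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 1 }
Test-PointAndPrintPolicy -Values $sample | Format-List

# Live check on the machine the script runs on (reads only, changes nothing).
Test-PointAndPrintPolicy -Values (Get-PointAndPrintValues) | Format-List
```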
 