group policy

Allow non-admins to install printer drivers via GPO

By default domain users do not have permissions to install the printer drivers on the domain computers and their installation requires the user to have a specific rights (as a rule the local Administrator rights). This is great from the point of security, because installation of the incorrect or fake device driver could compromise PC or degrade the system performance. However, this approach is extremely inconvenient in terms of IT-department, because it requires Support-team intervention when user tries to install a new printer driver.

You can grant rights to users to install printer drivers on their computers (without need to giving users local Admin rights) using Active Directory Group Policies.

Configure GPO to Allow Users to Install Printer Driver

At first, create a new (or edit an existing) policy and link it to the OU (AD container), which contains the computers on which is necessary to allow users to install the printer drivers (on a separate computer, the same setings can be implemented using local policy editor – gpedit.msc).

Expand the following branch in the Group Policy editor: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options, where you need to find the policy Devices: Prevent users from installing printer drivers.

READ ALSO  15 useful Windows Admin Tools

Disable this policy. This policy allows users to install shared printer drivers as a part of connecting to a shared printer.

gpo prevent install printers

The next step is to allow the user to install the local printers (and their drivers). In this case, we are interested in the policy Allow non-administrators to install drivers for these device setup classes in the section Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation.

Enable the policy and specify the device classes that users should be allowed to install. Click the Show button and in the appeared window add two lines with device class GUID corresponding to printers:

  • Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7}
  • Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}

You can find full list of the device class GUIDs in Windows here.

Now save the policy.

allow nonadmin install printers

In Windows Vista and higher there is another feature relating to the UAC, which occurs when you are trying to install a network printer. In that case, if UAC is enabled, a message appears in which you want to specify the credentials of Administrator. If UAC is turned off when you try to install the printer by the common user – the system freezes for some time and finally displays an error message: “Windows cannot connect to the printer. Access is denied “.

READ ALSO  MS Office 2016 activation with KMS

connect to printer

To solve this problem you need to disable the policy Point and Print Restrictions. This policy is located in the computer and the user branches of the GPO editor, and to maintain compatibility with previous versions of the Windows operating system, it is recommended to disable both policies. They are located in the following sections:

  • Computer Configuration -> Policies -> Administrative Templates -> Printers
  • User Configuration -> Policies ->Administrative Templates ->Control Panel ->Printers

gpo point print restrictions

It remains to test the policy on clients (requires restart). After rebooting and applying Group Policy, the user will be allowed to install local and shared network printers without Admin rights.

Tip. After installing the update KB3170455, released on July 12 2016, to successfully install the printer, the printer driver must meet the following requirements:

  • The driver must be signed by a trusted digital signature
  • The driver must be packed (Package-aware print drivers). Installing of the unpacked drivers through Point and Print Restrictions is impossible

You may also like:

Remove Windows Vista/7 Printer Driver If you right click on a printer and delete it, this doesn't remove the printer driver from the machine. Sometimes when working with print servers and ...
Deploy Local GPO with MDT 2013 Local Group Policy of computer is configured through gpedit.msc snap-in, which does not provide the possibility to export/import settings. That's why ...
Removing Windows XP Printer Driver If you right click on a printer and delete it, this doesn't remove the printer driver from the machine. Sometimes when working with print servers and ...
Configuring Internet Explorer 11 Proxy Settings us... The article shows how to configure proxy settings for Internet Explorer 11 browser using Active Directory Group Policies (GPO). In earlier versions of...
Deploy Printers in Domain using Group Policy One of the most important features of Group Policies usage in Active Directory Domain environment is the possibility to connect a shared network print...