By default, non-admin users do not have permission to install the printer drivers on their computers. To install a driver, the user should have local admin privileges (must be a member of the local Administrators group). This security feature helps prevent Windows from installing incorrect or fake device drivers that could compromise computer or slow system performance. However, this is extremely inconvenient as it requires the IT support team to get involved every time a user wants to install a new driver.
You can allow non-administrator users to install printer drivers on their Windows computers (without granting local administrator rights) by using Active Directory Group Policies.
Windows users can themselves connect to a shared network printer published on a print server. To do this, open the list of printers on the print server (Win+R > \\YourPrintServerName), right-click on the printer you want to use and click Connect.
If a driver for a particular printer is installed in the Driver Store on your computer, that printer will be added to your session. If the driver is missing, the UAC “Printer driver software installation” window will appear, and you will be asked to enter the administrator password to install the driver.
Enable Point and Print Restrictions Policy with GPO
The Point and Print Restrictions policy allows you to specify trusted print servers from which users can download and install drivers without UAC elevation.
- Open the AD Group Policy Management console (gpmc.msc), right-click the Active Directory OU (AD container) containing the computers to which you want to apply the policy, and create a new GPO;
- Edit your GPO;
- Go to Computer Configuration > Policies > Administrative Templates > Printers;
- Enable the policy Point and Print Restrictions;
- Check the option Users can only point and print to these servers. Enter the names (FQDNs) of the trusted print servers, separated by semicolons;
- For the last two options, select Do not show warning or elevation prompt;
Save your changes and edit the Package Point and print – Approved servers policy.
- Change the policy state to Enabled;
- Click the Show and add your trusted print server FQDNs.
Printers deployed using the GPO are automatically installed on user computers after the Print Restrictions policy is applied to them (requires restart). Windows automatically downloads and installs printer drivers from trusted print servers.
This policy also allows the non-admin user to manually install any signed package-aware drivers from a trusted print server.
However, if you try to install the unpackaged printer driver, you will see the “Do you trust this printer?” warning will appear with the Install driver UAC button, which requires the printer driver to be installed under the admin account.
If UAC is disabled, Windows displays an error when you try to install the printer as a non-admin user “Windows cannot connect to the printer. Access is denied“.
Use Package-aware Print Drivers on Print Server
Non-admin users can only manually install a printer driver from a print server that meets the following requirements:
- The driver must be signed with a trusted digital signature;
- The driver must be packaged (Package-aware v3print drivers). Non-admin users cannot install unpacked (non-package-aware) drivers via Point and Print Restrictions policy.
You can check your driver type on the print server. Open the Print Management snap-in and go to Print Servers > Server Name > Drivers. For package-aware print drivers, you can see the True value in the Packaged column.
Microsoft recommends you using only packaged print drivers on print servers.
For some older printer models, only non-package aware drivers are available and you will need to use an additional workaround to enable the installation of such drivers.
Using Point and Print Policy After PrinNightmare Fixe
Microsoft patches (released in August 2021) block non-admins from installing unsigned non-packaged print drivers. This change addresses the PrintNightmare vulnerability and is related to Windows Print Spooler security issues.
You can work around the new requirements by disabling the GPO option Limit print driver installation to Administrator under Computer Configuration > Administrative Templates > Printers (should be used rarely due to security risks).
If this option is missing in the GPO console, you will need to update the administrative template (ADMX) files on the Active Directory domain controller, or you can enable this setting through the registry.
Limit print driver installation to Administrator policy sets the RestrictDriverInstallationToAdministrators registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ to 0.
Create a new registry parameter under the GPO section Computer Configuration > Preferences > Windows Settings > Registry.
- Action: Replace
- Hive: HKEY_LOCAL_MACHINE
- Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- Value name: RestrictDriverInstallationToAdministrators
- Value type: REG_DWORD
- Value data: 0
Once this option is set, your users will be able to connect shared network printers and install print drivers from trusted print servers.
Important note! However, be very careful about using a value of zero (0) for the RestrictDriverInstallationToAdministrators parameter, as this will make your Windows vulnerable. We recommend that you set this option temporarily while you allow users to install the printer. It is desirable to return this registry key to its default value of one (1) after the printer has been installed.