This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 85%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
I am running into a problem where non admin user cannot install the shared printer. If I use admin user there is no problem at all.
I have tried the following
-Turn Off password in the host computer in the advance sharing settings.
-Turn on file and printer sharing in the host computer in the advance sharing settings.
-Reinstall printer driver in the client computer printer using admin user.
I got stuck with the credentials below even though my user and password are correct.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 6%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFT%3C/text%3E%3C/svg%3E)
The issue is caused by permission problem.
Apart from local administrators permission, there is another local group called "Device Owners" which can serve the purpose.
Instead of placing the group of users to the local administrators group , you can consider placing them to the local "Device Owners".
The device owners group can be reached by "Computer Management --> Local users and groups --> Groups --> Device Owners"
@Norell ,
What's up with the IP rather than a machine name?
Is this a workgroup configuration?
If you do not need to know who is printing, enable the guest account so all jobs go into the print system as guest.
As long as the machine is not running a Home version of Windows, use the MMC Local user and groups snapin to enable the guest account.
Thanks
Hi @Norell
By default, non-admin domain users do not have permission to install the printer drivers on domain computers. To install a driver, the user should have local admin privileges (must be a member of the local Administrators group).
You can use Group Policy to allow users permission to install printers
Create a new (or edit an existing) GPO object (policy) and link it to the OU (AD container), which contains the computers on which is necessary to allow users to install printer drivers (use the gpmc.msc snap-in to manage domain GPOs). You can implement the same settings on a standalone (non-domain) computer using the Local Group Policy Editor (gpedit.msc).
Expand the following branch in the Group Policy editor: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Find the policy Devices: Prevent users from installing printer drivers.
Set the policy value to Disable. This policy allows non-administrators to install printer drivers when connecting a shared network printer (the printer’s driver downloaded from the print-server host). Then you can set the policy value to Disable, any unprivileged user can install a printer driver as a part of a shared printer connection to a computer. However, this policy does not allow downloading and installing an untrusted (not-signed) printer driver.
The next step is to allow the user to install the printer drivers via GPO. In this case, we are interested in the policy Allow non-administrators to install drivers for these device setup classes in the GPO section Computer Configuration > Policies > Administrative Templates > System > Driver Installation.
Enable the policy and specify the device classes that users should be allowed to install. Click the Show button and in the appeared window add two lines with device class GUID corresponding to printers:
Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7};
Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}.
You can find a full list of the device class GUIDs in Windows here.
When you enable this policy, members of the local Users group can install a new device driver for any device that matches the specified device classes.
Note. You can enable this policy through the registry using the command:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" /v AllowUserDeviceClasses /t REG_DWORD/d 1 /f
You can find the list of allowed to install device GUIDs under the registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses.
Now save the policy.
I hope this answers your question.
Thanks.
--
--If the reply is helpful, please Upvote and Accept as answer--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 45%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESF%3C/text%3E%3C/svg%3E)
We are procured Managed Print Services and facing the same issue after the updates. If we allow the users as you defined as a workaround, isn't make the environment vulnerable? Please advise.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 47%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESV%3C/text%3E%3C/svg%3E)
I should add that apart from the computer configuration allowing users to install printers there also is a user configurations which blocks installation for users. it is in the following path:
user configuration -> admin templates -> control panel/Printers -> Prevent adding printers Disable and restrictions on point and print disable
Now users in your domain can add printers.
This all depends if you prevent the client from connecting to any shared printers outside of your control. If you secure the print server environment and allow only connections to the shares you provide, then this will mitigate the issue.
Moving to the Type 4 driver model ensures no binaries are copied from the server to the client and does not require the above configurations.
The client experience may feel degraded but they will be able to get squiggly lines on a piece of paper.
Thanks
Thank you for your response.
So its clear that if the printers are under control then this will mitigate the vulnerability if we are giving the rights of printer installation to end user/s.
Both group policies have been applied but still user cant install the printer driver. Please advise.