Norell-5232 asked FrankTZE-8830 commented

Non admin user can't install driver from shared printer

I am running into a problem where a non-admin user cannot install the shared printer. If I use an admin user there is no problem at all.

I have tried the following:
- Turn off password in the host computer in the advanced sharing settings.
- Turn on file and printer sharing in the host computer in the advanced sharing settings.
- Reinstall the printer driver on the client computer using an admin user.

I got stuck with the credentials below even though my user and password are correct.

188116-image.png


188080-image.png

188132-image.png


windows-server-print

The issue is caused by a permission problem.

Apart from local administrators permission, there is another local group called "Device Owners" which can serve the purpose.

Instead of placing the group of users in the local administrators group, you can consider placing them in the local "Device Owners" group.

The device owners group can be reached by "Computer Management --> Local users and groups --> Groups --> Device Owners"

TheAlanMorris answered

@Norell-5232 ,

What's up with the IP rather than a machine name?

Is this a workgroup configuration?

If you do not need to know who is printing, enable the guest account so all jobs go into the print system as guest.

As long as the machine is not running a Home version of Windows, use the MMC Local Users and Groups snap-in to enable the guest account.

Thanks

LimitlessTechnology-2700 answered SyedFahadAli-5266 commented

Hi @Norell-5232

By default, non-admin domain users do not have permission to install the printer drivers on domain computers. To install a driver, the user should have local admin privileges (must be a member of the local Administrators group).

You can use Group Policy to allow users permission to install printers.

Create a new (or edit an existing) GPO object (policy) and link it to the OU (AD container) that contains the computers on which it is necessary to allow users to install printer drivers (use the gpmc.msc snap-in to manage domain GPOs). You can implement the same settings on a standalone (non-domain) computer using the Local Group Policy Editor (gpedit.msc).

Expand the following branch in the Group Policy editor: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Find the policy Devices: Prevent users from installing printer drivers.

Set the policy value to Disable. This policy allows non-administrators to install printer drivers when connecting a shared network printer (the printer's driver is downloaded from the print-server host). When you set the policy value to Disable, any unprivileged user can install a printer driver as a part of a shared printer connection to a computer. However, this policy does not allow downloading and installing an untrusted (not signed) printer driver.

The next step is to allow the user to install the printer drivers via GPO. In this case, we are interested in the policy Allow non-administrators to install drivers for these device setup classes in the GPO section Computer Configuration > Policies > Administrative Templates > System > Driver Installation.

Enable the policy and specify the device classes that users should be allowed to install. Click the Show button and, in the window that appears, add two lines with the device class GUIDs corresponding to printers:

Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7};
Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}.
You can find a full list of the device class GUIDs in Windows here.

When you enable this policy, members of the local Users group can install a new device driver for any device that matches the specified device classes.

Note. You can enable this policy through the registry using the command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" /v AllowUserDeviceClasses /t REG_DWORD /d 1 /f

You can find the list of device GUIDs that are allowed to be installed under the registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses.

Now save the policy.


I hope this answers your question.

Thanks.


--If the reply is helpful, please Upvote and Accept as answer--


We have procured Managed Print Services and are facing the same issue after the updates. If we allow the users as you defined as a workaround, doesn't it make the environment vulnerable? Please advise.

TheAlanMorris answered

@SyedFahadAli-5266

This all depends if you prevent the client from connecting to any shared printers outside of your control. If you secure the print server environment and allow only connections to the shares you provide, then this will mitigate the issue.

Moving to the Type 4 driver model ensures no binaries are copied from the server to the client and does not require the above configurations.

The client experience may feel degraded but they will be able to get squiggly lines on a piece of paper.

Thanks
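
A read-only way to check what a client actually has configured for the settings named in the answers above (an added example, not part of the original thread; the helper name and report fields are illustrative). It assumes that the "Devices: Prevent users from installing printer drivers" option is stored in the AddPrinterDrivers value, and it reads the Point and Print Restrictions policy key as one way to limit clients to print servers you control.

```powershell
# Added example, read-only: reports the settings discussed in this thread.
function Get-RegValue {                      # hypothetical helper name
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$restrictions  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$pointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'

# Device setup class GUIDs named in the answer above.
$printerClasses = @{
    '{4658ee7e-f050-11d1-b6bd-00c04fa372a7}' = 'Printer'
    '{4d36e979-e325-11ce-bfc1-08002be10318}' = 'PNPPrinters'
}

# GUIDs listed under the AllowUserDeviceClasses subkey (one string value per class).
$allowed  = @()
$classKey = Join-Path $restrictions 'AllowUserDeviceClasses'
if (Test-Path $classKey) {
    $key = Get-Item -Path $classKey
    $allowed = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

$report = [ordered]@{
    # "Devices: Prevent users from installing printer drivers": 1 = enabled, 0 = disabled
    AddPrinterDrivers      = Get-RegValue $lanman 'AddPrinterDrivers'
    AllowUserDeviceClasses = Get-RegValue $restrictions 'AllowUserDeviceClasses'
    AllowedClassGuids      = $allowed -join ', '
    # Point and Print Restrictions policy: limits clients to named print servers
    TrustedServers         = Get-RegValue $pointAndPrint 'TrustedServers'
    ServerList             = Get-RegValue $pointAndPrint 'ServerList'
    # Not mentioned in the thread: 0 lets non-admins install Point and Print drivers
    RestrictToAdmins = Get-RegValue $pointAndPrint 'RestrictDriverInstallationToAdministrators'
}

$findings = @()
$unexpected = @($allowed | Where-Object { -not $printerClasses.ContainsKey($_) })
if ($unexpected.Count -gt 0) {
    $findings += "Non-printer classes are user-installable: $($unexpected -join ', ')"
}
$userInstall = ($report.AddPrinterDrivers -eq 0) -or ($allowed.Count -gt 0)
if ($userInstall -and -not ($report.TrustedServers -eq 1 -and $report.ServerList)) {
    $findings += 'Users may install printer drivers, but no trusted print server list is set.'
}
[pscustomobject]$report | Format-List
$findings
```

Run it in an elevated or standard PowerShell session on the client; an empty findings list means user installs are either not enabled or are paired with a named server list.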

SyedFahadAli-5266 answered

Thank you for your response.

So it's clear that if the printers are under control then this will mitigate the vulnerability if we are giving the rights of printer installation to end user/s.

SyedFahadAli-5266 answered

Both group policies have been applied but the user still can't install the printer driver. Please advise.
