Change Driver Installation Security for Printers Deployed Using Group Policy
Applies To: Windows 7, Windows Server 2008 R2
Except for Windows 7 and Windows Server 2008 R2, the default security settings for legacy Windows operating systems allow a user who is not a member of the local Administrators group to install only trustworthy printer drivers, such as those provided with Windows operating systems or in digitally signed printer-driver packages.
To allow users who are not members of the local Administrators group to install printer connections that are deployed using Group Policy and include printer drivers that are not digitally signed, you must configure the Point and Print Restrictions Group Policy settings. If you do not configure these Group Policy settings, users might need to provide local Administrators group credentials.
The following procedure assumes that you are using the version of the Group Policy Management Console (GPMC) that is included with Windows Server 2008 R2. To install GPMC on Windows Server 2008 R2, use the Add Features Wizard in Server Manager. If you are using a different version of GPMC, the steps might vary slightly.
To change driver installation security settings for printers that are deployed by using Group Policy
Open the GPMC.
Open the GPO where the printer connections are deployed, and navigate to Computer Configuration, Policies, Administrative Templates, Control Panel, and then Printers.
The Point and Print Restrictions setting can also be found under User Configuration<STRONG>Policies<STRONG>Administrative Templates<STRONG>Control Panel<STRONG>Printers. This policy is ignored by Windows 7 and Windows Server 2008 R2, but is enforced by earlier editions of Windows including Windows XP with SP1, Windows Server 2003 with SP1, and Windows Server 2008. We recommend that you change this policy setting in both locations so that all down-level clients have a consistent experience.
Right-click Point and Print Restrictions, and then click Properties.
Clear the following check boxes:
Users can only point and print to these servers
Users can only point and print to machines in their forest
In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
Scroll down, and in the When updating drivers for an existing connection box, select Show warning only.
After configuring these settings, all users are able to receive printer connections and the drivers to their user accounts by using Group Policy, without prompts or warning. Users receive a warning before updated drivers from the print server are installed, but they do not need to belong to the local Administrators group to install the updated drivers.