Eliminate UAC for Printer Driver installation

 

During the IT Pro Conference, someone asked if they could eliminate UAC (and the local administrator requirement) just for printer driver installations on Windows Vista machines.  Printer drivers are the most difficult issue when it comes to removing the requirement for local administrator access to a machine.  I've monkeyed with this a little and I have more research to do, but I think I found a way to solve this predicament: Point and Print.  This feature was included in Windows XP, and in Windows Vista we require local administrator privileges to install these drivers.  There is a Group Policy setting that tells Windows Vista not to require local administrator privileges for printer drivers that are already installed on your servers.  This is the Point and Print functionality...

Below is a screen capture of the Group Policy setting that disables the local Point and Print Restrictions.  This will allow Windows Vista users to install printer drivers without local administrator permission.  This is a Local Machine policy, but you should also be able to define an AD-based Group Policy to do the same thing.  Let me warn you: the reason we require local administrator privileges is to prevent malicious device drivers.  This setting will allow any device driver to be installed.  Now, you can define the policy setting Package Point and print - Approved Servers to allow users to install printer drivers from only an approved list of servers.  This will allow normal users to install any printer driver once it's been approved and installed on your servers.

To disable the Point and Print Restrictions, you need to get to the screen below.  To do that, click on Start (or the Vista Pearl) and, in the Search box, type mmc and press Enter.  Once the management console comes up, choose File -> Add/Remove Snap-in...  Choose Group Policy Object and then click Add...  If you are defining a local policy, choose Local Computer.  If you are an AD admin, you should know how to set an AD group policy.  If not, let me know and I'll include those instructions later.  Once you click OK, you should be back at the Local Computer Policy screen like below.  Go ahead and expand the Local Computer Policy, and then choose User Configuration -> Administrative Templates -> Control Panel -> Printers.  There you can disable the Point and Print Restrictions.

 

[Screen capture: PointPrint, the Point and Print Restrictions policy setting]

Once you make this local policy change, you need to either reboot your computer or go to a command prompt and execute the command gpupdate /force to ensure the local policy gets applied.  Now you should be able to browse to a local server and double-click on a shared printer.  The printer driver will then install without requiring local administrator privileges.
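
To verify what the policy actually applied after gpupdate /force, the following PowerShell audit reads the Point and Print policy values and reports whether the restrictions are disabled. It is an added example, not part of the original post; the registry path and the value names (Restricted, TrustedServers, ServerList, InForest) are assumptions about where this policy is stored, and the function names are hypothetical.

```powershell
# Added example, not from the original post.
# Assumption: the Point and Print Restrictions policy is stored under this key,
# in HKCU for the User Configuration policy and HKLM for a computer policy.
$SubKey = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Names  = 'Restricted', 'TrustedServers', 'ServerList', 'InForest'

# Hypothetical helper: copy the policy values that exist into a hashtable.
function Read-PointAndPrintPolicy {
    param([string]$Hive)
    $values = @{}
    $path = "${Hive}:\$SubKey"
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path
        foreach ($name in $Names) {
            if ($null -ne $item.$name) { $values[$name] = $item.$name }
        }
    }
    return $values
}

# Hypothetical helper: turn the policy values into a one-line finding.
function Get-PointAndPrintFinding {
    param([string]$Scope, [hashtable]$Values)
    if (-not $Values.ContainsKey('Restricted')) {
        return "${Scope}: not configured, Windows default prompts apply"
    }
    if ($Values['Restricted'] -eq 0) {
        return "${Scope}: DISABLED, users can install drivers from any print server"
    }
    $limits = @()
    if ($Values['TrustedServers'] -eq 1) { $limits += "servers: $($Values['ServerList'])" }
    if ($Values['InForest'] -eq 1)       { $limits += 'servers in the forest' }
    if ($limits.Count -eq 0) {
        return "${Scope}: enabled, but no server restriction is set"
    }
    return "${Scope}: enabled, limited to " + ($limits -join '; ')
}

# Constructed sample: the state the setting described in this post leaves behind.
Get-PointAndPrintFinding -Scope 'sample' -Values @{ Restricted = 0 }

# Live check of the user and computer policy hives on this machine.
foreach ($hive in 'HKCU', 'HKLM') {
    Get-PointAndPrintFinding -Scope $hive -Values (Read-PointAndPrintPolicy $hive)
}
```

A DISABLED finding on a machine where you intended to allow only approved servers means the broad setting is in effect and should be replaced with the approved-server list.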

Give this a try and let me know how it works for you.

Until next time!

Rob

Published Thursday, May 22, 2008 12:02 AM by rwagg

Comments

# re: Eliminate UAC for Printer Driver installation

Thanks for this.

This is exactly what I needed to do, but unfortunately it doesn't work for me, at least not as a Domain level AD Group policy.

My users are still being prompted for the administrator logon in order to install the drivers. I love the fact that UAC means I don't have to worry anymore about users trying to 'do their own thing' without having loads of messy Group Policies, but the printer driver issue is causing me a real headache.

Do you think if I visited each machine and created a local policy it might work? I did do an RSOP having logged on to the domain and it is definitely picking up the new policy, it just doesn't seem to make any difference.

Tuesday, May 27, 2008 7:37 AM by David

# re: Eliminate UAC for Printer Driver installation

David,

Super question, and the answer is yes, you can even do this in a domain.  If the Domain Group Policy does not override these local policy settings, you could set this policy on each machine, but the better solution is to set this policy at the domain level, not the local machine level.  I started with the local policy to cover some of the basics of local group policy.

Let me be VERY CLEAR.  If you modify domain group policies, you have the power to affect incredible change, positive or negative.  Please DO NOT deploy a domain group policy without fully testing it.  Test, test, test!

With that said, yes, you can create a domain policy and it will apply to all of your Windows Vista machines.  If you are still using Server 2003 or SBS 2003 as your domain controllers, you will need to extend your schema first.  I am planning to blog about the details of this scenario very soon.

Thanks for the question!

Friday, May 30, 2008 10:52 AM by rwagg

# re: Eliminate UAC for Printer Driver installation

Great tips....waiting with anticipation of your next post on how to do this across an AD domain - will save my admins an enormous amount of time.

Thanks for your work.

John

Saturday, May 31, 2008 8:08 PM by John

# re: Eliminate UAC for Printer Driver installation

It's a huge step forward in Administration Security. Now we don't need to give Local Admin rights to Domain Users on their PCs, having the excuse of printer installation.

Just need this feature also on Windows XP...

Do you have any hint on this?

Friday, August 29, 2008 4:54 AM by Rui Araujo

# re: Eliminate UAC for Printer Driver installation

I took a quick look at your question this morning and ran across support.microsoft.com

It says that Administrator Credentials are required in Windows XP.  I do not think we can do this in XP; that was one of the big pushes for Windows Vista.  If I find anything more encouraging, I'll pass it on.

Thanks for the comments!

Rob

Friday, August 29, 2008 9:18 AM by rwagg

