Install printer without being administrator
Hi all,
We are planning to deploy Windows 7 and allow notebook users to install their home printers. How can we manage our laptops in a secure way, i.e. not giving the users Administrator rights and not giving them Power Users rights, but still let them install a local home printer?
Has anybody a hint for me?
Greetings from Switzerland
Werni
November 19th, 2009 11:37pm
Hi Werni,
First, log on to the ADMIN account and set up parental controls: allow the standard users to use the programs of your choice, and block the programs which the standard users cannot use.
Set a password for the ADMIN account so that it can be accessed only by administrators.
Create standard user accounts that the users can use; they can install the home printer driver and use it in the standard user accounts.
Please click here for setting up parental controls.
Hope it helps
NIKHIL
November 20th, 2009 6:07am
Hi Nikhil,
Well, sounds pretty interesting. But I thought the new option in Windows 7, which allows a user to specify different default printers depending on which network he is on, could be used to select a home printer as default printer.
Your solution is OK if the user is doing some private stuff at home. But my scenario would be just a regular laptop user, who uses his cached domain user account to log into the PC at home and who does some sort of work, and maybe he connects to the office by VPN or whatsoever.
What I am looking for is therefore a solution which allows this user
- to use his (cached) domain account, and to connect to a private printer at home
- without putting him in the local admins group or power users group
- because ideally he should not be able to install anything else than just a printer.
- Is this just a dream?
November 20th, 2009 8:16pm
Windows 7 does not ask for administrative rights as default. It will however ask for administrative rights if the user tries to add the printer by installing the software that came with it (CD or downloaded driver "setup.exe" usually require admin rights) or by adding a driver manually. The user would then need to manually choose an already existing driver without using the CD/Setup-program.
To confirm that I tried 2 different approaches:
1 - Went to "Devices and Printers". Right-clicked and clicked "Add a printer". Chose "Add a Local Printer". Chose an already existing port. Chose an already existing driver. Worked, no prompt.
2 - Went to "Devices and printers". Right-clicked and clicked "Add a printer". Chose "Add a Local Printer". Chose to add a new TCP/IP port. Entered the IP-address. Chose the device type if needed. Chose an already existing driver. Worked, no prompt.
If you need your users to be able to add their own print drivers you will have to use GPO to edit the Driver Installation policy. It is located here:
Computer Configuration\Policies\Administrative Templates\System\Driver Installation
The setting is called "Allow non-administrators to install drivers for these devices setup classes". You will need to add the device class GUID of printers.
The GUIDs can be found here:
http://msdn.microsoft.com/en-us/library/ms791134.aspx
November 21st, 2009 3:41am
Windows 7 does not ask for administrative rights as default. It will however ask for administrative rights if the user tries to add the printer by installing the software that came with it (CD or downloaded driver "setup.exe" usually require admin rights) or by adding a driver manually. The user would then need to manually choose an already existing driver without using the CD/Setup-program.
To confirm that I tried 2 different approaches:
1 - Went to "Devices and Printers". Right-clicked and clicked "Add a printer". Chose "Add a Local Printer". Chose an already existing port. Chose an already existing driver. Worked, no prompt.
2 - Went to "Devices and printers". Right-clicked and clicked "Add a printer". Chose "Add a Local Printer". Chose to add a new TCP/IP port. Entered the IP-address. Chose the device type if needed. Chose an already existing driver. Worked, no prompt.
If you need your users to be able to add their own print drivers you will have to use GPO to edit the Driver Installation policy. It is located here:
Computer Configuration\Policies\Administrative Templates\System\Driver Installation
The setting is called "Allow non-administrators to install drivers for these devices setup classes". You will need to add the device class GUID of printers.
The GUIDs can be found here:
http://msdn.microsoft.com/en-us/library/ff553426(v=vs.85).aspx
EDIT:
I've updated this with some more information as this was getting a bit old and people probably tried the same with network printers (which does not work the same way).
A few more steps are required for domain infrastructures where you add non-local printers:
Configure Group Policy settings for "Point and Print" on BOTH computer and user settings (Vista previously only had user settings). The Location of the settings can be found here in GPOs:
Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions
User Configuration\Policies\Administrative Templates\Control Panel\Printers\Point and Print Restrictions
Point and Print settings will vary on what kind of restrictions you want, but if you want users to be able to install ANY printer, with ANY driver, from ANY server, set the Point and Print settings to "Disabled".
There are also other Group Policy settings that are related to print services, but I won't list them here. They may or may not relate to your planned print infrastructure, so read through them properly and try them out in test labs if the above steps do not work for you.
November 21st, 2009 3:41am
Thank you for this post! Saved me a ton of time troubleshooting this symptom in my new Windows 7 workstation farm.
February 12th, 2010 12:58am
to get to the admin account. As long as there isn't a password on the admin account, he can just change his account to being an administrator. If that doesn't work, what does the in-house tech support have to say? They actually should be the first to talk to.
February 18th, 2010 10:59pm
Thank you!!!! This was so very helpful and your tip worked..... :)
July 21st, 2010 6:19am
@rogergh: The link you provided now comes up as "Content removed". Is there a new link someone can provide? This solution is exactly what I am looking for.
August 23rd, 2010 9:14pm
Updated link.
http://msdn.microsoft.com/en-us/library/ff553426%28v=VS.85%29.aspx
October 12th, 2010 7:56am
@Steveclements: Better late than never. Thanks so much!
October 12th, 2010 8:20am
Very Useful - Thanks.
October 14th, 2010 11:56am
This worked for me to get my students' laptops local printers installed. The question is what option do we need to allow them to uninstall local printers? I am using Windows 7 on a Server 2008 domain. Once the printer is installed they cannot uninstall it. They are "users" on the machine.
November 15th, 2010 1:03pm
That sounds great but you may be wrong in a couple of ways.
I have several network printers as my company is medium to large. Many of them are NOT "NOT" in the Windows driver database. I don't need to install special software from a CD as the drivers are provided by the server when you install it. I have many Windows XP users and all of them work fine when installing these printers. The problem exists when installing them on Windows 7. It gets 3/4 of the way through installing the printer, then asks for an admin account to finish. You said this is not by default that it will prompt. This is where I think you might need to test more. I have a Windows 2003 R2 domain controller. Nothing special was set up to not allow Win 7 users to install. So it is by default asking for a user and pass for installing a printer. This is also the case when installing a mouse or keyboard. Something in Windows XP that just worked is now in Windows 7 asking for an admin. I have added the setting this thread speaks of to the domain controller for adding the hardware GUIDs to the allowed list. I have also set up the point and print settings. At this point I am at a loss. I want the user to be able to install printers but Win7 will not allow me to do this. I may have to roll back Win7 and go with XP until this is resolved. A PLAIN howto needs to be set up by Microsoft explaining how to allow this to happen. I can't just go changing group policies until I finally get the one that resolves the issue. We also do not want to install printers using a GPO. We scale the different departments all the time, which changes printers. It would be a nightmare to administer the printers through a GPO to install them.
One last thing to add. When I am logged onto the machine as domain admin I can install these printers. So I know the drivers exist on the server.
It worked with XP; wishing it worked on Win7.
January 12th, 2011 11:20am
Completely agree, we need a document that actually works. It is very frustrating trying to change settings in the GPO and test and change and test, etc. Does anyone know of a document out there that explains this better than the standard "here is where you put device IDs in the GPO"?
January 12th, 2011 11:27am
Going to try this as a possible solution to this age old mobile user support question. - Thanks, Neutrino Bob.
February 4th, 2011 4:38pm
Hi,
The original answer was regarding standard users installing local printers. I have updated my original post with a few more steps that are needed to allow standard users to install network printers (from servers).
March 14th, 2011 5:38am
I made the changes described in the solution and they don't seem to be functioning. I added the GUIDs and set the Point and Print Restrictions to disabled under both user and computer policy settings. We are trying to allow our users to install local printers. This is on a domain. Not quite sure where to go from here. When adding the GUIDs to the policy do we need to have curly brackets around the GUID or not?
June 10th, 2011 9:41am
Yes, you include the brackets. Here is my config and it works like a champ. Note this will not allow users to install "Printer software" like the CD-Rom, but it will allow the printer driver even if not signed.
Computer Configuration -> Policies -> Administrative Templates -> Printers
- Add Printer wizard - Network scan page (Managed network) = Enabled
    Number of directory printers: 200
    Number of TCP/IP printers: 0
    Number of Web Services Printers: 0
    Number of Bluetooth printers: 0
    Number of shared printers: 0
- Point and Print Restrictions = Enabled
    Users can only point and print to these servers: Disabled
    Enter fully qualified server names separated by semicolons: <blank>
    Users can only point and print to machines in their forest: Disabled
    Security Prompts:
        When installing drivers for a new connection: Do not show warning or elevation prompt
        When updating drivers for an existing connection: Do not show warning or elevation prompt
    This setting only applies to: Windows Vista and later
Computer Configuration -> Policies -> Administrative Templates -> System/Driver Installation
- Allow non-administrators to install drivers for these device setup classes = Enabled
    Allow Users to install device drivers for these classes:
        {4D36E979-E325-11CE-BFC1-08002BE10318}
        {8FCEE422-B109-4758-9A6E-5BAB7B37996F}
HOPE THIS HELPS!
June 10th, 2011 12:52pm
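An added example, not part of any post in this thread and not Microsoft's own tooling: a read-only PowerShell check of what the Driver Installation and Point and Print Restrictions settings discussed above actually resolved to on a client, which helps when the GPO "doesn't seem to be functioning" and shows how far the prompts have been relaxed. The registry paths and value names are assumptions about where these policies are stored, the function names are hypothetical, and only the computer-side policy is read.

```powershell
# Added example: read-only audit of the values behind the GPO settings in this thread.
# Assumption: these registry paths and value names are where the policies are stored.
$classKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses'
$pnpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$guidRx   = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-PolicyValues([string]$Path) {
    # Return value name -> data for a policy key; empty table if the key does not exist.
    $out = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $out[$name] = $key.GetValue($name) }
    }
    return $out
}

function Get-PrintPolicyFindings {
    $findings = @()

    # Driver Installation: device setup classes standard users may install drivers for.
    $classes = Get-PolicyValues $classKey
    foreach ($guid in $classes.Values) {
        if ($guid -match $guidRx) {
            $findings += "Non-admins may install drivers for class $guid"
        } else {
            # The thread confirms the policy expects curly brackets around the GUID.
            $findings += "Malformed class entry (missing brackets?): $guid"
        }
    }

    # Point and Print Restrictions, computer side.
    $pnp = Get-PolicyValues $pnpKey
    if ($pnp.Count -eq 0) {
        $findings += 'Point and Print Restrictions: not configured on this machine'
        return $findings
    }
    if ($pnp['Restricted'] -eq 0) { $findings += 'Point and Print Restrictions set to Disabled' }
    if ($pnp['TrustedServers'] -ne 1) { $findings += 'No approved server list: any print server accepted' }
    if ($pnp['InForest'] -ne 1) { $findings += 'Servers outside the forest accepted' }
    if ($pnp['NoWarningNoElevationOnInstall'] -eq 1) { $findings += 'New connections: no warning or elevation prompt' }
    if ($pnp['UpdatePromptSettings'] -eq 2) { $findings += 'Driver updates: no warning or elevation prompt' }
    return $findings
}

Get-PrintPolicyFindings | ForEach-Object { Write-Output $_ }
```

Run it after `gpupdate /force` on a test client; an empty result for the first section means the device class GUIDs never reached the machine.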