Allow Domain Clients to install local Printers (and Network Printers) without Admin rights via Group Policy

This is a common requirement where IT administrators face the ultimate challenge: how do you lock down a workstation but open up certain functions to make it practical? For instance, the most common requirement is to give the mobile workforce (roaming users or "road warriors") the right to install local printers without opening up the whole domain PC/laptop to full administrative access by that user.

Let's face it, if it were up to us, we wouldn't even let our users power the darn things on! But, since we all have a job to do, including our users, this guide will enable you to deploy a group policy to an organisation unit that will enable the (selected) domain users within that unit to install local printers. (Say, they have a beautiful HP inkjet at home they wish to use, or that laserjet in the remote office they travel to.)

This guide is also suitable to enable programs that require the creation of a Printer Driver during operation such as Adobe Acrobat Standard/Professional and Pegasus Opera II Enterprise client (for example). In fact, this guide was written specifically to solve the problem for the latter!

So the trick is not easy or fast! Well, unless you use Guru Guy's guide!

Pre-requisites:

1. Create a Domain Security Group of the desired domain users who will be given rights to install the printers, e.g. “Printer Users”. Add all desired members to this group.

2. Optionally, create a Domain Security Group "Printer Computers" with the desired machines/computers as members on which you want to allow printers to be installed. (By default, when you assign a Group Policy to an Organisation Unit, all machines in that unit are affected; this security group allows further filtering so that only the desired machines within that unit are affected.) This is a much more effective way to ensure that users don't have full printer rights across the whole organisation!

3. Create an Organisational Unit in Active Directory for all of the machines (computers/laptops) on which the desired users can install printers, e.g. “Test OU”. (You can use an existing OU, but see the note below! Guru Guy recommends creating a test OU for a small deployment, specifically where modification of user rights is concerned.)

4. Place a test PC or two into this OU so that only a couple of computers are affected (once complete and tested, move the rest into this OU or apply the policy to your existing OU; again, see the note below).

5. Install the Group Policy Management Tool (GPMT) to allow advanced modification and creation of domain Group Policies.

Note: Never modify the default domain policy. Always create organisational units and never include domain admins or server computers in these units. For these instructions we have created an Organisation Unit (OU) called “test”.

So, you should have:

1. Printer Users (of all desired domain users, e.g. Polly Edwards, Diane Lane etc.)

2. Printer Computers (of all desired machines as members on which your users can install printers)

3. A test Organisational Unit to deploy the Group Policy into the desired computer group, with a test workstation computer moved into the OU in Active Directory

4. Group Policy Management Tool installed
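The pre-requisites above, plus the GPO creation, linking and security filtering from steps 1-3 and 16 of the instructions below, scripted with the RSAT ActiveDirectory and GroupPolicy modules. This is an added example, not the author's script; the test PC names, user accounts and the "Users" container path are assumptions, and it also cuts Authenticated Users back to read-only so the security filter actually restricts who applies the GPO.

```powershell
# Added example, not from the guide: scripts the pre-requisites and the
# GPO create/link/filter steps (1-3 and 16 of the step-by-step) with the
# RSAT ActiveDirectory and GroupPolicy modules. Assumed values: the test
# PC names, the user accounts and the "Users" container path.
Import-Module ActiveDirectory, GroupPolicy

$domainDn     = (Get-ADDomain).DistinguishedName      # e.g. DC=guruguy,DC=local
$ouDn         = "OU=Test OU,$domainDn"
$gpoName      = 'Power Users'
$testPcs      = @('TESTPC01', 'TESTPC02')             # assumption
$printerUsers = @('pedwards', 'dlane')                # assumption

# Pre-requisites 1-2. Security groups: who may install printers, and on which machines.
foreach ($g in 'Printer Users', 'Printer Computers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDn"
    }
}
Add-ADGroupMember -Identity 'Printer Users' -Members $printerUsers

# Pre-requisites 3-4. A dedicated OU holding only the test workstations, so the
# policy never reaches servers, domain controllers or admin accounts.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Test OU'")) {
    New-ADOrganizationalUnit -Name 'Test OU' -Path $domainDn
}
foreach ($pc in $testPcs) {
    $c = Get-ADComputer -Identity $pc
    Add-ADGroupMember -Identity 'Printer Computers' -Members $c
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDn
}

# Steps 1-3: create the GPO and link it to the test OU only.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Let Printer Users install local printers' | Out-Null
}
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# Step 16: security filtering. Authenticated Users is cut back to Read (not
# Apply) so the GPO applies only to the two groups, while every computer can
# still read it, which user-side policy processing requires.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Printer Users'       -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Printer Computers'   -TargetType Group -PermissionLevel GpoApply | Out-Null

# Steps 14-15 are plain Administrative Template policies and can be set here
# (0 = Disabled); the User Rights, Security Options and Restricted Groups
# entries of steps 5-13 live in the security template and need the GPMC editor.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows NT\Printers' -ValueName 'KMPrintersAreBlocked' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -ValueName 'Restricted' -Type DWord -Value 0 | Out-Null
```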

Step-by-Step instructions

Assuming you’ve followed the pre-requisites above, continue below for deployment:

1. Open up the Group Policy Management Tool.

2. Navigate to your TEST OU, which should be located underneath the domain.

3. Create and link a new Group Policy Object (GPO) to the Organisation Unit and call it “Power Users”. This GPO will elevate users to a level that can install printers even if they are standard (restricted) domain users of that workstation/laptop and are NOT members of the local machine Administrators group. (This policy will inherently allow the user general “Power User” privileges, such as modifying the system time and date. This GPO will apply to all users of the PCs/laptops in that Organisation Unit and any members of the “Printer Users” group logging onto those PCs. For full information about the Power Users group privileges, consult the Windows XP documentation.)

4. In the new GPO, navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

5. Under “Load and Unload Device Drivers”, edit the properties.

6. Tick “Define these policy settings” and add the Printer Users group in Domain\Group format, e.g. “GURUGUY\Printer Users”. Also, be sure to add "Administrator" and "Administrators" to the list; this keeps full access for the local admins of each PC. Without adding these two, you essentially remove the privileges of the Administrators! Once done, click OK to close the policy.

7. Navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

8. Under the policy “Devices: Prevent Users from installing printer drivers”, define the policy to be “Disabled”.

9. Navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Policies. This section enables modification of the laptop/computer local user groups. What we need to do here is allow the desired "printer users" to be members of the “Power Users” group on that local PC. Warning: modification of the "Restricted Policies" is very powerful and complex. NEVER modify this policy in a way that affects domain admins, servers, domain controllers etc. This policy should only apply to a handful of desired workstation machines. For more information, consult the Microsoft Knowledge Base on Restricted Policies.

10. Right-click “Restricted Groups”, click “Add Group” and name it “Power Users”. (Make sure it is a group name that does NOT exist in the domain Active Directory so the policy is not misinterpreted.)

11. In the “Members of this group” section, add DOMAIN\GROUP, e.g. "GURUGUY\Printer Users”.

12. In the “This group is a member of” section, add and type: “Power Users”.

13. Click OK out of that window and you should have something like the below:

14. Navigate to Computer Configuration\Administrative Templates\Printers and modify the policy “Disallow installation of printers using Kernel-mode drivers” to Disabled.

15. Navigate to User Configuration\Administrative Templates\Control Panel\Printers and modify the policy “Point and Print Restrictions” to Disabled.

16. Close the GPO and view the “Scope” tab of the policy in the Group Policy Management pane. Under Security Filtering, add “Printer Users” and “Printer Computers”.

17. Once users have been assigned to both security groups, and a machine has been moved from the Active Directory “Computers” container into your new Organisation Unit, log into that machine to test the policy.

18. Type “gpupdate /force” in Start -> Run on the test workstation. This will refresh the group policy.

19. Reboot the computer, log in, and to see whether the Group Policy has taken effect, go to Control Panel -> Printers -> Add Printer. After the wizard introduction, the option to select "Local Printer" should NOT be greyed out. (Normally it is, and only "Install Network Printer" is available to choose from.) If it is still greyed out, update Group Policy again after making sure the PC is in the Organisational Unit you created, the machine you are on is a member of the "Printer Computers" group and the user you are logged in as is a member of the DOMAIN\Printer Users group.

20. Congratulations, you've now enabled your desired users to install printers on your desired PCs!
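To check the result of steps 17 to 19 on the test workstation without clicking through the Add Printer wizard, here is an added verification script (not part of the original guide); it assumes the NetBIOS domain GURUGUY, the group and OU names used above, and a domain-joined Windows 10 or later machine for Get-LocalGroupMember.

```powershell
# Added example, not from the guide: checks on a test workstation that the
# "Power Users" GPO produced the intended state (steps 17-19). Assumes the
# NetBIOS domain GURUGUY and the group/OU names used in the guide; run it
# from an elevated prompt on UAC systems so the full (unfiltered) token is shown.
$domain      = 'GURUGUY'                                # assumption
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$ppKey       = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$driversKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy Not Configured)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PrinterGpo {
    $checks = [ordered]@{}

    # The computer object sits in the OU the GPO is linked to (step 17)
    $dn = ([adsisearcher]"(sAMAccountName=$env:COMPUTERNAME`$)").FindOne().Properties['distinguishedname'][0]
    $checks['ComputerInTestOU'] = $dn -like '*OU=Test OU,*'

    # The logged-on user's token carries DOMAIN\Printer Users (step 17)
    $groups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
    $checks['UserInPrinterUsers'] = $groups -contains "$domain\Printer Users"

    # Restricted Groups placed Printer Users into local Power Users (steps 10-12)
    $pu = Get-LocalGroupMember -Group 'Power Users' -ErrorAction SilentlyContinue
    $checks['PrinterUsersInLocalPowerUsers'] = [bool]($pu | Where-Object Name -eq "$domain\Printer Users")

    # "Load and unload device drivers" right is in the token (step 6)
    $privs = (whoami /priv /fo csv | ConvertFrom-Csv).'Privilege Name'
    $checks['HasSeLoadDriverPrivilege'] = $privs -contains 'SeLoadDriverPrivilege'

    # Step 8: "Prevent users from installing printer drivers" Disabled => AddPrinterDrivers = 0
    $checks['DriverInstallNotPrevented'] = (Get-RegValue $driversKey 'AddPrinterDrivers') -eq 0
    # Step 14: kernel-mode driver block Disabled => KMPrintersAreBlocked = 0
    $checks['KernelModeDriversAllowed'] = (Get-RegValue $printersKey 'KMPrintersAreBlocked') -eq 0
    # Step 15: Point and Print Restrictions Disabled => Restricted = 0 (user hive)
    $checks['PointAndPrintUnrestricted'] = (Get-RegValue $ppKey 'Restricted') -eq 0

    [pscustomobject]$checks
}

$result = Test-PrinterGpo
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) {
    Write-Warning 'At least one check failed: run "gpupdate /force", reboot and re-check.'
}
```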