Allow non-administrators to use GPO to install printer drivers. - Solution Views (2023)

Non-admin domain users are not allowed to install printer drivers on domain systems by default. A user with local admin capabilities should be able to install a driver (must be a member of the local Administrators group). This is beneficial from a security standpoint, since installing an improper or fake device driver could corrupt the PC or cause it to operate poorly. However, in terms of the IT department, this strategy is exceedingly cumbersome because it necessitates Support-team intervention whenever a user attempts to install a new printer driver.

Allow Non-Administrators to Install Printer Drivers configuring GPO

To begin, create a new (or change an existing) GPO object (policy) and link it to the OU (AD container) that contains the computers on which printer drivers must be installed (use the gpmc.msc snap-in to manage domain GPOs). The Local Group Policy Editor can be used on a standalone (non-domain) computer to apply the same settings (gpedit.msc)

In the Group Policy editor, expand the following branch: Security Settings > Local Policies > Security Options > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options Devices: Locate the policy Users should not be able to install printer drivers.

Set the value of the policy to Disable. When connecting a shared network printer (the printer’s driver obtained from the print-server host), this policy allows non-administrators to install printer drivers. The policy value can then be set to Disable, which means that any unprivileged user can install a printer driver as part of a shared printer connection to a machine. This policy, however, prohibits the download and installation of an untrusted (non-signed) printer driver.

Allow non-administrators to use GPO to install printer drivers. - Solution Views (1)

Allowing Installation of Printer Device GUIDs via GPO

Allowing the user to install printer drivers via GPO is the next stage. In this scenario, the GPO section Computer Configuration > Policies > Administrative Templates > System > Driver Installation contains the policy Allow non-administrators to install drivers for these device setup classes.

Enable the policy and specify which device classes users are permitted to install. Click the Show button, and in the resulting window, type two lines with the device class GUIDs for printers:

  • Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7};
  • Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}.

A complete list of Windows device class GUIDs may be found here.

(Video) Server 2022 - Allow (Print) Driver installation (Non Admins)

Members of the local Users group can install a new device driver for any device that matches the given device classes when this policy is enabled.

Note that you can enable this policy in the registry using the following command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" /v AllowUserDeviceClasses /t REG_DWORD/d 1 /f

You can find the list of allowed to install device GUIDs under the registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses.

Save

Allow non-administrators to use GPO to install printer drivers. - Solution Views (2)

Point and Print Restrictions Policy Configuration

When you try to install a shared network printer in Windows 10, an additional feature connected to the UAC (User Account Control) settings appears. If the User Account Control (UAC) is enabled, a notification appears asking you to provide the Administrator’s credentials. If UAC is turned off, and you try to install the printer as a non-admin user, the system lags for a while before displaying an error message that says “Windows cannot connect to the printer.” “Access is revoked.”

Allow non-administrators to use GPO to install printer drivers. - Solution Views (3)

You must disable the policy Point and Print Restrictions to resolve this issue. This policy may be found in the GPO editor’s Computer and User Configuration area. It is advised that both policies be disabled in order to enable compatibility with older versions of the Windows operating system. They can be found in the sections below:

  • Computer Configuration>Policies>Administrative Templates>Printers;
  • User Configuration>Policies>Administrative Templates>Control Panel>Printers

The security warnings and elevated prompts do not appear when the user tries to install the network printer or while the printer driver is upgrading if you disable this policy for Windows 10 PCs.

(Video) How to deploy shared printers using GPO

Allow non-administrators to use GPO to install printer drivers. - Solution Views (4)

Note. You can disable Point and Print Restrictions via the registry. Use the following command:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v Restricted /t REG_DWORD /d 0 /f

Set the Point and Print Restriction policy to Enabled to limit the list of print servers from which users are allowed to install print drivers without admin permissions.

Then select “Users can only point and print to these servers” from the drop-down menu. Enter a list of your trusted print servers in the “Enter fully qualified server names separated by semicolons” field (FQDN).

Select “Don’t show warning or elevation prompt” for the policy parameters “Then installing drivers for a new connection” and “Then updating drivers for an existing connection” under the “Security Prompts” section.

Allow non-administrators to use GPO to install printer drivers. - Solution Views (5)

Allowing Users to Install Printer Drivers is being tested.


The policy still needs to be tested on client machines (requires restart). Users will be able to install printer drivers without Admin permissions after rebooting and implementing Group Policy adjustments.

To successfully install the printer after installing the update KB3170455, which was released on July 12, 2016, the printer driver must match the following requirements:

A trusted digital signature must be used to sign the driver.

The driver must be well-prepared (Package-aware print drivers). It is unable to install unpacked (non-package-aware) drivers using Point and Print Restrictions.

(Video) How To Deploy Printer Driver To All Computer Using Group Policy Windows Server 2016

This implies that if you try to install the non-package-aware v3, you’ll get the message “Do you trust this printer?” along with the Install driver UAC button, which requires you to install printer drivers as an administrator.

On the print server, go to Print Management > Print Servers > Server Name > Drivers to see what type of driver you have. In the Packaged column, you may see the True value for package-aware print drivers.

Allow non-administrators to use GPO to install printer drivers. - Solution Views (6)

Printer Drivers Cannot Be Deployed After August 2021 Updates


Microsoft published a security update for Windows 10 (KB5005033) in August 2021 (2021-08-10) that made major modifications to the printer installation policy. Windows begins to require administrator access to install printer drivers after installing these and the newest security updates. This update resolves the PrintNightmare vulnerability, which is linked to vulnerabilities with Windows Print Spooler.

Microsoft published a security update for Windows 10 (KB5005033) in August 2021 (2021-08-10) that made major modifications to the printer installation policy. Windows begins to require administrator access to install printer drivers after installing these and the newest security updates. This update resolves the PrintNightmare vulnerability, which is linked to vulnerabilities with Windows Print Spooler.

CVE-2021-1675 and CVE-2021-34527 both describe the PrintNightmare RCE vulnerability. An attacker can remotely execute arbitrary code on a Windows PC by exploiting a fault in the Windows Print Spooler implementation. A malicious DLL file can be loaded into the system using this vulnerability. When you try to add a printer again, you’ll get access to this file, which runs with System privileges.

When installing a printer on a PC that has the update KB5005033 installed, a UAC popup appears:

Do you have trust in this printer?

From the computer to xxx, Windows must download and install a software driver. Proceed only if you have full trust in the computer and network.

(Video) Step by Step: how to deploying printers with group policy windows server 2016 and 2019 - GPO - 2020

Allow non-administrators to use GPO to install printer drivers. - Solution Views (7)

When you click the Install driver button, a UAC box appears, prompting you to enter your administrator credentials.
To install printers on users’ computers, Microsoft suggests using Group Policy. However, this is only applicable to v4 Package-aware print drivers. A UAC popup occurs while installing any v3 driver, asking for an administrator password.
There is a workaround if you are unable to upgrade all drivers to version 4. Install the value RestrictDriverInstallationToAdministrators =0 in the registry entry HKEY LOCAL MACHINESOFTWAREPoliciesMicrosoftWindowsNTPrintersPointAndPrint on all problem PCs.

Group Policy is the simplest approach to distribute this registry parameter to computers.

Create a new registry parameter under the GPO sectionComputer Configuration>Preferences>Windows Settings>Registry.

  • Action: Replace
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • Value name: RestrictDriverInstallationToAdministrators
  • Value type: REG_DWORD
  • Value data: 0
Allow non-administrators to use GPO to install printer drivers. - Solution Views (8)

Users will be able to connect to any printer using this registry key.

Because it renders your print servers susceptible, this is a workaround rather than a repair.

As a result, you’ll also need to set up the Point and Print Restriction policy (described above). In the “Users can only point and print to these servers” section, add trusted print servers.

Set the following as well:

  1. If you’re installing drivers for a new connection, don’t show any warnings or escalated prompts.
  2. 2.Only provide a warning when upgrading drivers for an existing connection.

FAQs

How to install printer driver without admin rights GPO? ›

2. Install printers drivers without admin rights via GPO
  1. Press the Windows + R shortcut to open Run.
  2. In the Run box, type gpedit. ...
  3. In Group Policy Editor, navigate to the following location: ...
  4. Next, in the right-pane, look for Device: Prevent users from installing printer drivers option.
Oct 3, 2022

How to install printer driver through GPO? ›

Go to 'Print Management', click on 'Printers' and right click on the printer you want to deploy and choose 'Deploy with Group Policy'. Depending on the setting you need, check either the 'The users that the GPO applies to (per user)' or 'The computers that the GPO applies to (per machine)'.

How to restrict printer driver installation ability to administrators registry? ›

To restrict this ability to Administrators and Power Users, you can tweak the registry. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan PrintServices\Servers registry subkey, then set AddPrinterDrivers to 1. The default value of 0 lets users install printer drivers.

Do you need admin rights to add a printer? ›

Administrator privileges may be required to install printer software or print out documents, depending on your computer and printer settings and hardware. If you aren't the admin for the printer on the network, you may need to reach out to the IT person for help.

How to install without admin rights? ›

How to install without admin rights?

How do I give my printer admin rights? ›

How do I give my printer admin rights?

Can power users install printer drivers? ›

Only members of the Administrator, Power Users, or Server Operator groups can install printers on the servers.

How do I let Windows manage Printers in Group Policy? ›

Using GPO: Open the group policy editor. Navigate to User Configuration → Administrative Templates → Control Panel → Printers. Find the Turn off Windows default printer management policy and enable it.

How do I prevent non admin users from installing programs? ›

How do I prevent non admin users from installing programs?

How do I disable GPO installation drivers? ›

How do I disable GPO installation drivers?

How do I give full permission to a printer in Regedit? ›

How do I give full permission to a printer in Regedit?

Can you install something without admin access? ›

You cannot simply install software without admin rights due to security reasons. Note that you only need to follow our steps, a notepad, and some commands. However, only certain apps, such as Steam, can be installed this way.

Why do you need admin rights to install software? ›

You can decide whether you want to install or not. Administrative rights protect your system from being corrupted by other user's onyour system adding software that would change settings on the system with out your knowledge. It an added security.

Is the default permission on a printer everyone? ›

The Print permission assigns the ability for users to connect to printers and to print, pause, resume, start, and cancel their own documents. By default, this permission is given to members of the Everyone group when a print queue is created.

Are printer drivers installed on printer or computer? ›

The software is downloaded from the manufacturer and installed on either a single computer or onto a server where multiple computers will access it. You'll need a printer driver for each type of printer you have in your office because each type of printer communicates differently with the computer.

Can you use printer without installing driver? ›

The direct print function is a function that transmits a file from the host terminal to the printer without the printer driver and allows the printer to detect the file and print. Therefore, you do not need to open a file to print.

How to prevent users from installing printer drivers Intune? ›

In Create Profile, Select Platform, Windows 10, and later and Profile, Select Profile Type as Settings catalog. Click on Create button. On the Basics tab, enter a descriptive name, such as Prevent Users From Installing Printer Drivers.

How do I change printer settings in Group Policy? ›

Select the Active Directory container of the domain you want to manage (an Organizational Unit or a domain). Right-click that container, and then select Properties.
...
Configure printer-specific settings for users
  1. User Configuration.
  2. Administrative Templates.
  3. Control Panel.
  4. Printers.
Feb 23, 2023

How do I turn on file and printer sharing in Windows 10 GPO? ›

Here are the steps to do it:
  1. Leave File and Printer Sharing for Microsoft Networks turned on.
  2. Type CMD in the Search bar.
  3. Right-click on Command Prompt, and select Run as Administrator.
  4. Type netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes, and hit Enter.
Feb 23, 2018

What is the difference between GPO shared printer and TCP IP? ›

Shared Printer is used when you use a print server that shares that printer. You can assign/deploy these to users or computers. TCP/IP printers are printers that are NOT shared where the computer connects directly to the printer. These can only be assigned/deployed to computers NOT users.

How do I automatically install printer drivers in Windows 10? ›

Windows 10 automatic printer install
  1. Open Control Panel.
  2. Go to Advanced System settings.
  3. Click the Hardware tab.
  4. Go to Device Installation settings.
  5. You will be asked, Do you want to download driver software and realistic icons for your devices?
  6. Select No, let me choose what to do.
  7. Click Save changes.
Jan 23, 2017

How do I manually update my printer driver? ›

Update the device driver
  1. In the search box on the taskbar, enter device manager, then select Device Manager.
  2. Select a category to see names of devices, then right-click (or press and hold) the one you'd like to update.
  3. Select Search automatically for updated driver software.
  4. Select Update Driver.

How to bypass administrator authorization? ›

On your Window's Home screen, press "Windows logo key" + "R" to open Run dialog box. Type the command “netplwiz” and hit Enter. A new interface will popup. Here, uncheck the box that reads: “Users must enter a username and password to use this computer”.

How do I force install as administrator? ›

If a program requires Administrator privileges to perform certain functions, you need to run the program as Administrator. To run a program as Administrator in Windows 10, right-click the icon in your Start menu and select Run as administrator.

What can I use instead of admin by request? ›

Admin By RequestCompetitors and Alternatives
  • BeyondTrust Endpoint Privilege Management. Compare.
  • CyberArk Privileged Access Management. Compare.
  • Delinea Secret Server. Compare.
  • Devolutions Server. Compare.
  • Delinea Cloud & Server Suite. Compare.
  • Delinea Privilege Manager. ...
  • ManageEngine PAM360. ...
  • Safeguard for Privileged Sessions.

Why is everything asking for administrator permission? ›

Why does Windows 10 keep asking for Administrator permission? Ans. It happens when you don't have the required permissions to access a file. In that case, you can take ownership of that file by right-clicking it and selecting Properties > Security.

Should a systems administrator allow users to install software? ›

System administrator is responsible for giving you administrative access. if he has given you administrative access the you can install applications or other wise he has to install for you.

What happens if I set my printer as default? ›

What happens if I set my printer as default?

Should your printer be on default? ›

Should your printer be on default?

Which printer permission is assigned by default? ›

Which printer permission is assigned by default?

How to disable let Windows manage my default printer via GPO? ›

Using GPO:
  1. Open the group policy editor.
  2. Navigate to User Configuration → Administrative Templates → Control Panel → Printers.
  3. Find the Turn off Windows default printer management policy and enable it.
  4. Force the group policy to all client computers.
Jan 11, 2022

How do I force GPO software to install? ›

To force the GPO settings you can use the gpupdate /force command. When you run the gpupdate command you will get a message saying one or more settings must be processed before the system start or user logon. This is referring to the software installed by GPO and is expected. Type Y to restart the computer.

How do I restrict printer access to Group Policy? ›

You can use printer permissions to restrict the use of printers without setting a policy. In the Printers folder, right-click a printer, click Properties, and then click the Security tab.
...
In Group Policy editor, expand the following folders:
  1. User Configuration.
  2. Administrative Templates.
  3. Control Panel.
  4. Printers.
Sep 24, 2021

How to never install driver software from Windows Update GPO? ›

Select "Advanced system settings" Select the "Hardware" tab and then select "Device Installation Settings. From this dialog select "No, let me choose what to to" Select "Never install driver software from Windows Update.

How do I stop GPO applying to administrators? ›

Use Group Policy Management Console
  1. Click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the console tree on the left, expand Forest.
  3. Expand Domains.
  4. Expand Domain Name.
  5. Expand Group Policy Objects.
  6. Click the Group Policy object that you do not want to apply to administrators.
Apr 10, 2014

How do I disable GPO as administrator? ›

Follow the below steps in GPO to resolve the misconfiguration. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Administrator account status" to "Disabled".

How do I enable GPO policy? ›

Open the Local Group Policy Editor and then go to Computer Configuration > Administrative Templates > Control Panel. Double-click the Settings Page Visibility policy and then select Enabled.

How do I allow users to install Windows updates GPO? ›

To enable Microsoft Updates use the Group Policy Management Console go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates and select Install updates for other Microsoft products.

How do I enable File and printer sharing in Group Policy? ›

Double-click "Windows Firewall: Allow file and printer sharing exception," click the "Settings" tab and select "Enabled." Type a star (*) character in the "Allow unsolicited incoming messages" box to enable the setting for all computers or type in the IP addresses for the computers you want it to apply to.

How to disable File and printer sharing using Group Policy? ›

Click Start, point to Settings, click Control Panel, and then double-click Network. Click TCP/IP->Dial-up Adapter, click Properties, and then click the Bindings tab. Click to clear the File and Printer Sharing check box, click OK, and then click OK. Restart your computer.

What is Group Policy Printers policy? ›

Deploying printers via Group Policy lets you manage your printers from a single console and also gives you granular control over which printers to deploy to individual client PCs without needing any additional software.

How to stop Windows 10 from automatically updating device drivers using Group Policy? ›

If you're running Windows 10 Pro, the simplest way to stop automatic driver updates is through Group Policy Editor. Hit Windows Key + R and type: gpedit. msc and hit Enter or click OK. Then double-click on “Do not include drivers with Windows Update” in the right pane.

Which command is used to force a computer to download GPO settings after a GPO has been modified? ›

To force your Windows computer to check for group policy changes, you can use the gpupdate /force command to trigger the updating process. This compares the currently applied GPO to the GPO that is located on the domain controllers.

Will GPO software installation install already installed applications? ›

The GPO install keeps its own APP cache with it's own list of software, and will install the app if it's not in that list, even if it is already installed.

Videos

1. How To Allow Users To Install Program Without Admin Password Using Group Policy Windows Server 2019
(Eng.Mahmoud Enan)
2. Software Installation via GPO
(Ed Goad)
3. How to Prevent Users From Installing Printers windows 10
(E Micro Tech)
4. How to Deploy Software (MSI Packages) Via Group Policy (GPO) | Windows Server 2019
(TechnoConfig)
5. How to Run Program without Admin Privileges and Bypass UAC Prompt
(ErrorAndFix)
6. LAB GUIDE:17. Deploying Printers Using Active Directory and Group Policy
(Must be Noob)

References

Top Articles
Latest Posts
Article information

Author: Zonia Mosciski DO

Last Updated: 29/08/2023

Views: 6251

Rating: 4 / 5 (71 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Zonia Mosciski DO

Birthday: 1996-05-16

Address: Suite 228 919 Deana Ford, Lake Meridithberg, NE 60017-4257

Phone: +2613987384138

Job: Chief Retail Officer

Hobby: Tai chi, Dowsing, Poi, Letterboxing, Watching movies, Video gaming, Singing

Introduction: My name is Zonia Mosciski DO, I am a enchanting, joyous, lovely, successful, hilarious, tender, outstanding person who loves writing and wants to share my knowledge and understanding with you.