Windows 7 / Getting Started

Allowing Nonadministrators/Power Users to Install Printers

To add a local printer to a computer in pre-Windows Vista world, the user had to be a member of the local Administrators group or be a member of the Power Users group and have the user right to load/unload device drivers. Loading drivers is the issue. Unless the driver is part of the OS, the normal user does not have permission to install the drivers needed. This is one reason normal users were made members of the local Administrators group.

With Windows Vista, the user no longer needs to be a local administrator. In Vista, a normal user can add a printer if the driver is in-box (part of the operating system) and the user is physically at the Vista machine. The in-box drivers are those contained in the trusted driver store that is part of the new Vista functionality. Any driver in the driver store is trusted and therefore available to a user.

The best practice is for administrators to add the drivers used by printers within the environment to the driver store of the desktop machines using the pnputil.exe driver store utility. Thus, all the drivers needed for the environment are available. If it's not possible to keep the driver store maintained to always include all needed drivers, users can be delegated permission to install printer drivers via group policy settings.

This policy allows digitally signed and trusted drivers to be installed by a standard user. Drivers should be digitally signed by Microsoft, a commercially acquired certificate, or an internally trusted certificate. The GUID of the device class that is being given permission to be added by a user is selected by the policy. A full list of the device classes can be found at http://msdn2.microsoft.com/en-us/library/ms791130.aspx and http:// msdn2.microsoft.com/en-us/library/ms791134.aspx. Here are some common ones:

  • Printers: {4d36e979-e325-11ce-bfc1-08002be10318}
  • Network clients: {4d36e973-e325-11ce-bfc1-08002be10318}
  • SCSI/I394 printers: {4658ee7e-f050-11d1-b6bd-00c04fa372a7}

To allow users to install drivers, enable the policy setting found in Computer Configuration, Administrative Templates, System. In the driver installation part of a GPO, enable the Allow Non-administrators to Install Drivers for These Device Setup Classes policy. After it is enabled, click the Show button, which sets the GUIDs that relate to device classes. Only normal printer drivers that can be installed by users who receive the policy are enabled. Only administrators can install nonsigned drivers, so it's important that devices come with signed drivers.

[Previous] [Contents] [Next]

In this tutorial:

  1. Windows Server File System and Print Management
  2. File System Types and Management
  3. New Technology File System (NTFS)
  4. New NTFS Features in Windows Server 2008
  5. Formatting and Managing File Systems
  6. Converting File Systems
  7. File Management
  8. File Permissions
  9. Shares
  10. NTFS Quotas
  11. Encrypted File System (EFS)
  12. Shadow Copy Feature
  13. File Server Resource Manager
  14. File Server Resource Manager Options
  15. Reporting
  16. Quotas
  17. File Screening
  18. Exporting and Importing File Screens and Quotas
  19. Print Management
  20. Print Management MMC
  21. Printer Properties
  22. Listing a Printer in the Active Directory
  23. Connecting Users to Network Printers
  24. Deploying Printers
  25. Allowing Nonadministrators/Power Users to Install Printers
  26. Migrating a Printer
  27. Automatic Network Print Addition
  28. Print Server Configuration
  29. Customizing Views of Information