Allowing Nonadministrators/Power Users to Install Printers

To add a local printer to a computer in the pre-Windows Vista world, the user had to be a member of the local Administrators group, or be a member of the Power Users group and hold the user right to load and unload device drivers. Loading drivers is the issue: unless the driver is part of the OS, a normal user does not have permission to install the drivers needed. This is one reason normal users were made members of the local Administrators group.

With Windows Vista, the user no longer needs to be a local administrator. In Vista, a normal user can add a printer if the driver is in-box (part of the operating system) and the user is physically at the Vista machine. The in-box drivers are those contained in the trusted driver store that is part of the new Vista functionality. Any driver in the driver store is trusted and therefore available to a user.

The best practice is for administrators to add the drivers used by printers within the environment to the driver store of the desktop machines using the pnputil.exe driver store utility. Thus, all the drivers needed for the environment are available. If it's not possible to keep the driver store maintained to always include all needed drivers, users can be delegated permission to install printer drivers via group policy settings.

This policy allows digitally signed and trusted drivers to be installed by a standard user. Drivers should be digitally signed by Microsoft, a commercially acquired certificate, or an internally trusted certificate. The policy identifies, by GUID, each device class that users are permitted to install. A full list of the device classes can be found at http://msdn2.microsoft.com/en-us/library/ms791130.aspx and http://msdn2.microsoft.com/en-us/library/ms791134.aspx. Here are some common ones:

  • Printers: {4d36e979-e325-11ce-bfc1-08002be10318}
  • Network clients: {4d36e973-e325-11ce-bfc1-08002be10318}
  • SCSI/1394 printers: {4658ee7e-f050-11d1-b6bd-00c04fa372a7}

To allow users to install drivers, open Computer Configuration, Administrative Templates, System, Driver Installation in a GPO and enable the Allow Non-administrators to Install Drivers for These Device Setup Classes policy. After it is enabled, click the Show button and enter the GUIDs of the device classes. With only the printer class GUIDs entered, users who receive the policy can install normal printer drivers and nothing else. Only administrators can install nonsigned drivers, so it's important that devices come with signed drivers.
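
The driver store staging recommended above, as an added example that is not part of the original page: a PowerShell script that runs pnputil.exe -a only for packages whose INF declares one of the printer class GUIDs listed here and whose catalog file carries a valid signature. The C:\DriverStaging folder and the Get-InfVersionValue helper are assumptions made for this example.

```powershell
# Added example (not from the original page). Run elevated on the desktop machine.
param([string]$DriverRoot = 'C:\DriverStaging')   # hypothetical folder of unpacked vendor drivers

# Printer setup class GUIDs as listed on this page.
$PrinterClasses = '{4d36e979-e325-11ce-bfc1-08002be10318}',
                  '{4658ee7e-f050-11d1-b6bd-00c04fa372a7}'

function Get-InfVersionValue([string]$InfPath, [string]$KeyPattern) {
    # Return the first matching "key = value" entry in the INF [Version] section.
    $inVersion = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        $t = ($line -replace ';.*$', '').Trim()               # strip INF comments
        if ($t -match '^\[(?<s>[^\]]+)\]$') { $inVersion = ($Matches['s'].Trim() -ieq 'Version'); continue }
        if ($inVersion -and $t -match "^$KeyPattern\s*=\s*(?<v>.+)$") {
            return $Matches['v'].Trim().Trim('"')
        }
    }
    return $null
}

foreach ($inf in Get-ChildItem -Path $DriverRoot -Recurse -Filter *.inf) {
    $classGuid = Get-InfVersionValue $inf.FullName 'ClassGuid'
    if ($PrinterClasses -notcontains $classGuid) {
        Write-Warning "SKIP $($inf.Name): setup class '$classGuid' is not a printer class"
        continue
    }
    # CatalogFile may carry a platform suffix such as CatalogFile.NTamd64.
    $catName = Get-InfVersionValue $inf.FullName 'CatalogFile(\.nt\w*)?'
    $catPath = if ($catName) { Join-Path $inf.DirectoryName $catName }
    if (-not $catPath -or -not (Test-Path -LiteralPath $catPath)) {
        Write-Warning "SKIP $($inf.Name): no catalog file, package is unsigned"
        continue
    }
    # 'Valid' means the signature verifies and chains to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $catPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "SKIP $($inf.Name): catalog signature is $($sig.Status)"
        continue
    }
    Write-Output "ADD  $($inf.Name) signed by $($sig.SignerCertificate.Subject)"
    # Stage the package into the driver store (-a adds the package).
    & pnputil.exe -a $inf.FullName
    if ($LASTEXITCODE -ne 0) { Write-Warning "pnputil failed for $($inf.Name) ($LASTEXITCODE)" }
}
```

The logged signer subject gives a record of which certificate each staged driver was trusted under, which is worth reviewing when internally issued signing certificates are in use.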
