Install printers as a non admin on a laptop

**Weyland** · June 10th, 2004, 01:38 PM

I've been chartered to do the following at the place I'm working at. We have a locked down environment that does not allow users to add software or printers when attached to the network. The laptops are also setup the same way. What I'm trying to do is maintatin this security when they are off the network but allow one thing. Install Printers.

I know that there is a local security policy that is enabled by default that prevents users from installing the print drivers. Here is my question.

If i used the domain group policies and apply it to a group of laptops that is on the network and allow them to install printers, this gives them access to the network to install printers - We don't want that. I however do want the users to be able to install printers when they are off the network (because we cannot know every printer that these people have at home) How can this be done

Thanks!

Weyland

**WebHead** · June 10th, 2004, 01:42 PM

Perhaps create a group that DOES NOT allow adding printers at work. Then another group with a different name that DOES allow adding printers. Each group with it's own permissions. The the addition of printers will be defined by the user login based off the group permission settings. Not sure if you're looking for something more complicated, but thats just off the top of my head.

**Ya_know** · June 10th, 2004, 01:47 PM

I don't think you can have the best of both worlds man. You are asking too much of the existing model.

Other than having them logon locally, with local admin group (Edit: or power user) membership, when they are off line, I can't think of anything, but then you run into the multi profile issue, a real drag there.

Then I am no GP expert, there may be a way to override cached group policies with a local one once you are off line…it’s an interesting dilemma, if you come up with a solution, please do share it with us.

**cyberhh** · June 11th, 2004, 12:52 PM

One possible solution:

Create a local user account for the laptop user. Call it [username]ad - that way they realize that they are logged in using increased permissions. Give those user ID's Power User rights, this should allow them to add printers to the laptops that are available to their normal profile. Another option would be to have an OU created called "mobile workforce" and add all your laptop users to it, you could then have the group policy ignored for this OU and a new one created for them.

**Weyland** · June 11th, 2004, 03:17 PM

Thanks for all the inputs to this question. I actually have thought about all the suggestion ranging from different GPO's applied to different Groups or OU's to new userid on the local laptop to making them Power or Admins. However doing any one of those things can cause a security risk to the laptop (intentional or unintentional). Our laptops are in a lockdown state so users cannot install software or anything else for that matter when they are on the Coprorate LAN and we like to maintain that when they are off net also. So for SA's out there who don't want to give admin or power user rights to users to do a simple printer install, read on

The good news. I found a way to do this. Now a "regular" user to the laptop can have permissions to install printers without making them a local admins. Its based upon the well known runas command.

We created an executable with a third party tool called Autoit (version 3)(www.autoitscripts.com) Basically you will need to find out the name of the .cpl file that needs to be opened. In this case we need to run the "add printer" function. One caveat here though. The original source file *.au3, has the password displayed but once you convert it to an .exe, you can't really "reverse" it out to find out what the local admin password is

For those interested, here is the script:

; AutoIt Version: 3.0
; Language: English
; Platform: Win9x / NT - NOTE :this works on XP also
; Author: A.N.Other <[email protected]>
;
; Script Function:
; Template AutoIt script.
;
; ----------------------------------------------------------------------------

; ----------------------------------------------------------------------------
; Set up our defaults
; ----------------------------------------------------------------------------

;AutoItSetOption("MustDeclareVars", 1)
;AutoItSetOption("MouseCoordMode", 0)
;AutoItSetOption("PixelCoordMode", 0)
;AutoItSetOption("RunErrorsFatal", 0)
;AutoItSetOption("TrayIconDebug", 1)
;AutoItSetOption("WinTitleMatchMode", 4)

; ----------------------------------------------------------------------------
; Script Start
; ----------------------------------------------------------------------------
RunAsSet("Administrator", @Computername, "xxxxxxxxx")
Run("C:\Windows\system32\rundll32.exe printui.dll,PrintUIEntry /il", "C:\Windows\system32", @SW_MINIMIZE)

;NOTE here:xxxxxx=password of the local computer administrator

**Weyland** · June 11th, 2004, 03:20 PM

Oh I forgot. Once you convert the .au3 file to a .exe, all you do is copy the .exe to the laptop somewhere, create a shortcut to it and have the user doubleclick it to launch the Printer wizard

Cheers!