Except for Windows 7 and Windows Server 2008 R2, the default security settings for legacy Windows operating systems allow a user who is not a member of the local Administrators group to install only trustworthy printer drivers, such as those provided with Windows operating systems or in digitally signed printer-driver packages.
To allow users who are not members of the local Administrators group to install printer connections that are deployed using Group Policy and include printer drivers that are not digitally signed, you must configure the Point and Print Restrictions Group Policy settings. If you do not configure these Group Policy settings, users might need to provide local Administrators group credentials.
The following procedure assumes that you are using the version of the Group Policy Management Console (GPMC) that is included with Windows Server 2008 R2. To install GPMC on Windows Server 2008 R2, use the Add Features Wizard in Server Manager. If you are using a different version of GPMC, the steps might vary slightly.
|To change driver installation security settings for printers that are deployed by using Group Policy|
Open the GPMC.
Open the GPO where the printer connections are deployed, and navigate to User Configuration, Policies, Administrative Templates, Control Panel, and then Printers.
Right-click Point and Print Restrictions, and then click Properties.
Clear the following check boxes:
- Users can only point and print to these
- Users can only point and print to machines
in their forest
- Users can only point and print to these servers
In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
Scroll down, and in the When updating drivers for an existing connection box, select Show warning only.
After configuring these settings, all users are able to receive printer connections and the drivers to their user accounts by using Group Policy, without prompts or warning. Users receive a warning before updated drivers from the print server are installed, but they do not need to belong to the local Administrators group to install the updated drivers.