Eliminate UAC for Printer Driver installation

 

During the IT Pro Conference, someone asked if they could eliminate UAC (and the local administrator requirement) just for printer driver installations on Windows Vista machines. Printer drivers are the most difficult issue when it comes to removing the requirement for local administrator access to a machine. I've monkeyed with this a little, and I have more research to do, but I think I found a way to solve this predicament: Point and Print. This feature was included in Windows XP; in Windows Vista, we require local administrator privileges to install these drivers. There is a Group Policy setting that tells Windows Vista not to require local administrator privileges for printer drivers that are already installed on your servers. This is the Point and Print functionality...

Below is a screen capture of the Group Policy setting that disables the local Point and Print Restrictions. This will allow Windows Vista users to install printer drivers without local administrator permission. This is a Local Machine policy, but you should also be able to define an AD-based Group Policy to do the same thing. Let me warn you: the reason we require local administrator privileges is to prevent malicious device drivers. This setting will allow any device driver to be installed. To narrow that, you can define the policy setting Package Point and Print - Approved Servers so that users can install printer drivers only from an approved list of servers. This will allow normal users to install any printer driver, once it's been approved and installed on your servers.

To disable the Point and Print restrictions, you need to get to the screen below. To do that, click on Start (or the Vista Pearl), type mmc in the Search box, and press Enter. Once the management console comes up, choose File -> Add/Remove Snap-in... Choose Group Policy Object and then click Add... If you are defining a local policy, choose Local Computer. If you are an AD admin, you should know how to set an AD group policy. If not, let me know and I'll include those instructions later. Once you click OK, you should be back at the Local Computer Policy screen like below. Go ahead and expand the Local Computer Policy, and then choose User Configuration -> Administrative Templates -> Control Panel -> Printers. Then you're able to disable the Point and Print Restrictions.

 

[Screen capture: Point and Print Restrictions policy setting (PointPrint)]

Once you make this local policy change, you need to either reboot your computer, or go to a command prompt and execute the command gpupdate /force to ensure the local policy gets applied. Now you should be able to browse to a local server and double-click on a shared printer. The printer driver will then install without requiring local administrator privileges.
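
To confirm what a machine actually has applied after gpupdate, this read-only PowerShell check reports the Point and Print Restrictions state and any approved-server list, and flags the case the warning above describes. It is an added example, not part of the original post; the registry key and value names it reads (PointAndPrint\Restricted, PackagePointAndPrint\PackagePointAndPrintServerList, ListofServers) are assumptions not stated in the post, being the locations these policy templates write to.

```powershell
# Added example: read-only report of the policy state discussed in the post.
# Assumption: the registry key and value names below are not given in the post.
$base = 'Software\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

function Get-PointAndPrintState {
    param([string]$Hive)  # 'HKCU:' = User Configuration, 'HKLM:' = Computer Configuration
    $pnp = "$Hive\$base\PointAndPrint"
    $pkg = "$Hive\$base\PackagePointAndPrint"
    $restricted = Get-PolicyValue $pnp 'Restricted'
    $listOn     = (Get-PolicyValue $pkg 'PackagePointAndPrintServerList') -eq 1

    # Approved servers are stored as values under the ListofServers subkey.
    $servers = @()
    $key = Get-Item -Path "$pkg\ListofServers" -ErrorAction SilentlyContinue
    if ($key) { $servers = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) }

    if ($null -eq $restricted)  { $state = 'Not configured' }
    elseif ($restricted -eq 0)  { $state = 'Disabled' }
    else                        { $state = 'Enabled' }

    # The post's caveat: restrictions disabled with no approved-server list
    # means nothing limits which servers users install drivers from.
    $warn = ($state -eq 'Disabled') -and (-not $listOn -or $servers.Count -eq 0)

    New-Object PSObject -Property @{
        Hive                 = $Hive
        Restrictions         = $state
        ApprovedListEnabled  = $listOn
        ApprovedServers      = ($servers -join ', ')
        UnrestrictedInstalls = $warn
    }
}

'HKCU:', 'HKLM:' | ForEach-Object { Get-PointAndPrintState $_ } |
    Select-Object Hive, Restrictions, ApprovedListEnabled, ApprovedServers, UnrestrictedInstalls |
    Format-List
```

Run it as the user the policy targets so the HKCU result reflects that user's applied settings.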

Give this a try and let me know how it works for you.

Until next time!

Rob

 

 
