Announcement

Collapse
No announcement yet.

Illegal adding driver of printer

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Illegal adding driver of printer

    Dear All,

    Could you help me? I have Windows Server 2003 TS and problem with Group Policy, i prohibited to add user's driver of printer, but anyway somebody connect with desk jet printers and add driver to server. How i can be protected from it?
    Best regards,

    Look before you leap!

    MCSA 2003, MCDBA 2000
    IT Consultant.

  • #2
    Re: Illegal adding driver of printer

    How did you prohibited the user from adding his driver?
    Have you used Computer Settings\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection\Do not allow client printer redirection, by any chance?
    If not, I would use it...
    Another thing: are you sure that the GPO you set applies to the user that added the driver?

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.
    -

    Comment


    • #3
      Re: Illegal adding driver of printer

      in general, users must be connected with their printers, but only with accepted models of printers (which drivers i installed in server). I don't understand, If i enable this GP, our users can connect with their printers or all user's printers will reject (because many of users - outside)?

      GPO is certain applied to servers.
      Best regards,

      Look before you leap!

      MCSA 2003, MCDBA 2000
      IT Consultant.

      Comment


      • #4
        Re: Illegal adding driver of printer

        Let's bring some light into this:
        - if you configure the setting I posted in the previous post, nobody will be able to connect their printers. At least not from the users/group this setting is applied to.
        - I don't know if there is any way of allow certain drivers and other not... Not with GPO, anyway, because the setting is machine-bounded.
        - are the users which connect with approved printers part of any group? Or can they be made part of a group? If so, you may want to check Local Security -> Local Policies -> User Rights Assignment -> Load and Unload device drivers . You may give the group that right, and not the others... BTW, I hope the users are not part of the local Administrators group on the TS servers.
        And you did not answer my first question: How did you prohibited the user from adding their driver?

        Sorin Solomon


        In order to succeed, your desire for success should be greater than your fear of failure.
        -

        Comment


        • #5
          Re: Illegal adding driver of printer

          In the first place, i prohibited to add drivers from users trough Local Security, such as Local Policies->User Rights Assignment->Load and unload device drivers only for Administrator and Local Policies->Security Options->Prevent users from instaling printer driver - state is Allow.

          In the second place is that users included in Local Group of Remote users only.

          In the third place is that i'm sure that they under action of my GPO, isn't it right for Local Policies?

          The fourth is that it happen with desk jet printer drivers only, they couldn't connect with laser jet printer which driver i didn't install.

          I have no idea how it can be
          Best regards,

          Look before you leap!

          MCSA 2003, MCDBA 2000
          IT Consultant.

          Comment


          • #6
            Re: Illegal adding driver of printer

            Hmmmm...
            I'm out of ideas at the moment... I hope Yuval will pop in ...

            Sorin Solomon


            In order to succeed, your desire for success should be greater than your fear of failure.
            -

            Comment


            • #7
              Re: Illegal adding driver of printer

              Hi,

              How you find out that the TS add the new driver? The TS contains a build in list for printer drivers.
              Also, you may enabled the option:

              http://technet2.microsoft.com/window...248b01033.mspx

              So you may "think" that the server is using the deskjet drivers.

              Also, I guess that the users are regular users (not local admins etc. on the TS) so
              its not practicl to users to install drivers (beside you give a local user right or/and
              add the users to admin group).

              Please check this issue + the event log.
              Best Regards,

              Yuval Sinay

              LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

              Comment


              • #8
                Re: Illegal adding driver of printer

                Hi,

                I delete printer drivers of 6 models every week from TS. These are next models:

                -Epson LQ-200
                -Epson Stylus Color 680 ESC/P 2
                -HP deskjet 845c
                -HP deskjet 940c
                -Lexmark Z12 Color jetprint
                -Lexmark Z22-Z32 Color jetprint

                I didn't activate policy for Terminal Server Fallback printer driver behavior, so it's disabled by default.

                Other printer drivers which i didn't install to dicline, i see it in Event Log, about these 6 models i'll check it today in Event Log.

                Anyway, thank you boys for your advices!
                Best regards,

                Look before you leap!

                MCSA 2003, MCDBA 2000
                IT Consultant.

                Comment


                • #9
                  Re: Illegal adding driver of printer

                  I catch in System Event Log next entries:

                  Source: Print
                  Event ID: 20
                  User: NT AUTHORITY\SYSTEM
                  Description:
                  Printer driver hp deskjet 940c for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPFDJ940.GPD, UNIDRV.HLP, HPFDJ50.INI, HPFUI50.DLL, HPFIMG50.DLL, HPF940AL.DLL, HPFDJ94X.GPD, HPFDJ200.HLP, HPFNAM50.GPD, STDNAMES.GPD, HPFUD50.DLL, UNIRES.DLL.

                  Source: Print
                  Event ID: 9
                  User: NT AUTHORITY\SYSTEM
                  Description:
                  Printer hp deskjet 940c (from PC-NOP) in session 6 was set.

                  It said that driver was added from System account and GP don't work, do you have any ideas how to protect from it?
                  Best regards,

                  Look before you leap!

                  MCSA 2003, MCDBA 2000
                  IT Consultant.

                  Comment


                  • #10
                    Re: Illegal adding driver of printer

                    The required permssion to install printer driver are local admin or:

                    http://support.microsoft.com/kb/297780

                    However, if you use GPO to push printers to users, and you dont block it from running during the TS, the GPO using NT AUTHORITY\SYSTEM as you can see in the event log
                    Best Regards,

                    Yuval Sinay

                    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

                    Comment


                    • #11
                      Re: Illegal adding driver of printer

                      I don't use GPO to push printers to users.
                      Only Administrator have rights to install drivers.
                      All outside users are in local group remote users merely.
                      It's above my mind
                      Best regards,

                      Look before you leap!

                      MCSA 2003, MCDBA 2000
                      IT Consultant.

                      Comment


                      • #12
                        Re: Illegal adding driver of printer

                        Please run gpresult to find what GPO's effect the TS and users...
                        Best Regards,

                        Yuval Sinay

                        LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

                        Comment


                        • #13
                          Re: Illegal adding driver of printer

                          Hi!

                          It's me again. I ckecked GPResult and tested working of GP. Users was applied by necessary GP and install print drivers on servers are blocked through GP, but they still install it.
                          Best regards,

                          Look before you leap!

                          MCSA 2003, MCDBA 2000
                          IT Consultant.

                          Comment


                          • #14
                            Re: Illegal adding driver of printer

                            Users cant add printer drivers they need etc. Someone give them permssion etc.
                            The trick is to find it... It can be domain/local user right, membership of group etc.
                            Best Regards,

                            Yuval Sinay

                            LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

                            Comment


                            • #15
                              Re: Illegal adding driver of printer

                              Originally posted by yuval14 View Post
                              Users cant add printer drivers they need etc. Someone give them permssion etc.
                              The trick is to find it... It can be domain/local user right, membership of group etc.
                              OK. Thank you. I'll find the truth.
                              Best regards,

                              Look before you leap!

                              MCSA 2003, MCDBA 2000
                              IT Consultant.

                              Comment

                              Working...
                              X