Announcement

Collapse
No announcement yet.

Prevent non admin users from installing printer drivers on 2012 R2 servers

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Prevent non admin users from installing printer drivers on 2012 R2 servers

    I have some Remote Desktop Session Host servere where we are having difficulties because users are able to install printer drivers on the RDSH servers.

    The Devices: Prevent users from installing printer drivers is set to Enabled. But it does not help.


    The only way I seem to be able to prevent users from installing printer drivers is by setting the following two policy settings in a GPO applied to the RDSH servers,

    Only use Package Point and print, Enabled

    Package Point and print - Approved servers, Enabled (FalseName.com configured as approved server)


    But if I do this, then the users are not able to make connections to the printer queues on the print server at all. Not even for those queues I myself have installed the driver for on the RDSH servers. Is there any way I can prevent non-admin users from installing drivers, when they connect to network printers which do not have a driver on the RDSH servers?

  • #2
    What indications do you see that users are installing printer drivers?

    Do you use group policy to push printers to users?
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Are you sure the printers installed aren't users "printer redirects" rather than actually installing printers?

      Comment


      • #4
        Balthier, I am experiencing this exact issue. Did you ever find a resolution?

        Comment


        • #5
          id like to know the same thing that JermeyW asked, what makes you think they are installing other drivers? is it possible that they are on a different OS or maybe there are multiple drivers installed that are being selected as default?

          if that is the case and youre sure but the GPO doesnt seem like its working or they are circumventing it, purposely or by weird permissions structure, you could try restricting write to the print driver folder once things are set up correctly.. literally denying change to everyone but admin, even SYSTEM.. that would prevent any new drivers from being installed...

          the only other thing i can think of is creating a security group to specifically deny anyone outside the admin arena. possibly an rsop on the users that you say are changing versus an admin and regular user... idk.
          its easier to beg forgiveness than ask permission.
          Give karma where karma is due...

          Comment


          • #6
            To check if your settings are working, log in yourself using a test account and try to install a new printer and/or driver. I think you are seeing what 5habbaranks has mentioned as this appears in the Event logs and I remember seeing that the RDP redirects can be removed from event logs if they are too annoying.
            |
            +-- JDMils
            |
            +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
            |

            Comment

            Working...
            X