Permissions required to delegate printer management

Hi,

I'm looking for detail around the exact permissions to allow an otherwise
unprivileged domain user to manage all aspects of printing on a print server.
The server is Windows 2003 R2 and is a domain member but not a domain
controller.

I've tried adding a domain user to the server's local 'Printer Operators'
group. When the user logs in and runs the 'Add Printer' wizard they cannot
add a local printer, but can add a network connected printer. I'm guessing
that they wouldn't be able to add a port either.

Is there some additional permission(s) I can grant the user (or a group) or
is it the case that to fully administer printers (add printers, manage
printers, manage print jobs and delete printers) you need to allow membership
of the local administrators group on the server ?

Thanks in advance for your assistance,

Gareth

Hello,

Thank you for using newsgroup!

Based on my knowledege, by default, only Administrators have the
permissions to load and unload device drivers, you need this permissions to
install a local Printer. Print Operators only have the permissions for
managering Printer, but not install Printer driver permissions. You can add
load and unload device drivers permissions to Print Operators, to do this,
refer to the following steps:
1. Type Secpol.msc in Run.
2. Expand Local Policies\User Rights assignment.
3. Locate to load and unload device drivers policy.
4. Add Print Operators account into the list.
5. Run Gpupdate /force under CMD mode.
6. Reboot computer to take affect.

Hope this helps.

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Mike,

Thanks for your response. I've followed the steps you've outlined (on R2)
and whilst the print operators now have the privilege to load and unload
device drivers, the add printer wizard will still not allow the addition of a
local printer (the option is greyed out).

Please could you let me know if there is actually a way of doing this or
whether the delegation of administration for print servers requires admin
rights on those servers ?

Many thanks,

Gareth

"Mike Luo [MSFT]" wrote:

> Hello,
>
> Thank you for using newsgroup!
>
> Based on my knowledege, by default, only Administrators have the
> permissions to load and unload device drivers, you need this permissions to
> install a local Printer. Print Operators only have the permissions for
> managering Printer, but not install Printer driver permissions. You can add
> load and unload device drivers permissions to Print Operators, to do this,
> refer to the following steps:
> 1. Type Secpol.msc in Run.
> 2. Expand Local Policies\User Rights assignment.
> 3. Locate to load and unload device drivers policy.
> 4. Add Print Operators account into the list.
> 5. Run Gpupdate /force under CMD mode.
> 6. Reboot computer to take affect.
>
> Hope this helps.
>
> Mike Luo
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

Thank you for your update.

Could you capture a screenshot of the problem?

I suggest you add the user to Power Users group, to see if the problem
persists.

Thanks & Regards,

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Mike,

As a matter of policy I prefer not to use the power users group (it just
means that there are two heavily privileged groups to watch instead of one).
I'll send a screenshot to you via email.

Thanks,

Gareth
"Mike Luo [MSFT]" wrote:

> Thank you for your update.
>
> Could you capture a screenshot of the problem?
>
> I suggest you add the user to Power Users group, to see if the problem
> persists.
>
> Thanks & Regards,
>
> Mike Luo
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

I've tested the 'power users' idea (out of curiosity) and the problem still
remains (adding a network printer is fine but it is not permitted to add a
local printer).

Thanks,

Gareth

"Gareth" wrote:

> Hi Mike,
>
> As a matter of policy I prefer not to use the power users group (it just
> means that there are two heavily privileged groups to watch instead of one).
> I'll send a screenshot to you via email.
>
> Thanks,
>
> Gareth
> "Mike Luo [MSFT]" wrote:
>
> > Thank you for your update.
> >
> > Could you capture a screenshot of the problem?
> >
> > I suggest you add the user to Power Users group, to see if the problem
> > persists.
> >
> > Thanks & Regards,
> >
> > Mike Luo
> >
> > Microsoft Online Partner Support
> > Get Secure! - www.microsoft.com/security
> >
> > =====================================================
> > When responding to posts, please "Reply to Group" via your newsreader so
> > that others may learn and benefit from your issue.
> > =====================================================
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >

Hello,

Thank you for your update!

Based on your result, it may be caused by incorrect security policies. To
reset your operating system back to the original installation default
security settings:

1. Click Start, click Run, type cmd, and then press ENTER.
2. Type secedit /configure /cfg %windir%\repair\secsetup.inf /db
secsetup.sdb /verbose, and then press ENTER. You receive a "Task is
completed" message, and a warning message that something could not be done.
You can safely ignore this message. For more information about this
message, view the %windir%\Security\Logs\Scesrv.log file.

Thanks & Regards,

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hello,

How are things going? I have not heard back from you in a few days and
wanted to check on the status of the problem. Please let me know how the
troubleshooting steps turned out.

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.