AD printer installs require admin rights

I'm working on overhauling how we manage printers in one environment. We have a print server where folks can hit \\servername and select the printer(s) desired. This works perfectly - no UAC prompts, trust prompts, etc.

I'd like to make use of the "Add Printer / Device" (DevicePairingWizard.exe) wizard so we can have multiple print servers display in the same window. It opens, but when a non-admin attempts to add a printer it produces a UAC prompt. It only happens on printers that I don't already have a driver installed for.

This is specifically "Change Printing Settings" and references printui.exe \\servername\printer. If I cancel out it produces a 0x00000bcb for a missing driver.

The clients are Windows 10. Print server 2008r2, domain controllers 2012r2, domain level 2012r2, functional level the same.

I think the point and click restrictions are OK (based on the direct access to shares working) but the settings are as such, and defined under the computer object.

screenshot

What am I doing wrong here?

EDIT:

I have tried the "Disabled" point and print restrictions as @Ruscal and @yagmoth555 suggest without impact.

When I run the executable directly and without any arguments it still comes back with the UAC prompt. Looks like it's something embedded in the executable itself.

Looking at what this executable is supposed to do it should just pass through the command to the associated rundll command.

This fails with a UAC prompt.

C:\windows\system32\printui.exe /gm /in /n "\\printserver.mydom.com\canon1"

This is the command (captured by sysinternals procmon) it executes when run with admin rights. This command will run correctly and install the printer even without elevated permissions.

rundll32 printui.dll,PrintUIEntry /gm /in /n "\\printserver.mydom.com\canon1"

Tags: group-policy, printing
asked on Server Fault Apr 21, 2017 by Tim Brigham • edited Apr 21, 2017 by Tim Brigham

1 Answer

This is the key:

"It only happens on printers that I don't already have a driver installed for."

If your print server already has drivers staged for all printers it is managing, your users won't actually have to 'install' anything, just instantiate a virtual printer through the server. Thus, no UAC prompts.

This does mean you, as the printer server admin, have to "install" drivers for any new printers/print pools you set up. That's why they pay us the big money.

answered on Server Fault Apr 21, 2017 by George Erhard
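
An added example, not part of the original question or answer: a PowerShell check that lists the shared printers on the print server and flags those whose driver is not yet installed on the client it is run from, which are the connections the question reports as triggering the UAC prompt. It assumes Windows PowerShell 5.1 on the Windows 10 client and an account permitted to query WMI on the print server; the function name Get-PrinterDriverGap is hypothetical and the server name is the one used in the question.

```powershell
# Added example (not from the original page).
# Assumption: run in Windows PowerShell 5.1 on a Windows 10 client by an
# account that is allowed to query WMI remotely on the print server.
param(
    # Server name taken from the question; replace with your own.
    [string]$PrintServer = 'printserver.mydom.com'
)

# Hypothetical helper name, introduced for this example only.
function Get-PrinterDriverGap {
    param(
        [Parameter(Mandatory)]
        [string]$PrintServer
    )

    # Drivers already installed in the local spooler (PrintManagement module).
    $localDrivers = @(Get-PrinterDriver | Select-Object -ExpandProperty Name)

    # Win32_Printer is queried over WMI because that class is available
    # on the 2008 R2 print server described in the question.
    $shared = Get-WmiObject -Class Win32_Printer -ComputerName $PrintServer -Filter 'Shared = TRUE'

    foreach ($p in $shared) {
        [pscustomobject]@{
            Connection       = '\\{0}\{1}' -f $PrintServer, $p.ShareName
            DriverName       = $p.DriverName
            # Name-only comparison: a driver with the same name but a
            # different version on the client is not detected here.
            InstalledLocally = $localDrivers -contains $p.DriverName
        }
    }
}

# Printers with InstalledLocally = False sort first; these are the ones
# for which a non-admin user would be asked to install a driver.
Get-PrinterDriverGap -PrintServer $PrintServer |
    Sort-Object InstalledLocally, Connection |
    Format-Table -AutoSize
```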
