Adding Network Printer Driver in Windows XP SP2

[=?ISO-8859-1?Q?Regnar_Bang_Lyngs=F8?=]

Hi,

I have run into a nagging problem with printers on our Windows XP Pro
SP2 workstations.

Problem:

If I try to add a new printer as a normal user I get the following error
(unless the driver has been installed previously):

"A policy is in effect on your computer which prevents you from
connecting to this print queue. Please contact your system administrator"

If the user is put into the "Power Users" group - everything works well.
I don't want to do that, as ordinary users shouldn't have the other
elevated rights that comes with the "Power User" status.

What am I doing wrong?

Setup:

Print server: Clustered on two member servers in same domain as clients
Clients: Run Windows XP SP2

GPO Settings:
Load and unload device drivers
Everyone, Users, NT AUTHORITY\Authenticated Users

Devices: Prevent users from installing printer drivers
Disabled

Devices: Unsigned driver installation behavior
Silently succeed (none of the drivers are signed)

Disallow installation of printers using kernel-mode drivers
Disabled (shouldn't be necessary - none of the drivers are NT drivers)

Point and Print Restrictions
Disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\Print\Providers\
LanManPrintServices\Servers\AddPrinterDrivers is set to REG_DWORD 0.

Regards
Regnar

 

[Cari \(MS-MVP\)]

See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;297780

 

[=?ISO-8859-1?Q?Regnar_Bang_Lyngs=F8?=]

See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;297780

I am not trying to add a Local Printer. I am trying to add a shared
printer on a member server.

As far as I understand http://support.microsoft.com/?kbid=319939 this
should be possible - also for users that are not Power Users?!

Regnar

 

[Cari \(MS-MVP\)]

See Bruce Sanderson's article at:

http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm

 

[=?ISO-8859-1?Q?Regnar_Bang_Lyngs=F8?=]

Hi,

I have run into a nagging problem with printers on our Windows XP Pro
SP2 workstations.

If anybody should run into this problem.

I (or rather we - if I should be fair to my colleagues) have found the
solution. The problems has nothing to do with a GPO (Group Policy).
Actually we had to change some settings on the Windows 2003 (2k3)
Cluster. Apparently Kerberos is needed to gain access to the Print$
share on the virtual server:

1. Open Cluster Administrator
2. Choose the cluster running your virtual print server.
3. In the Groups folder - choose the group owning the print service.
4. Take the print service offline
5. Choose the Name resource.
6. Right click and choose Properties.
7. Go the "Parameters" tab.
8. Check the box "Enable Kerberos Authentication"
9. Take the service back online.

Regards
Regnar

 

[Donovan Oliver]

Actually, it does have something to do with GPO, though not in a way you might normally=
consider. Regnar indicated that their GPO setting for Point and Print Restrictions=
was =E2=80=9CDisabled=E2=80=9D, but I wonder if it is instead =E2=80=9CUnconfigu=
red=E2=80=9D? If it is truly Disabled, then disregard the rest of this comment (unle=
ss you=E2=80=99re interested in the relationship between Kerberos authenticatio=
n and this GPO).

The default state, unconfigured, allows workstations to add a printer connection t=
o any print server in the same AD forest. This policy applies to XP SP1 and later (I beli=
eve). In order for the desktop to comply with this policy, it must confirm that the pri=
nt server is indeed in the same forest as the workstation. Apparently, it can only do t=
his if it can find the print server via its machine object in AD. Enabling Kerberos aut=
hentication forces the creation of a machine object for the virtual server in AD. Oth=
erwise the print server identity does not exist in AD and the desktop assumes the prin=
t server does not exist within the same forest.

See also http://support.microsoft.com/?id=3D888046 (which I hope MS will update=
to include this issue about clustered print servers).