Connecting XP Pro Clients to Network Printers on Server 2003

[Elam]

When my XP Pro clients tried to connect to network
printers on a 2003 server, they are getting a security
policy error message. This error message is preventing the
users to connect to network printers. I have to
temporarily grant them local admin rights in order to do
so. I cannot locate the local security policy that
pertains the network printers.

Please help.

 

[Alan Morris\(MSFT\)]

I assume the XP clients are all running SP1.

There is a policy on XP SP1 that prevents true connections to "untrusted"
(not in the same domain forest) servers.
http://support.microsoft.com/default.aspx?scid=kb;en-us;319939
Description of the Point and Print Restrictions Policy Setting in Windows
Server 2003 and Windows XP

a.. By default, this policy setting is not configured. If you do not
configure this policy setting, users cannot download Point and Print drivers
from computers that are not in their Active Directory forest. The result of
not configuring the setting is the same as enabling the policy and setting
it to Users can only Point and Print to machines in their Forest.

I have also seen this failure when the DC is running NT4
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[ELam]

My DC is indeed still running NT for the time being.
However, the new print server running 2000. How do I
correct the problem? I cannot find the appropriate GPO
since we do not have a forest yet, correct?

Thanks for the help.

-----Original Message-----
I assume the XP clients are all running SP1.

There is a policy on XP SP1 that prevents true connections to "untrusted"
(not in the same domain forest) servers.
http://support.microsoft.com/default.aspx?scid=kb;en- us;319939
Description of the Point and Print Restrictions Policy Setting in Windows
Server 2003 and Windows XP

a.. By default, this policy setting is not configured. If you do not
configure this policy setting, users cannot download Point and Print drivers
from computers that are not in their Active Directory forest. The result of
not configuring the setting is the same as enabling the policy and setting
it to Users can only Point and Print to machines in their Forest.

I have also seen this failure when the DC is running NT4
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh; [ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

When my XP Pro clients tried to connect to network
printers on a 2003 server, they are getting a security
policy error message. This error message is preventing the
users to connect to network printers. I have to
temporarily grant them local admin rights in order to do
so. I cannot locate the local security policy that
pertains the network printers.

Please help.

.

 

[Alan Morris\(MSFT\)]

Someone with the same config did this:

Thank you for your response.

Yes, that is the problem. I have gone into the local gpo mmc and added

power users to the 'load and unload device drivers' right. I then in turn
added our 'domain users' group to the local 'power users' group. I logged
in as a regular domain user and was able to add a network printer with the
'add printer wizard'. I am going to test if it works for typing unc paths
of the printers.
=====================================================
A couple of other suggestions:
Stay with XP gold with security updates

Install the drivers you need with a WMI script (can be performed
remotely)prndrvr.vbs. Since the driver is preinstalled, the connection is
made without having to download from the server.



Additional information:
This policy was added in SP1 for XP. The problem is the code that is used
to determine if the server is a trusted machine does not work when the
Domain Controller is NT4. The new functions that work on NT4 DCs have been
added to XP SP2.

The policy blocks copying the driver from the server, but when the driver
exists on the client or the client can install the driver from the local
driver.cab file, then the connection can be made (as you found out by
elevating the users to power users).

Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

My DC is indeed still running NT for the time being.
However, the new print server running 2000. How do I
correct the problem? I cannot find the appropriate GPO
since we do not have a forest yet, correct?

Thanks for the help.

-----Original Message-----
I assume the XP clients are all running SP1.

There is a policy on XP SP1 that prevents true connections to "untrusted"
(not in the same domain forest) servers.
http://support.microsoft.com/default.aspx?scid=kb;en- us;319939
Description of the Point and Print Restrictions Policy Setting in Windows
Server 2003 and Windows XP

a.. By default, this policy setting is not configured. If you do not
configure this policy setting, users cannot download Point and Print drivers
from computers that are not in their Active Directory forest. The result of
not configuring the setting is the same as enabling the policy and setting
it to Users can only Point and Print to machines in their Forest.

I have also seen this failure when the DC is running NT4
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh; [ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

When my XP Pro clients tried to connect to network
printers on a 2003 server, they are getting a security
policy error message. This error message is preventing the
users to connect to network printers. I have to
temporarily grant them local admin rights in order to do
so. I cannot locate the local security policy that
pertains the network printers.

Please help.

.