Point and Print in a Cross-Forest World

[jwgoerlich]

I am configuring Power Users on WinXP machines such that they can
connect to a Win2003 print server. Administrators can connect printers
without a problem. The Power Users cannot. On the first connection, the
users see the following:

"A policy is in effect on your computer which prevents you from
connecting to this print queue. Please contact your system
administrator."

Once the initial connection to the print server has been made, Power
Users can connect and disconnect to the various shared printers. The
printers are using 3rd party user-mode drivers.

The quirk in this environment is that the users are in one domain and
the workstations are in another. These domains are in the same forest
which article 319939 suggests is unsupported. Each OU has a GPO with
the following set:

Computer Configuration
Windows Settings\Security Settings\Local Policies\Security Options
Devices: Prevent users from installing printer drivers: Disabled

Windows Settings\Security Settings\Local Policies\User Rights
Assignment
Load and unload device drivers: Administrators; Power Users

User Configuration
Administrative Templates\Control Panel\Printers
Point and Print Restrictions: Disabled

Because this symptom only exhibits itself on the initial connection, I
am looking at Point and Print as the culprit. Any suggestions or advice
appreciated.

J Wolfgang Goerlich


Related Links:

Microsoft Article 319939, Description of the Point and Print
Restrictions policy setting in Windows Server 2003 and Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;319939

Microsoft Article 888046, You receive an error message when you try to
install a shared network printer on a Windows Server 2003-based or
Windows XP SP1-based computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;888046

 

[Ace Fekay [MVP]]

In

I am configuring Power Users on WinXP machines such that they can
connect to a Win2003 print server. Administrators can connect printers
without a problem. The Power Users cannot. On the first connection,
the users see the following:

"A policy is in effect on your computer which prevents you from
connecting to this print queue. Please contact your system
administrator."

Once the initial connection to the print server has been made, Power
Users can connect and disconnect to the various shared printers. The
printers are using 3rd party user-mode drivers.

The quirk in this environment is that the users are in one domain and
the workstations are in another. These domains are in the same forest
which article 319939 suggests is unsupported. Each OU has a GPO with
the following set:

Computer Configuration
Windows Settings\Security Settings\Local Policies\Security Options
Devices: Prevent users from installing printer drivers: Disabled

Windows Settings\Security Settings\Local Policies\User Rights
Assignment
Load and unload device drivers: Administrators; Power Users

User Configuration
Administrative Templates\Control Panel\Printers
Point and Print Restrictions: Disabled

Because this symptom only exhibits itself on the initial connection, I
am looking at Point and Print as the culprit. Any suggestions or
advice appreciated.

J Wolfgang Goerlich


Related Links:

Microsoft Article 319939, Description of the Point and Print
Restrictions policy setting in Windows Server 2003 and Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;319939

Microsoft Article 888046, You receive an error message when you try to
install a shared network printer on a Windows Server 2003-based or
Windows XP SP1-based computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;888046

Have you verified that the user account is actually getting the setting
applied to them called, "Members of the Power Users group with the "Load and
unload device drivers" policy permission" thru RSOP or using the GPMC?

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...

 

[jwgoerlich]

Have you verified that the user account is actually getting the setting

applied to them called, "Members of the Power Users group with the "Load and
unload device drivers" policy permission" thru RSOP or using the GPMC?

I verified all policy settings thru the RSOP. I checked from a DC in
the users' domain and also from a DC in the workstations' domain.

Once the initial connection to the print server is made, Power Users
can connect or disconnect printers at will. This includes printers
which do not have the driver already installed. Thus, the "Load and
unload device drivers" setting appears to be working.

J Wolfgang Goerlich

 

[Alan Morris [MSFT]]

Are the clients running XP SP2?

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[jwgoerlich]

Are the clients running XP SP2?

Yes.

J Wolfgang Goerlich

 

[Ace Fekay [MVP]]

In

Yes.

J Wolfgang Goerlich

Run a "gpresult" on the client to determine what policies applied to it
please.

Ace

 

[jwgoerlich]

Run a "gpresult" on the client to determine what policies applied to it
please.

Gpresult shows that the user and computer policies are applied.

J Wolfgang Goerlich

 

[Ace Fekay [MVP]]

Ace Fekay [MVP] wrote:
Gpresult shows that the user and computer policies are applied.

J Wolfgang Goerlich

I'm at a lost at this point. I would have thought an incorrect or overriding
setting is causing it not to work. Sorry I wasn't helpful, other than if
those articles helped in any way.

Maybe Alan may have more suggestions. Otherwise, if you find the issue,
please post back and let us know.

Ace