Allow user to add local printer and change time zone

Guest · Jun 20, 2006

I am trying to lock down the user desktop from installing software. All of
the users are part of the restricted users and I am OK with that. The
problem I am running into is the user can not add a local printer or change
the time zone. Some of our sale people need to do that since they are always
on the road. I check the local security policy but did not see an option. I
thought giving the permission to change the system time would allow them to
change the time zone but didnt. Any help would be appreciative.

Lanwench [MVP - Exchange] · Jun 20, 2006

In

johnisccp said:
I am trying to lock down the user desktop from installing software.
All of the users are part of the restricted users and I am OK with
that. The problem I am running into is the user can not add a local
printer or change the time zone. Some of our sale people need to do
that since they are always on the road. I check the local security
policy but did not see an option. I thought giving the permission to
change the system time would allow them to change the time zone but
didnt. Any help would be appreciative.

Are you using AD?

I believe you can use group policy to allow users to install printers - if
you're using AD you should apply this from your server, but even if you
aren't, you can do it on the local computer policy.

Computer configuration\Windows settings\Security settings\Local
Policies\Security options....
Find "Devices: Prevent users from installing printer drivers"
Tick "Define this policy setting"
and then choose Disabled.

Re the time zone change - I probably wouldn't want to do this myself. What's
the real point? If you use AD and they change the actual system time, things
will get botched when they come back to the office network. They may not
need to actually do this anyway; if you use Outlook they can change the time
zone in there (add additional time zones to the calendar), for example. That
said, you can go to

Computer configuration\Windows settings\Security settings\Local
Policies\User rights assignment....
Find "Change the system time"
Tick the box to define it, and then add the users/groups you wish.

Guest · Jun 20, 2006

Thanks for replying back Lanwench. I already disable Prevent users from
installing printer driver. I am trying to allow them to add a local printer.
The user can add a network printer but for some sale people they would need
to add a local pinter on the road. I understand what you mean about the
timezone.

Thanks

Lanwench [MVP - Exchange] · Jun 20, 2006

In

johnisccp said:
Thanks for replying back Lanwench. I already disable Prevent users
from installing printer driver. I am trying to allow them to add a
local printer. The user can add a network printer but for some sale
people they would need to add a local pinter on the road. I
understand what you mean about the timezone.

Did you try the GP setting I mentioned, exactly? You don't need to do
anything to let domain users add *network* printers; that's permitted by
default. I believe the GP stuff referred to will apply to *local*
printers....

And also, you never answered my question about a domain/AD. In addition to
the time change concerns, note that if something is prohibited via policy
"upriver," you can't enable it easily 'downstream'.

Steven L Umbach · Jun 21, 2006

Hey Lanwench. The following KB article may help that states that the user
must be a power user and have the right to install device drivers. ---
Steve

http://support.microsoft.com/?kbid=297780

SUMMARY
This article describes the user rights that a user must have to install or
to modify a local printer on a Microsoft Windows XP-based or Microsoft
Windows 2000-based computer.
MORE INFORMATION
To install or to modify a local printer, either of the following conditions
must be true: . You must be logged on as an administrator or a member of the
Administrators group.
. You must be logged on as a member of the Power Users group and have
the Load/Unload Device Drivers user right. The Load/Unload Device Drivers
user right is a Group Policy setting.

"Lanwench [MVP - Exchange]"

Lanwench [MVP - Exchange] · Jun 22, 2006

In

Steven L Umbach said:
Hey Lanwench. The following KB article may help that states that the
user must be a power user and have the right to install device
drivers. --- Steve

Thanks, Steve -

Drat. I do tend to leave my laptop users with power user rights...for many

reasons. I would love to avoid it said:
http://support.microsoft.com/?kbid=297780

SUMMARY
This article describes the user rights that a user must have to
install or to modify a local printer on a Microsoft Windows XP-based
or Microsoft Windows 2000-based computer.
MORE INFORMATION
To install or to modify a local printer, either of the following
conditions must be true: . You must be logged on as an administrator
or a member of the Administrators group.
. You must be logged on as a member of the Power Users group and
have the Load/Unload Device Drivers user right. The Load/Unload
Device Drivers user right is a Group Policy setting.

"Lanwench [MVP - Exchange]"

In

Did you try the GP setting I mentioned, exactly? You don't need to do
anything to let domain users add *network* printers; that's
permitted by default. I believe the GP stuff referred to will apply
to *local* printers....

And also, you never answered my question about a domain/AD. In
addition to the time change concerns, note that if something is
prohibited via policy "upriver," you can't enable it easily
'downstream'.

Click to expand...

Steven L Umbach · Jun 22, 2006

Well as long as they don't have the user right for to install device drivers
then they should not be able to install printers if that is an issue. Laptop
users are a difficult case and you have to do what you have to do and
Software Restriction Policies via computer configuration can help lock them
down. Hope all is going well your way. --- Steve

"Lanwench [MVP - Exchange]"

Steven L Umbach said:
In

Steven L Umbach said:

Hey Lanwench. The following KB article may help that states that the
user must be a power user and have the right to install device
drivers. --- Steve

Click to expand...

Thanks, Steve -

Drat. I do tend to leave my laptop users with power user rights...for many

reasons. I would love to avoid it said:

http://support.microsoft.com/?kbid=297780

SUMMARY
This article describes the user rights that a user must have to
install or to modify a local printer on a Microsoft Windows XP-based
or Microsoft Windows 2000-based computer.
MORE INFORMATION
To install or to modify a local printer, either of the following
conditions must be true: . You must be logged on as an administrator
or a member of the Administrators group.
. You must be logged on as a member of the Power Users group and
have the Load/Unload Device Drivers user right. The Load/Unload
Device Drivers user right is a Group Policy setting.

"Lanwench [MVP - Exchange]"

In johnisccp <[email protected]> typed:
Thanks for replying back Lanwench. I already disable Prevent users
from installing printer driver. I am trying to allow them to add a
local printer. The user can add a network printer but for some sale
people they would need to add a local pinter on the road. I
understand what you mean about the timezone.

Did you try the GP setting I mentioned, exactly? You don't need to do
anything to let domain users add *network* printers; that's
permitted by default. I believe the GP stuff referred to will apply
to *local* printers....

And also, you never answered my question about a domain/AD. In
addition to the time change concerns, note that if something is
prohibited via policy "upriver," you can't enable it easily
'downstream'.

Thanks

:

In johnisccp <[email protected]> typed:
I am trying to lock down the user desktop from installing
software. All of the users are part of the restricted users and I
am OK with that. The problem I am running into is the user can
not add a local printer or change the time zone. Some of our
sale people need to do that since they are always on the road. I
check the local security policy but did not see an option. I
thought giving the permission to change the system time would
allow them to change the time zone but didnt. Any help would be
appreciative.

Are you using AD?

I believe you can use group policy to allow users to install
printers - if you're using AD you should apply this from your
server, but even if you aren't, you can do it on the local computer
policy.

Computer configuration\Windows settings\Security settings\Local
Policies\Security options....
Find "Devices: Prevent users from installing printer drivers"
Tick "Define this policy setting"
and then choose Disabled.

Re the time zone change - I probably wouldn't want to do this
myself. What's the real point? If you use AD and they change the
actual system time, things will get botched when they come back to
the office network. They may not need to actually do this anyway;
if you use Outlook they can change the time zone in there (add
additional time zones to the calendar), for example. That said, you
can go to

Computer configuration\Windows settings\Security settings\Local
Policies\User rights assignment....
Find "Change the system time"
Tick the box to define it, and then add the users/groups you wish.

Click to expand...

Click to expand...

User rights for time zone changing	1	Feb 12, 2009
Can't add local printer-greyed out	1	Apr 18, 2008
Domain Users can't change time zone	1	Jan 20, 2010
Local Power User on domain	1	Jul 28, 2010
Local security group restrictions	1	Oct 25, 2006
Can't remove site from restricted zone	3	Feb 29, 2008
Allow "Power User" to add local Plug-n-Play printer	1	Aug 29, 2006
Power User Cannot Add Local Printer	1	Apr 16, 2009

Allow user to add local printer and change time zone

Guest

Lanwench [MVP - Exchange]

Guest

Lanwench [MVP - Exchange]

Steven L Umbach

Lanwench [MVP - Exchange]

Steven L Umbach

Ask a Question

Similar Threads