Local Printers

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Why is the right to add local printers restricted to Power Users? What harm can they do? I don't want my users to be Power Users. I just want them to be able to take thier laptops home and connect to thier printers. Does anyone know a way to do this?
 
I usually add my users domain accounts (Domain Users group) to the local
Administrators group. That way they have full control over their PCs w/o
compromising network's security.
..
 
One way to accomplish this would be to create a special user group. in our
case 'Local machine Admins' on the domain. Drop this group in the local
administrators group of every computer. Whenever user needs to make a
change that requires them to be an administrator, you can drop that user in
this domain group, and take him out when done. In this way no permanent
admin. rights would get assigned to the user.

The restriction not to add printers stems from control over device driver
installation; if you can install the most common printer drivers in your
standard image, then they can simply select an existing printer (or the
nearest match). I have not done this personally, so don't know of a clean
way to accomplish this.


Vance said:
I run a military network so I keep the machines locked down as much as
Click to expand...
possible. Some of the things users put on their machines can compromise
network security. eg. kaaza, stock tickers, etc.
 
One problem. He said users want to be able to add printers when they are at
home (while not on the network). I don't see how this solution would work
unless they VPN in.
 
If they logged in once to the domain while they are members of the said
group, their credentials would be cached, and they can still log in at home
without being connected to work and get it done.

They can also put the laptop in 'suspend' mode and avoid a log on.
 
Got ya.

Seeker said:
If they logged in once to the domain while they are members of the said
group, their credentials would be cached, and they can still log in at
home
without being connected to work and get it done.

They can also put the laptop in 'suspend' mode and avoid a log on.
Click to expand...
 
Glad to hear that; for a moment I thought you were gonna be difficult!!

Just kidding :-) Have a good weekend.
 
No actually, I wasn't sure how cached logins worked in regards to domain
group memberships. Thanks for clearing that up.
 
Back
Top