By default, non-admin users cannot install printer drivers in Windows due to insufficient privileges. Default Windows security settings require a user to have local admin permissions to install a driver. However, this is extremely inconvenient as it requires the involvement of the IT support team every time a user wants to install a new printer.
You can allow non-administrator users to install printer drivers on their Windows computers (without granting local administrator rights) by using Group Policies (GPO).
Contents
Any printer shared via a print server can be manually connected by Windows users. Just open list of printers on the print server (Win+R > \\YourPrintServerName), right-click on the shared printer you want to use and click Connect.
Such a shared printer will be added to your user profile without prompting for elevation in the following cases:
- If a printer driver used for this printer is already pre-installed (added to the Driver Store) on your computer;
- If a Type 4 User Mode printer driver is used for shared printer. The v4 class print drivers do not require client-side administrative permissions to install on client devices.
In other cases, if the printer driver is missing, the UAC “Printer driver software installation” window will appear, and you will be asked to enter the administrator credentials to install the driver.
Install the V4 Printer Drivers on the Windows Print Server
Microsoft recommends that only type 4 user mode printer drivers are used on the print server. In this case, users don’t need elevated privileges to install a driver and connect to the shared printer.
You can check the type of drivers installed on the print server using the Print Management Console.
- Open the printmanagement.msc MMC snap-in on the print server
- In the top menu, select View > Add/Remove Columns;
- Add the Type column to the list of driver properties displayed;
- For new v4-aware print drivers, the Type field will show Type 4 – User Mode. Shared printers with such drivers can be connected without administrator rights.
Install or replace v3 print drivers on the print server with v4. This is the safest and easiest way to allow non-administrators to install printers. For example, for Hewlett-Packard printers, you can use the HP Smart Universal Printing Driver for Windows V4 (64-bit).
However, not all vendors provide print drivers in v4 format. If only v3 drivers (Type 3- User Mode) are available for a shared printer, skip to the next section which describes how to allow drivers to be installed from trusted print servers using the Point and Print policy.
In this case non-admin users can only manually install a printer driver from a print server that meets the following requirements:
- The driver must be signed with a trusted digital signature;
- The driver must be packaged (Package-aware v3print drivers). Non-admin users cannot install unpacked (non-package-aware) drivers via Point and Print Restrictions policy. Packaged-aware print driver contains the True value in the Packaged column.
Enable Point and Print Restrictions Policy with GPO
The Point and Print Restrictions policy allows you to specify trusted print servers from which users can download and install drivers without UAC elevation.
- Open the domain Group Policy Management console (gpmc.msc), right-click the Active Directory OU (AD container) containing the computers to which you want to apply the policy, and create a new GPO;
- Edit your GPO;
- Go to Computer Configuration > Policies > Administrative Templates > Printers;
- Enable the policy Point and Print Restrictions;
- Check the option Users can only point and print to these servers. Enter the names (FQDNs) of the trusted print servers, separated by semicolons;
- For the last two options, select Do not show warning or elevation prompt;
Save your changes and edit the Package Point and print – Approved servers policy.
- Change the policy state to Enabled;
- Click the Show and add your trusted print server FQDNs.
Then navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Disable the policy Device: Prevent users from installing printer drivers.
Using Point and Print Policy After PrintNightmare Fix
Microsoft patches (released in August 2021) prevent non-admins from installing drivers from a remote print server using Point and Print without an elevation of privilege to administrator. This change addresses the PrintNightmare vulnerability (CVE-2021-34481) and is related to Windows Print Spooler security issues.
You can work around the new requirements by disabling the GPO option Limit print driver installation to Administrator under Computer Configuration > Administrative Templates > Printers (should be used rarely due to security risks).
If this option is missing in the GPO console, you will need to update the administrative template (ADMX) files on the Active Directory domain controller, or you can enable this setting through the registry.
Limit print driver installation to Administrator policy sets the RestrictDriverInstallationToAdministrators registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\ to 0. You can enable this registry key on a single computer by using the command:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
Or, use Group Policy to deploy this registry parameter to domain computers:
Create a new registry parameter under the GPO section Computer Configuration > Preferences > Windows Settings > Registry.
- Action: Replace
- Hive: HKEY_LOCAL_MACHINE
- Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- Value name: RestrictDriverInstallationToAdministrators
- Value type: REG_DWORD
- Value data: 0
Once this option is set, your users will be able to connect shared network printers and install print drivers from trusted print servers.
Important note! However, be very careful about using a value of zero (0) for the RestrictDriverInstallationToAdministrators parameter, as this will make your Windows vulnerable. We recommend that you set this option temporarily while you allow users to install the printer. It is desirable to return this registry key to its default value of one (1) after the printer has been installed.
Update the Group Policy settings on client computers (reboot or run the gpupdate /force command). This policy allows the non-admin user to manually install any signed package-aware v3 class driver from a trusted print server.
Printers deployed using the GPO are automatically installed on user computers after the Print Restrictions policy is applied to them (requires restart). Windows automatically downloads and installs printer drivers from trusted print servers.
If you try to connect to a printer from a server that is not in the list of trusted servers, an error will appear:
A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator.
Group PolicyPrinter
Cyril Kardashevsky
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
