One of our support clients is just starting to test Windows 7 in their business network and have already come up against a few issues with legacy applications, which we were expecting, but one problem we did not predict was standard users not being able to add network printers from the print server… However we have now resolved this so I thought I would share the solution for anyone else having the same problem.
What we were seeing was that when a local administrator on the Windows 7 machine tried to add a printer that was shared from our printer server there were no problems, but when a non-admin user tried they got an error saying “Cannot connect to printer. Access is denied”. I searched and searched on google but the only thing I could find was relating to Windows Vista and the solution did not work for me. So I started looking at group policies on the Windows 7 machine and found one named Point and Print Restrictions which seemed to do the trick! This policy can be found in the following location:
Computer Configuration -> Administrative Tempates -> Printers
Note that you must be on a Vista/Win7/2008 machine to be able to see this policy in the group policy editor.
You can either just set this setting to Disabled or you can set it to Enabled and then specify which print servers you want users to be allowed to add printers from (personally I just set it to “any in this forest”). Now do a gpupdate from the Windows 7 computer, reboot, and you should now be able to add network printers when logged in as a regular user.
Hope that helps a few people out, and while you’re here feel free to check out all of my tools for IT Professionals on my website here: http://www.cjwdev.co.uk/Software.html
EDIT: I wrote this blog post a long time ago but it still gets hundreds of hits a week, so I thought I’d add a few more details and other things to look into if the fix mentioned above doesn’t resolve your problem.
When a non-admin user installs a printer, the printer driver needs to be installed and this is usually the reason why the Access Denied error appears (because only admins can install drivers). If a printer that uses that driver has already been installed on that PC then they won’t have a problem, so one workaround is to just log on to the user’s PC as admin and install the printer from the print server as normal so that the driver gets installed, then when the user logs back on and tries to add the printer on their profile it should work fine. The reason the GPO mentioned in the original part of this blog post works is that it basically lets non-admin users install drivers as long as those drivers came from a shared printer installation from one of the print servers in your domain (or whatever you set the GPO options to). I guess another potential solution would be to use a computer based GPO startup script or software deployment tool such as SCCM to push out a script to all of your affected user’s PCs, and have this script install the drivers for the problem printers (because it would be running as Local System it won’t have any problems with installing the drivers).
Also I think if you deploy printers via the Preferences section of a GPO, that takes care of installing the driver with admin permissions (well, running as Local System) even though the printer connection itself gets installed as the logged on user. I can’t find any technical documentation to back this up though…