Allow domain users to modify local printer settings Windows 7 via Group Policy
I've been scouring the internet for days and thus far have had zero luck in finding a solution.
Short Version:
I need to allow users to modify their locally installed printers. Specifically, they need to be able to rename the printers and change the assigned port (IP address). I'd like to be able to push this out through GPO somehow.
Long Version:
Due to a poorly designed, but business-critical application, certain printers need to be named certain things in order to be printed to from the application. This leaves only two options: Add all the various different printers that the user needs to print to the user's computer and let them rename the printer they want to print to, or allow the user to change the port (IP) that the printer prints to (all the printers are of the same type; they're just located in different places).
Up until now all of our users had local admin rights, a huge security issue that I'm attempting to mitigate, but I haven't yet found a way to allow my users to modify their printer settings in the way I need them to be able to without those rights. I've been pulling my hair out over this for days and even resorted to searching Bing to see if I got any different results from the seemingly useless ones Google kept giving me.
If it helps, the interim solution is to go in and manually change the security settings for each of the printers for our key users, but this isn't a long term viable solution.
Other details:
- We're running our domain on Windows Server 2008 R2.
- All users are on Windows 7 enterprise computers.
- All printers are being addressed via IP.
- I need a way to push these rights out via Group Policy.
- There is no centralized print server in place that is managing these printers. I'm working to implement one, but it's a time consuming process with the number of printers and sites we have to manage.
- I can in no way, shape, manner, or form get rid of the application causing me headaches. It is a business critical application.
I'd greatly appreciate any suggestions or advice anyone could give me regarding this.
"Load and unload device drivers" should do the trick. (Computer Settings -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Load and unload device drivers) Be aware that this may grant more privileges than you intend. That said, granting "Load and unload device drivers" to Power Users is arguably more secure than making your users local administrators.