If your environment consists of users that are local admins on the machine, this is something you should really try to get away from. Running in full administrative mode in a Windows environment is probably one of the most dangerous things that can be done from an security standpoint. One of the luxury’s of User Account Control is that it allows you to elevate privileges when needed. One of the many advantages of deploying Windows 7 is that standard users can do more then what they could do previously with Windows XP. A very common computing task for the everyday worker is installing a Network Printers. I don’t know about you, but, the last thing I want to have to do is call the IT Service Desk to assist me with this effort. Ugh! 🙂
In Windows 7, as a standard user, you’re not able to do this without making a few changes to the supporting infrastructure first. There is a computer policy you can deploy to Win7 clients in your environment.
Step by Step
- In the GPMC, right-click the OU on which you want to apply the Windows 7 Printer Policy, and choose “Create a GPO in this domain, and link it here.”
- Name the GPO something appropriate, “Windows 7 Printers”
- Right-click on the new GPO, and choose Edit from the shortcut menu to open the Group Policy Management Editor.
- Drill down to Printers by choosing Computer Configuration_Policies_Administrative Templates: Policy definition. Click Printers and double click on Point and Print Restrictions.
- Enable the Policy
- Disable the “Users can only point and print to these servers”
- Enable the “Users can only point and print to machines in their forest”
- Do not show warning or elevation prompt for both “When installing drivers for a new connection” and “When updating drivers for an existing connection.”
Here is a snippet of the Computer Configuration Policy:
Note: If you want to restrict this policy specifically for Windows 7 machines, use the following WMI filter:
Query looks like this: “Select * from WIN32_OperatingSystem where Version=’6.1.7600″ and ProductType=1”