I'm at my wits' end on this one.
Scenario
End-user is trying to print at home to her wireless printer, a LaserJet Pro M1217nfw. Every time she tries to connect, it asks for admin privileges to install the driver.
After some research, I find this article:
I make the changes to the two printer classes in Group Policy. I've ensured that the GPO has been applied to the laptop. Using a laptop with the same GPO, I was able to get my home USB printer to connect (using my normal user privs, no elevation). Great!
When my user tries it at home, though, she isn't able to get any farther than a UAC prompt. This happens when she tries to do this wirelessly or via a USB port to tes.
My theory is that I need to add another device type. If there is a way for me to determine what Device Class that printer is asking for, I suspect I could just add the GUIDs to the GPO, but I don't know how to determine that. Nothing is leaping out at me in Event Viewer.
So:
1.) What am I doing wrong for laptops accessing home printers?
OR
1A.) Is this not a best practice at all to let users install printers on work laptops? If that's the case, how do you manage users' home printing?
2.) If my solution is just to add a Device Class, how do I find out what Device Class a peripheral is identifying itself?
I've run into this before, and we had to install a third party group policy plugin that provides admin privileges to processes rather than users to do it. We used this one:
http://www.beyondtrust.com/Products/PowerBrokerForWindows/
but there are probably other, similar products that do similar things.
Basically, I had to go in and download a bunch of printer drivers and approve them by publisher (HP, Dell, Epson, etc.). We also approved a bunch of other software, and gave our users an approved software list and install directions.
The USB port method would not work unless you also included the USB device class, {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
I found in our environment we also had to mess with the point and print restrictions. http://support.microsoft.com/kb/2307161/en-us
Could this be an issue locally as opposed to GPO? I've ran into an issue like this before with a domain user trying to install a print device, software, or anything in general.
I didn't resolve this through GPO but instead through user account management locally in Control Panel. Under Manage User Accounts in the User Accounts tab in Control Panel, after adding both the users domain account and their corresponding local account in the list of users granted access to the machines (in their respective group), and then rebooting, I was able to eliminate the prompts for admin privileges for these processes.
From my experience with printers I have noticed that the user requires admin rights to install the printer and to change its settings.
Are your users local admins on their machines?
I allow all device drivers to be installed (using a GPO).
To avoid needing admin rights, I had to set the driver GPO to NOT look for updated drivers on Windows update. Without that change, my users weren't to get any farther than a UAC prompt on the domain or off.