In setting up a print server (Microsoft Windows Server 2008 R2) I found that a Domain User is able to create a standard TCP/IP port when adding a "local" printer, the local printer being on the network but connected to using the IP address of the printer.
I thought that a user had to be in the domain administrators group to add a standard TCP/IP port. Has this changed? Is there a policy setting that can be modified?
I want domain users to print to my network printers via my print server. I don't want them printing directly to my network printers.
Client machines are Windows 7.
Typically, the way this is handled is by having a GPO or GPP install printers from the print server for the user, and then creating a GPO that prevents users from installing printers.
Alternately, you could have your printers on a different VLAN from your clients, and block access to that VLAN from the client VLAN at the switch, so the only way for the clients to access the printers is by going through the print server (which would have access to the printer VLAN, naturally).
What HopelessN00b said.
Speaking as someone who's had the opposite problem--"How do we let non-admins install printers?"--no, you do not have to be a domain admin to install a printer.
As of Windows XP at least, and perhaps before, Power Users were able to create TCP/IP printer ports. They could not, however, install drivers unless they were local administrators or were granted "Load and Unload Device Drivers" through domain or local security policy (under User Rights Assignment).
They cannot install the software that comes with their printer unless they are local (not domain) administrators.
You should use HopelessN00b's GPO solution.
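To check whether clients already have queues that bypass the print server, the following PowerShell 2.0 audit (an added example, not code from the original posts) lists printers bound to a Standard TCP/IP port through the `Win32_Printer` and `Win32_TCPIPPrinterPort` WMI classes. The function name, the computer list and the printer subnet prefix `10.0.50.` are hypothetical placeholders.

```powershell
# Added example: find print queues that talk to a printer IP directly
# instead of going through the print server. Works on Windows 7 (PowerShell 2.0).
# Assumptions: remote WMI is reachable and run with admin rights on the targets;
# the default values below are constructed placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$PrinterSubnetPrefix = '10.0.50.'   # placeholder for the printer VLAN
)

function Get-DirectIpPrinter {
    param([string]$Computer, [string]$SubnetPrefix)

    # Map each Standard TCP/IP port name to the address it targets.
    $ports = @{}
    Get-WmiObject -Class Win32_TCPIPPrinterPort -ComputerName $Computer -ErrorAction Stop |
        ForEach-Object { $ports[$_.Name] = [string]$_.HostAddress }

    # Shared queues from a print server use the server's connection, not a local
    # TCP/IP port, so any queue matched here prints directly to the device.
    foreach ($printer in Get-WmiObject -Class Win32_Printer -ComputerName $Computer -ErrorAction Stop) {
        if (-not $printer.PortName) { continue }
        # Printer pooling stores several port names separated by commas.
        foreach ($portName in ($printer.PortName -split ',')) {
            $portName = $portName.Trim()
            if (-not $ports.ContainsKey($portName)) { continue }
            New-Object PSObject -Property @{
                Computer        = $Computer
                Printer         = $printer.Name
                Port            = $portName
                HostAddress     = $ports[$portName]
                InPrinterSubnet = $ports[$portName].StartsWith($SubnetPrefix)
            }
        }
    }
}

foreach ($computer in $ComputerName) {
    try {
        Get-DirectIpPrinter -Computer $computer -SubnetPrefix $PrinterSubnetPrefix
    } catch {
        # Unreachable or access-denied hosts are reported, not silently skipped.
        Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
    }
}
```

Any row returned is a queue to remediate before the restricting GPO or the VLAN block is applied; rows with `InPrinterSubnet` set to `True` would stop printing once client access to the printer VLAN is blocked.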