Login script problems

From Install Network printers without Local admin rights in windows 7


There are TWO "Point and Print Restrictions" settings

• Computer Configuration/Policies/Administrative Templates/Printers/Point and Print Restrictions
• User Configuration/Policies/Administrative Templates/Control Panel/Printers/Point and Print Restrictions

Of these two, the one under Computer Configuration seems to be the important one. But guess what? The original Server 2008 doesn't include this setting in the list -- you need Server 2008R2 for this setting to show up. If you download the administrative templates from Server 2008 R2, extract, and copy the PolicyDefinitions folder to C:\Windows\sysvol\domain\Policies\PolicyDefinitions, this missing policy will show up magically in Group Policy Management Editor. Of course, the ADMX files from Server 2008 R2 causes Group Policy Management Editor from Server 2008 tocomplain about parse errors, but it works just fine to click "OK".




Once you've installed the proper ADMX files, for this to work in Windows 7, configure bothof these "Point and Print Restrictions" settings to:

• Enabled
• Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt
• Security Prompts, When Installing Drivers for a new connection = Do not show warning or elevation prompt

Also, don't forget to make sure the users have permission to install printer drivers, since you're not even going to try to use Admin privileges any more:

• Computer Configuration\Policies\Administrative Templates\System\Driver Installation
• The setting is called "Allow non-administrators to install drivers for these devices setup classes".
• You will need to add thedevice class GUID of printers: {4d36e979-e325-11ce-bfc1-08002be10318}

Don't forget to update the computer policy on the workstation by running "gpupdate /force". Then log on as a non-admin user, and test! It worked for me with an annoying Konica Minolta bizhub C550 fax driver that was prompting my Win7 non-admin users for privileges when the logon script tried to install the driver for them. YMMV.




Good luck!

Login script won't map printers on Windows 7

Scroll all the way to bottom to see solution.. same domain policy mentioned.

I'm about to add the template to a 2003 domain and test printer logon scripts on a 7 machine.

Let'cha know soon!

The golden KB article:

The Point and Print User configuration policy is ignored by Windows 7, Windows Server 2008 R2 and Service Pack 2 release of Windows Vista, Windows Server 2008.

EXCERPT:

NOTE: Alternatively you can disable the driver installation warning messages and elevation prompts on computers that are running Windows 7, Windows Server 2008 R2 and Service Pack 2 release of Windows Vista and Windows Server 2008 by completely disabling the Point and Print Restrictions Policy. This setting disables the enhanced printer driver installation security of Windows 7 and Windows Server 2008 R2:

Computer Configuration -> Policies -> Administrative Templates -> Printers : Point and Print Restrictions
Setting: Disable

Success!

Windows 7 machines are now mapping printers (and transparently installing their drivers) via user logon scripts in a Server 2003/2000 only domain environment (no 2008) without prompting the user or ignoring the scripts! :)

So basically, the solution was to copy the PolicyDefinitions folder from a local Windows 7 machine to the SysVol on the domain. Then use RSAT from the Windows 7 machine to connect to and manage the domain's newly "genetically engineered" GP.

Now I just need to figure out how to add 64-bit printer drivers to print shares on 2000 servers. Har har. NOT! (The servers are actually being taken out back with a baseball bat (couldn't find a sledge hammer)).

Btw, nice try HaxciD. It's not as simple a solution as your fail post suggested. But thank you for playing!

Hey there djkc909,
congrats on getting that sorted.
I've seen a number of different solutions to UAC-related issues using W7 in W2K3 domains; here is the technet link with an explanation of what happens with logon scripts as a result of the use of limited / elevated tokens - Deploying Group Policy Using Windows Vista

I've found several resolutions

i. use launchapp.wsf to postpone the execution of a logon script (see the link above) - some users have reported difficulties with this implementation
ii. registry hack - After you turn on User Account Control in Windows Vista, programs may be unable to access some network locations
iii. your solution - which I've seen mentioned elsewhere.

I'm new to RSAT, & although I have read your resolution, I don't have enough experience to 'fill in the gaps'...

If you have the time & inclination, I'd really appreciate a dig out here - what are the steps needed to implement this solution?

Thanks

GLKS

There is a conflict with Windows VISTA and later OS's for UAC. Basically, the OS gets confused as to what token to use, especially if a user has local administrative rights on the system.

Below is an example on how to force the User token to be used in mapping drives.

USE G: "\\server\path" $user $persistent

Note 1: I have only been able to utilize KiXtart 2010 to do this effectively.

Note 2: You must create or update this registry key as well.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections (RegDWORD) 1

Hope this helps.