Written by Ian Matthews November 7, 2007

PREAMLE: Because it is theoretically possible to disguise a Trojan as a print driver, Microsoft has configured Vista to block domain users (or any standard, non-administrator users) from installing new or updated printer drivers.  After more than 11 hours of work with Microsoft techs and 6 hours on my own over the course of four months, I finally stumbled on the answer.

PROBLEM:  A non-administrator user attempts to install a print driver using Point and Print (i.e. Windows is supposed to load the driver from the server) but the user sees the following “Windows cannot connect to the printer.  Access is denied”. error:

Windows cannot connect to the printer.  Access is denied error

SOLUTION: As per page 8 of the white paper entitield “Vista Point and Print Security” which you can download HERE use Group Policy to set USER CONFIG, ADMIN TEMPLATES, CONTROL PANEL, PRINTERS, POINT AND PRINT RESTRICTIONS to DISABLED.  According to that document (but not according to the help text you can see in the screen shot below), this will set Vista to operate the same way Windows XP does (i.e. correctly!).

 Windows 2003 Server SP2 Group Policy for Point and Print Restrictions

If you are still having problems you should check the local security policy and domain Group Policy have the following setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer Drivers

Makre sure Devices: Prevent users from installing printer Drivers is DISABLED

The Group Policy default is NOT CONFIGURED and the local Vista machine default is DISABLED.  That is the way is should be.

The easiest way to check this setting is to click START, RUN, RSOP.MSC and press ENTER.  This will run the Resultant Set Of Policies report which will readily show the settings and where the came from.  The screen shot below show what the “solution” above should look like.

Windows Vista 32 RSOP Help

Note that the text help in Vista’s RSOP is substantially different and more correct than the text help from Group Policy Editor on Windows 2003.  Up until now I had wrongly beleived that XP’s and Vista’s RSOP help text came directly from the Domains Group Policy server.

You can also find the articles on the web and a few KBase notes about using the following procedure, but I find this useless because it still requires the Vista PC to have the printer driver already installed and there is no way I would have my users go through this process.  On the off chance it helps someone, I have included the process below:

1. Click Start and enter printers in the start search to open Printers window.
2. Right-click the blank field in this window to select Add Printer.
3. Select “Add a local printer”
4. Select the Port for the printer.
5. Click Have Disk to provide the correct printer driver to install it.
6. After completing the installation and reestablish Remote Desktop connection to test the issue.

I hope this helps!


Questions or Comments?