Security Forums

Plug and Play Printer issue for Power Users?

manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Mon Mar 12, 2007 4:29 pm    Post subject: Plug and Play Printer issue for Power Users?

Hello,

I have been setting up a bunch of notebooks for our associates the past week or so. I have been setting them up so that our consultants can log on as Power Users and have allowed all Power Users to have the ability to load and unload drivers. This seemed to be working great and I had no issues logging on as a Power User and connecting a plug and play device, specifically a printer.

Well, then one of our consultants e-mailed that he couldn't get an HP Designjet 450C to install, that he was warned that it required administrator rights. How odd I thought as he should be able to install the plotter just fine. Then another user made the same comment, though this time about a home printer of some sort. Again, he was warned that he had to be an admin to install the printer.

Why is this happening?

Regarding the DesignJet, the user clicked cancel and was warned the plotter would not work properly, but he was actually still able to plot, although any time he reconnects that plotter he has to go through that whole routine again.
stimpy99
Just Arrived
Just Arrived


Joined: 11 Sep 2005
Posts: 0


Offline

Posted: Mon Mar 12, 2007 11:01 pm    Post subject: Re: Plug and Play Printer issue for Power Users?

manning wrote:
Hello,

Well, then one of our consultants e-mailed that he couldn't get an HP Designjet 450C to install, that he was warned that it required administrator rights. How odd I thought as he should be able to install the plotter just fine. Then another user made the same comment, though this time about a home printer of some sort. Again, he was warned that he had to be an admin to install the printer.

Why is this happening?



I always, always, always, ALWAYS have problems with HP printer drivers - especially the All in One printers. They always need local admin rights - why HP (one of the biggest, if not the biggest, suppliers of corporate printers) finds it acceptable to push out software that needs LOCAL ADMIN rights! - and why WE accept it! </rant>

We have to move users to our local AD OU that allows local admin rights and then move them out again after they have installed the printers - nightmare!

If you are using AD then try setting up an OU to allow the local admin rights on a temp basis. If not you will have to do it on a local machine basis. Pain in the b*tt.

Either that or "vote with your feet" and don't buy HP printers - they can be a nightmare.

Good Luck
graycat
SF Mod
SF Mod


Joined: 29 Apr 2005
Posts: 4
Location: London, UK

Offline

Posted: Tue Mar 13, 2007 2:56 am    Post subject:

We still have a similar issue with our HP printers, but the solution I ended up implementing was to host them on a server and get the users to install them from there. The old right click - connect works a treat even as restricted users, but obviously that only works for networked printers.
manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Tue Mar 13, 2007 4:53 pm    Post subject:

Hey,

Thanks for the replies. The problem is complicated by the fact that our users are not in our office nor connected to our network when they encounter this. The first guy to let me know about this was connecting to a customer's HP DesignJet plotter when he got the error regarding admin rights. However, when he connects to an old LaserJet 5si at their facility he can PnP just fine.

Long and short is that I have no control over how they are connecting to the printers on the job site. I was wondering if there is a way around having to grant admin rights to them. We made that mistake in the past and the jerks took advantage of it and installed junk like limewire, etc.

On the other hand, while they are in our offices I have all of the printers they need pushed to them at logon via their logon script and they never have an issue connecting.

Oh, one other newly discovered detail. The guy who was connecting to the plotter said he was able to connect without issue earlier, then he cancelled a plot job and the next time he tried to connect to the plotter it started giving him trouble about admin rights. Post hoc ergo propter hoc?

EDIT
Anyway, is there no way around this? I looked on Microsoft's site about this and found that for various reasons (unsigned drivers, etc.) the device may require intervention to install and if it does the user MUST use/have admin credentials. I don't want to allow users to be admins, we've made that mistake too many times. Can I modify a security policy to get around this? I don't care if users install devices like barcode readers (required for our business), printers, etc., I just do not want them installing programs.
manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Thu Mar 22, 2007 3:45 am    Post subject:

Sorry if this is considered double posting or whatever, but I'm not sure if people read past the first page of posts or not. I really need to find a workable solution to this issue. I just cannot see granting my associates administrator rights just so they can use our customers' printers from time to time. And if they are half way across the country when they need to do this there is no way for me to easily install the printer for them.

They all have rights to load and unload drivers and I set the system policy to silently succeed when unsigned drivers are encountered but this did not help.

Please help.
stimpy99
Just Arrived
Just Arrived


Joined: 11 Sep 2005
Posts: 0


Offline

Posted: Thu Mar 22, 2007 1:29 pm    Post subject:

Quote:
Sorry if this is considered double posting or whatever, but I'm not sure if people read past the first page of posts or not.

As I am replying - obviously I do.

Your problem is that the driver software *needs* to be installed as Admin. You can either give them temp rights or remote onto the machine with an admin account and install the driver yourself.
manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Thu Mar 22, 2007 4:14 pm    Post subject:

Darn. That is really a PITA. Considering just about every admin you talk to says do not give regular joe users local admin rights, it amazes me that Microsoft would tweak XP SP2 in such a way that only admins can install printers. That really makes it inconvenient when half your users are in the field with laptops and half of them are inclined to install garbage like limewire, etc.
graycat
SF Mod
SF Mod


Joined: 29 Apr 2005
Posts: 4
Location: London, UK

Offline

Posted: Thu Mar 22, 2007 5:31 pm    Post subject:

Hhhmm, not an ideal position to be in at all.

If you're really really stuck, how about granting local admin rights but locking things down with your AV or something? Banning limewire etc via GPO and / or AV could help you cover some things. Possibly have the laptops report back on a weekly basis what they've got installed etc. Anything "bad" turns up and you fire the user for misuse of company property.

Just a few ideas.
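As an added example (not part of the original thread or any poster's code), the installed-software report suggested in the post above can be built from the Windows Uninstall registry keys and checked against a deny list. The deny-list patterns and the report path are assumptions for illustration; the script is meant to be run from a scheduled task or logon script.

```powershell
# Added example: inventory installed software and flag deny-listed names.
# $DenyPatterns and $ReportPath are constructed values, not taken from the thread.
$DenyPatterns = @('*limewire*', '*itunes*')
$ReportPath   = Join-Path $env:TEMP "$($env:COMPUTERNAME)-software.csv"

# Per-machine entries, 32-bit entries on 64-bit Windows, and per-user entries.
# HKCU matters here: some installers register per user and need no admin rights.
# It only covers the account the script runs as.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    foreach ($key in $UninstallKeys) {
        # Keys that do not exist on this machine are skipped silently.
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object @{n='Computer'; e={$env:COMPUTERNAME}},
                          DisplayName, DisplayVersion, Publisher, InstallDate
    }
}

function Test-Denied {
    param([string]$Name, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($Name -like $p) { return $true }   # -like is case-insensitive
    }
    return $false
}

$inventory = @(Get-InstalledSoftware | Sort-Object DisplayName -Unique)
$flagged   = @($inventory | Where-Object { Test-Denied $_.DisplayName $DenyPatterns })

# Full inventory goes to CSV so it can be collected and compared week to week.
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation

if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) denied package(s) on $($env:COMPUTERNAME)"
    $flagged | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
    exit 1   # non-zero exit lets a scheduler or collector alert on the result
}
Write-Output "No denied packages found; report written to $ReportPath"
```

Programs that run without an installer leave no Uninstall entry, so this report complements the executable-blocking rules discussed in the thread and does not replace them.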
manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Thu Mar 22, 2007 5:51 pm    Post subject:

Yes, not ideal at all. Ever since I announced I wouldn't be giving admin rights to everybody like we did in the past I have had a couple of users just trying to find issues with this because they were mad about losing that freedom. Now this printer issue pops up.

I was thinking about locking down via GPO, but don't really know where to start. I mean you block one piece of garbage and they find something else. McAfee does offer a maximum protection setting that blocks most installs, so maybe I'll experiment with that. As long as it doesn't keep our consultants from telnetting into our customers' systems, or block printer installs that might be the way to go.

The other thing I was thinking about was setting up a secret local user with admin rights on pain-in-the-behind users' computers. If they get into a bind and can't install something I can tell them to 'run as' the secret user for that install. Then next time they are in the office I can change the secret admin account's password and audit the user's computer. How does that sound?
graycat
SF Mod
SF Mod


Joined: 29 Apr 2005
Posts: 4
Location: London, UK

Offline

Posted: Thu Mar 22, 2007 5:57 pm    Post subject:

McAfee and GPO would be the way I'd go.

The run as local with your secret user could be tricky though as once you've told / shown them how to do it, they'll be able to run whatever they want as that user thus completely sidestepping all the restrictions you've put in.
manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Thu Mar 22, 2007 6:02 pm    Post subject:

True. As soon as they got the secret account's password they may run amuck.

Any chance there is a good template of junk programs like limewire and itunes to block?
graycat
SF Mod
SF Mod


Joined: 29 Apr 2005
Posts: 4
Location: London, UK

Offline

Posted: Thu Mar 22, 2007 6:07 pm    Post subject:

I'd grab a test PC and just install them and see what they look like. Then I'd look to add the rules to McAfee and your GPO as banned exe's. Are you running the ePolicy server along with McAfee?
manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Thu Mar 22, 2007 7:14 pm    Post subject:

No, not yet. Only server side McAfee admin program I am running right now is auto update architect. I haven't had a moment to play with ePolicy yet.
graycat
SF Mod
SF Mod


Joined: 29 Apr 2005
Posts: 4
Location: London, UK

Offline

Posted: Thu Mar 22, 2007 8:06 pm    Post subject:

Work with ePolicy and really get to know it. It has some built in rules for banning certain categories of apps such as filesharing, spyware, games etc etc. You can then create custom rules to add on to the pretty good base already in there. I like the way you can put PC's into groups and apply the policies based on that. Therefore you can have really restrictive policies for laptop users who are at most danger and more lax ones for desktop users etc.
ePolicy will also enforce the policies at a regular interval so even if they uninstall the software it'll just roll right back on.

Don't get me wrong though: this is a bodge fix and not a solution that I would like to implement personally. I'd beat them all over the head with some serious policies etc before rolling out this kind of thing as you've got to be able to back up the threat of "don't install anything on these laptops that isn't approved, or else!" :)
manning
Just Arrived
Just Arrived


Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Offline

Posted: Thu Mar 22, 2007 10:36 pm    Post subject:

Tim,

I really appreciate your help yet again. Any concerns with where ePolicy resides? I have a DC that isn't doing too much else, is it OK to run it there?
Grubbish
Just Arrived
Just Arrived


Joined: 23 Nov 2005
Posts: 0
Location: wouldn't you like to know;-)

Offline

Posted: Thu Mar 22, 2007 11:37 pm    Post subject:

You could possibly lock the laptops down with a program like comp u guard which you could allow them full access admin rights. Only problem with compuguard is that the users wouldn't be able to save anything to the hard drive:-\. If you allowed them a little bit of server hard drive space to save their work though it would eliminate that problem. Just an idea.
All times are GMT + 2 Hours
Page 1 of 2