AndrewAronoff-4978 asked AndrewAronoff-4978 answered

Erratic operation of Print Server

I volunteer for a small non-profit that has a domain under Windows 2019 Standard server. Print Server has been added as a role. Group Policy has been configured to allow domain users to add and remove printers.

Server 2019 was preceded by Server 2008, under which printers on the print server could be added and removed by any domain user -- the print server thus worked splendidly under Server 2008.

Under Server 2019, it simply doesn't work.

All of our workstations are under Windows 10, either 32 or 64 bit, either version 20H2 or 21H2. The anti-virus is Windows Defender. All of our domain users are in the same OU. All of the workstations are Dells of various vintages.

I attempted installation of 3 print server printers, which I'll call HP1, HP2 and B1, on 4 workstations, which I'll call A, B, C and D. On A, all 3 printers could be installed by a domain user. On B, only HP1 could be installed. On C, only B1 could be installed. On D, only HP1 and B1 could be installed.

When installation failed, it was always due to the same error:

Error #740

Pressing the details button revealed error 0x000002e4, the requested operation requires elevation.

There were no distinctive differences between the workstations.

I researched error 740 and found this article, which did not include a solution:

Windows: Shared Printer Cannot Be Added (Error 740)

I am unable to get the Print Server to operate as designed on all the workstations.

Does anyone have a suggestion?

best regards, Andy


windows-server-2019 windows-server-print

AndrewAronoff-4978 answered

FOA, thanks for your reply.

Yes, all roles are on a single physical machine. I don't need to run as admin to install all the printers on all the workstations, just certain printers on certain workstations. It's not clear to me why the workstations behave so differently. If one workstation can permit all three printers to be installed from the Print Server, why not every workstation? What should I monitor to figure out what the problem is?

best regards, Andy


LimitlessTechnology-2700 answered

Hello @AndrewAronoff-4978

You can control this with 2 different policies:

1st: You need to "unlock" the regular users: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Find the policy Devices: Prevent users from installing printer drivers. (set to Disable)

2nd: Allow non-administrators to install drivers for these device setup classes in the GPO section Computer Configuration > Policies > Administrative Templates > System > Driver Installation.

Enable the policy and specify the device classes that users should be allowed to install. Click the Show button and in the appeared window add two lines with device class GUID corresponding to printers:

Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7};
Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}.

Reference to the full list of classes: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors?redirectedfrom=MSDN

Hope this helps with your query,


AndrewAronoff-4978 answered

Thanks for your reply.

As I stated in my first message, "Group Policy has been configured to allow domain users to add and remove printers." Later in the message, it was stated that on one workstation, "all 3 printers could be installed by a domain user." On other workstations, either one or two printers could be installed by a domain user.

So, domain users are able to install one, two or all three printers on a given workstation due to the changes that were made to Group Policy. (The two changes you listed and a third involving the disabling of Point and Print restrictions.) If a domain user cannot install a particular printer on that workstation, no other domain user can, either.

I'm trying to find out why all of the printers on the print server cannot be installed by any domain user on any workstation. Of course, that's how the print server should work.

regards, Andy


TheAlanMorris answered

Do you mean adding printers to the server or adding connections to the shared printers ?

The new Windows requirement is that client systems require administrative rights to install the software from the server. The software is the print driver.

If the clients are not admin, the default Windows behavior is to prevent the connection creation.


AndrewAronoff-4978 answered

Hi, TheAlanMorris,

Adding printers to the print server is done with a domain admin account on the server. Once the printers are listed in active directory, those printers can be installed and uninstalled by any domain user, not just admins, provided the appropriate changes have been made to Group Policy. This works in Server 2008 and, for now, it works for some printers on each workstation in Server 2019. (As I've already posted, on one workstation it works for all 3 of our printers, on another it works for 1 printer and on a third it works for 2 printers. I stopped my trials at that point.) I'm trying to find out how to get it to work for all printers listed in active directory on all workstations joined to the domain.

regards, Andy


AndrewAronoff-4978 answered

Here's the best article I've found to allow non-administrators to install printer drivers listed in active directory on the print server.

Note that the article refers to a registry change mandated after the PrintNightmare hotfix from August 2021. I haven't tried that yet, but it doesn't explain why some printers are able to install on some workstations.

If MS has explained this behavior, I'd certainly like to read about it.

regards, Andy




TheAlanMorris answered TheAlanMorris edited

If you have not added the registry setting, the admin access is a requirement on the clients when Type 3 drivers are used for the shared printer.

When Type 4 drivers are used for the share, no software is copied to the client so admin access is not required for software installation. You know this software as the print driver.

Are you using Type 4 drivers for all shared printers? Type 3 for all or a mix?

If a mix, then the Type 4 connections can be added to the all clients.

The Type 3 connections will require admin access unless you have preinstalled the driver on the client system.

If the driver exists on the client then the client spooler will create the connection to the share using the preinstalled software.


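The Type 3 versus Type 4 distinction in the reply above is something you can check from PowerShell rather than by clicking through Print Management. The following is an added example, not code from this thread or from Microsoft: the first function, run on (or against) the print server, lists every shared printer with its driver's MajorVersion (3 = Type 3, whose software must be copied to the client; 4 = Type 4); the remaining functions run on a workstation and show the "preinstalled driver" route for Type 3 shares, which lets a non-admin connect without lowering the PrintNightmare mitigation. The server name PRINTSRV, the share \\PRINTSRV\HP1 and the INF path are placeholders, not values from the thread.

```powershell
# Added example, not code from the thread. Assumes a print server named PRINTSRV
# and a share \\PRINTSRV\HP1 (both placeholder names); adjust to your environment.
# Requires the PrintManagement module (present on Windows 10 and Server 2019).

function Get-SharedPrinterDriverType {
    # Run on the print server, or against it with -ComputerName from a machine
    # that has the Print Management RSAT. MajorVersion 3 = Type 3 (v3) driver,
    # whose software is copied to the client; MajorVersion 4 = Type 4 (v4).
    param([string]$ComputerName = 'PRINTSRV')   # assumed server name

    $drivers = Get-PrinterDriver -ComputerName $ComputerName
    Get-Printer -ComputerName $ComputerName |
        Where-Object { $_.Shared } |
        ForEach-Object {
            $printer = $_
            $drv = $drivers | Where-Object { $_.Name -eq $printer.DriverName } | Select-Object -First 1
            [pscustomobject]@{
                Printer             = $printer.Name
                ShareName           = $printer.ShareName
                DriverName          = $printer.DriverName
                DriverType          = if ($drv) { "Type $($drv.MajorVersion)" } else { 'unknown' }
                # Type 3 shares need the driver on the client before a non-admin can connect
                NeedsClientSoftware = [bool]($drv -and $drv.MajorVersion -lt 4)
            }
        }
}

function Test-ClientDriverPresent {
    # Run on the workstation. $true when the local spooler already holds the
    # named driver, so a Type 3 connection can be created without elevation.
    param([Parameter(Mandatory)][string]$DriverName)
    [bool](Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)
}

function Install-StagedPrinterDriver {
    # Run once, elevated, on the workstation: stage the driver package into the
    # driver store and register it with the spooler. After this, non-admin users
    # can add the matching Type 3 share without touching
    # RestrictDriverInstallationToAdministrators. $InfPath and $DriverName are
    # placeholders for your own driver package.
    param(
        [Parameter(Mandatory)][string]$InfPath,     # e.g. C:\Drivers\HP\hpcu250u.inf (assumed)
        [Parameter(Mandatory)][string]$DriverName   # exact name shown by Get-PrinterDriver on the server
    )
    & pnputil.exe /add-driver $InfPath /install | Out-Null
    # 0 = success, 3010 = success but reboot required
    if ($LASTEXITCODE -notin 0, 3010) { throw "pnputil failed with exit code $LASTEXITCODE" }
    Add-PrinterDriver -Name $DriverName -ErrorAction Stop
    Test-ClientDriverPresent -DriverName $DriverName
}

function Add-SharedPrinterConnection {
    # Run as the (non-admin) domain user. Win32 error 740 (0x2E4,
    # ERROR_ELEVATION_REQUIRED) is what the thread reports when the client would
    # have to install driver software to complete the connection.
    param([Parameter(Mandatory)][string]$ConnectionName)   # e.g. \\PRINTSRV\HP1 (assumed)
    try {
        Add-Printer -ConnectionName $ConnectionName -ErrorAction Stop
        [pscustomobject]@{ Connection = $ConnectionName; Result = 'added' }
    } catch {
        [pscustomobject]@{ Connection = $ConnectionName; Result = $_.Exception.Message }
    }
}

# Usage (server side, then client side):
# Get-SharedPrinterDriverType | Format-Table
# Test-ClientDriverPresent -DriverName 'HP Universal Printing PCL 6'
# Add-SharedPrinterConnection -ConnectionName '\\PRINTSRV\HP1'
```

Run Get-SharedPrinterDriverType first: any row with NeedsClientSoftware set to True is a share that will hit error 740 for a non-admin unless Test-ClientDriverPresent already returns True on that workstation, which is exactly the per-workstation inconsistency described in the question when driver stores differ from machine to machine.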

AndrewAronoff-4978 answered

If the driver exists on the client then the client spooler will create the connection to the share using the preinstalled software.

So, a couple of things I need to do are add the registry setting to HKLM and install all the drivers on each workstation. Then I'll be able to install the printers from the print server without elevation, since that's my objective.

Do you agree?

regards, Andy


AndrewAronoff-4978 answered

Yeah, I know, we don't like talking about ways to put our domains at risk, but MS really needs to fix the PrintNightmare problem and not simply patch it.

Here's what I learned:

Domain users can install printers from the Windows Server 2019 print server without elevated privileges provided Group Policy is properly configured:

  1. Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Devices: Prevent users from installing printer drivers | DISABLED

  2. Computer Configuration | Policies | Administrative Templates | System | Driver Installation | ENABLED with the following two classes added: {4658ee7e-f050-11d1-b6bd-00c04fa372a7} and {4d36e979-e325-11ce-bfc1-08002be10318}

  3. Computer Configuration | Policies | Administrative Templates | Printers | Point and Print Restrictions | DISABLED

  4. User Configuration | Policies | Administrative Templates | Control Panel | Printers | DISABLED

Also, the driver type installed on the print server must be type 4. The driver type is visible in Print Management.

If the driver type is type 3, an additional change must be made that leaves the workstation unprotected from the PrintNightmare threat.

The following registry change must be pushed to the workstations:

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000000

IMHO, there are far too many changes to allow domain users to install printers without elevated privileges. I could certainly understand a simple enable/disable with a type 4 driver requirement. Type 3 printers could simply not be installed without elevated privileges.

But the changes listed above appear to work for all domain user accounts on all workstations. It does not explain why we initially had so many differences between workstations, but I'll ascribe it to Type 3 drivers on the server. That'll have to do.

best regards, Andy

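The four Group Policy items listed above (and the two that LimitlessTechnology-2700 named earlier) each write a registry value on the workstation, so the quickest way to tell why one client behaves differently from another is to read those values after gpupdate. The following audit function is an added example, not code from the thread or from Microsoft. It reports each setting's current value and whether it matches what Andy lists. The registry locations for items 1 to 3 and for RestrictDriverInstallationToAdministrators are the documented backing values of those policies; the reading of item 4 is an assumption, because the post does not name the individual policy under Control Panel > Printers, so the two user-side settings that commonly block printer installs are both checked.

```powershell
# Added example, not code from the thread. Reads the registry values behind the
# GPO settings in Andy's list plus the RDITA value, so you can confirm what
# actually reached a given workstation. Item 4 mapping is an assumption (see
# lead-in); everything else is the documented policy backing value.

function Get-PrinterInstallPolicyState {
    $pp   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $lan  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
    $drv  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
    $uPP  = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $uExp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    function Read-Value([string]$Path, [string]$Name) {
        # $null when the key or value is absent (policy "Not configured")
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # The two setup-class GUIDs from the thread (Printer and PNPPrinters)
    $printerClasses = @('{4658ee7e-f050-11d1-b6bd-00c04fa372a7}', '{4d36e979-e325-11ce-bfc1-08002be10318}')
    $allowed = @()
    if (Test-Path "$drv\AllowUserDeviceClasses") {
        # The policy stores one string value per class, named 1, 2, 3, ...
        $allowed = (Get-ItemProperty "$drv\AllowUserDeviceClasses").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value.ToLower() }
    }

    $checks = @(
        @{ Item  = '1. Devices: Prevent users from installing printer drivers (Disabled)'
           Value = Read-Value $lan 'AddPrinterDrivers'          # 1 = admins only, 0 = anyone
           Ok    = { param($v) $v -eq 0 } }
        @{ Item  = '2. Allow non-admins to install drivers for these setup classes (Enabled, both printer GUIDs)'
           Value = "$(Read-Value $drv 'AllowUserDeviceClasses') [$($allowed -join ',')]"
           Ok    = { param($v) (Read-Value $drv 'AllowUserDeviceClasses') -eq 1 -and
                     -not ($printerClasses | Where-Object { $_ -notin $allowed }) } }
        @{ Item  = '3. Point and Print Restrictions, computer side (Disabled)'
           Value = Read-Value $pp 'Restricted'
           Ok    = { param($v) $v -eq 0 } }
        @{ Item  = '4a. Point and Print Restrictions, user side (Disabled or not set) [assumed reading of item 4]'
           Value = Read-Value $uPP 'Restricted'
           Ok    = { param($v) $null -eq $v -or $v -eq 0 } }
        @{ Item  = '4b. Prevent addition of printers (not set) [assumed reading of item 4]'
           Value = Read-Value $uExp 'NoAddPrinter'
           Ok    = { param($v) $v -ne 1 } }
        @{ Item  = 'RDITA: RestrictDriverInstallationToAdministrators (0 only needed for Type 3 shares; absent or 1 keeps the PrintNightmare mitigation)'
           Value = Read-Value $pp 'RestrictDriverInstallationToAdministrators'
           Ok    = { param($v) $v -eq 0 } }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting       = $c.Item
            Value         = if ($null -eq $c.Value) { '(not set)' } else { $c.Value }
            MatchesThread = & $c.Ok $c.Value
        }
    }
}

# Usage on a workstation, as the affected domain user so HKCU reflects that user:
# gpupdate /force; Get-PrinterInstallPolicyState | Format-Table -Wrap
```

Read the RDITA row with care: MatchesThread is True only when the value is 0, which is the state Andy describes for Type 3 drivers and which removes the post-August-2021 protection on that workstation. If every share on the server uses a Type 4 driver, the expected and safer result for that row is "(not set)" or 1.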

AndrewAronoff-4978 answered

Here's the last piece of this puzzle – how to minimize use of the "RestrictDriverInstallationToAdministrators" (RDITA) value.

It has been reported elsewhere (though I can't find a link) that once the RDITA value has been added, the workstation rebooted, and a type 3 driver for a particular printer has been installed in one account, the RDITA value is no longer needed on that workstation for that printer to be installed or removed in any account.

For our domain, this simplifies things. We'll push the RDITA value to the workstations, install the single type 3 driver that we use to one account, and then push removal of the RDITA value to the workstations.

We now understand the principles of allowing domain users to install and uninstall printers: modify Group Policy with the 4 changes listed above and ensure that any printer added to the printer server has a Type 4 driver.

regards, Andy
