2

I'm working on overhauling how we manage printers in one environment. We have a print server where folks can hit \\servername and select the printer(s) desired. This works perfectly - no UAC prompts, trust prompts, etc.

I'd like to make use of the "Add Printer / Device" (DevicePairingWizard.exe) wizard so we can have multiple print servers display in the same window. It opens, but when a non admin attempts to add a printer it produces a UAC prompt. It only happens on printers that I don't already have a driver installed for.

This is specifically "Change Printing Settings" and references printui.exe \\servername\printer. If I cancel out it produces a 0x00000bcb for a missing driver.

The clients are Windows 10. Print server 2008r2, domain controllers 2012r2, domain level 2012r2, functional level the same.

I think the point and click restrictions are OK (based on the direct access to shares working) but the settings are as such, and defined under the computer object.

screenshot

What am I doing wrong here?

EDIT:

I have tried the "Disabled" point and print restrictions as @Ruscal and @yagmoth555 suggest without impact.

When I run the executable directly and without any arguments it still comes back with the UAC prompt. Looks like it's something embedded in the executable itself.

Looking at what this executable is supposed to do it should just pass through the command to the associated rundll command.

This fails with a UAC prompt. 

C:\windows\system32\printui.exe /gm /in /n "\\printserver.mydom.com\canon1"

This is the command (captured by sysinternals procmon) it executes when run with admin rights. This command will run correctly and install the printer even without elevated permissions. 

rundll32 printui.dll,PrintUIEntry /gm /in /n "\\printserver.mydom.com\canon1"
Tim Brigham
  • 15,465
  • 7
  • 72
  • 113
  • What operating systems/bit-level (server & client) are you working with? What is your domain level? Do you see the issue in the "Add Printer" wizard on the same machines where you could navigate to the UNC path and connect to the printer? Do you have any point-and-print changes in place (https://support.microsoft.com/en-us/help/2307161/point-and-print-restrictions-policies-are-ignored-in-windows-vista-sp2,-windows-server-2008-sp2,-and-later-windows-operating-systems) – Ruscal Apr 21 '17 at 19:44
  • @Ruscal I've added those details - just hadn't gotten to it yet. These errors are occurring within the add printer wizard. – Tim Brigham Apr 21 '17 at 19:47
  • Ohhh, shiny and new. I edited and asked one more Q about point-and-print (and threw a link bomb to MS Support that helped me with what is sounding like a similar issue). If point-print restrictions aren't the issue I'll have to dig a bit; but I'm certain I've run into this before (just have to guess how far back that was and find the notebook from then) – Ruscal Apr 21 '17 at 19:50
  • Did you setup point an click restriction to allow the driver installation ? (In computer's section, not user please, as in user the policy is ignored by newer's OS) – yagmoth555 Apr 21 '17 at 19:53
  • 1
    @yagmoth555 I think the restrictions are OK, but I've included a screenshot. – Tim Brigham Apr 21 '17 at 20:00
  • 1
    I think it must be disabled to disabled all prompt, as if I read that kb it seem that too; https://technet.microsoft.com/en-us/library/cc753269(v=ws.11).aspx – yagmoth555 Apr 21 '17 at 20:50
  • My notes show the same thing as @yagmoth555 - We were not intending for any restrictions, so we had to completely disable the Point-and-print GPO value (in the computers section specifically, but at that point make sure it's disabled for users as well). Once we disabled that value and GpUpdate /force (or rebooted) a couple times, it started acting right. – Ruscal Apr 21 '17 at 20:54
  • Thanks @yagmoth555 and Ruscal. Fix suggested doesn't resolve this particular issue. – Tim Brigham Apr 21 '17 at 21:17
  • 1
    Hi, a small follow up, can you test by removing KB3163912 from the Windows 10 to make a test ? I seen report that patch break the point and print restriction – yagmoth555 Apr 24 '17 at 13:55

1 Answers1

1

This is the key:

It only happens on printers that I don't already have a driver installed for.

If your print server already has drivers staged for all printers it is managing, your users won't actually have to 'install' anything, just instantiate a virtual printer thru the server. Thus, no UAC prompts.

This does mean you, as the printer server admin, have to "install" drivers for any new printers/print pools you set up. That's why they pay us the big money.

George Erhard
  • 804
  • 6
  • 12
  • 1
    Thank you George. I'm well aware the issue is from the drivers not being installed. The core question is why the printui executable is requiring admin rights when it shouldn't be. – Tim Brigham Apr 21 '17 at 21:19