Hello Folks,
Hopefully this post will help many out there who may struggle to emulate a Point-and-Print solution but without compromising the security of the corporate network.
For those new to the topic, Microsoft tightened the security of the printing subsystem as a result of a number of critical vulnerabilities, commonly referred to as PrintNighmare - details here. The fix consists in limiting driver installation to administrators only. To clarify, before the PrintNightmare security measures, end users were allowed to install printer drivers.
Given that lots of administrators have implemented Point-and-Print, this security measure broke printing for lots of organizations. Microsoft provided a workaround, which effectively cancels the security measures, by means of a Registry setting. It is well documented in various places such as this. Basically by implementing the Registry hack, you'd revert back your printing subsystem to its pre-patch, vulnerable state by allowing end users to install printer drivers.
The core of the problem is to get the drivers onto the client computers without user interaction.
This post is meant to address the following issues:
- Install printer drivers on users' computers.
- Eliminate security prompts and user interaction.
- Automate the process and centralize administration.
- Maintain security (no need to undo Microsoft's security measures via the Registry hack).
- Use only built-in tools pre-canned with the operating system.
CAVEAT: I do not claim by any means that it is a perfect solutions. There is plenty of room for improvement. Likely you'll have to adapt it to your needs in case you run a large, multi-department and/or geographically distributed environment. Make it suit your needs.
In a nutshell the process is as follows:
- Set up the print server: install drivers, create ports, install, configure and share printers (ensure they are published in Active Directory).
- Create a new GPO or nominate an existing one to distribute printers to users. Create shared printer definitions in User Configuration / Preferences / Control Panel Settings / Printers. Link it to the OU holding your users.
- Use item-level targeting to define who gets what printer. Also make sure that the process runs in the logged-on user's security context.
- On the print server, export device drivers to a shared folder that client computers can access.
- Create a new GPO or nominate an existing one to distribute a computer startup script. Link it to the OU holding your client computer objects.
- Reboot the client computers to make them run the computer startup script. The script imports the drivers that have been exported at point 4 above. It runs in the System security context, administrator by definition, therefore no security prompt is displayed.
- Users will be connected to their printers as defined in the GPO at point 2 above.
- A server-side script running on the print server that exports drivers.
- A client-side script running on client computers that imports pre-filtered drivers of shared printers.
- Create a folder to store the exported drivers, e.g. C:\SharedPrinterDrivers.
- Share the folder, e.g. Drivers$ (I like to create hidden shares for such things).
- Grant the Domain Computers security group Read permission at share and NTFS level.
- Create the driver export script and save it to folder, e.g. C:\Scripts\ExportSharedPrinterDrivers.ps1
- Create a scheduled task to run the driver export script on a regular basis.