Description of the Point and Print Restrictions policy setting in Windows Server 2003 and Windows XP (319939)
The information in this article applies to:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP 64-Bit Edition SP1
- Microsoft Windows Small Business Server 2003, Premium Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
This article was previously published under Q319939 SUMMARY If you are using Windows XP, you can use the Point and
Print functionality to print to shared printers that are hosted on computers
that are running Microsoft Windows NT 4.0, Microsoft Windows 2000, Windows XP,
and Windows Server 2003. If you use the Point and Print functionality to
connect to a shared printer, the print driver for that shared printer is
automatically downloaded to your workstation. This article describes how to use
the Point and Print Restrictions policy setting.
Note It is possible for malicious users to embed viruses or other
malicious code into a print driver. If you receive a damaged driver from a
shared printer, your computer may be compromised. MORE INFORMATION Windows Server 2003 and Windows XP Service Pack 1 (SP1)
include the Point and Print Restrictions policy setting. If you are an
administrator, you can use this policy setting to control the servers that
users can connect to for printing. This policy setting does not affect users
who are members of the Administrators group.
Additionally, this policy setting does not affect users who use the Point and
Print functionality with shared printers that are hosted by computers that are
running either Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98
Second Edition, or Microsoft Windows Millennium Edition (Me) (these platforms
cannot supply drivers). In this scenario, you must have Administrator rights to create connections. The Point and Print
Restrictions policy is located in the following location in Group Policy Object
Editor:
User Configuration\Administrative Templates\Control Panel\Printers
You can configure the Point and Print Restrictions Group Policy
setting in any of the following ways:
- If you set the policy setting to Enabled and you select the Users can only Point and Print to
machines in their Forest check box, users can use the Point and Print
functionality to select only computers that have active computer accounts in
the same forest as the user.
Note Cross-forest trust relationships are not supported by this policy
setting. This is so that this policy setting can be effective for shared
printers in Windows NT 4.0 and later environments. - If you set the policy setting to Enabled and you select the Users can only Point and Print to
these servers check box, users can use the Point and Print
functionality to select only the servers that are listed. When you add servers
to this list, you must use their fully qualified domain names (FQDNs) and use a
semi-colon (;) to separate the FQDNs, for example:
server1.domain1.microsoft.com;server2.domain1.microsoft.com To locate the FQDN of a server, click the Computer Name tab in System Properties. - If you set the policy to Enabled and you select both the Users can only Point and Print to
machines in their Forest check box and the Users can only
Point and Print to these servers check box, users can use the Point
and Print functionality to select any server in their forest and any servers
that are explicitly listed. You can use this configuration to grant the user
the ability to use the Point and Print functionality to select any server in
their forest and specific servers that are outside the forest.
- If you set the policy to Disabled, users can use the Point and Print functionality to select any
shared printer they have access to.
- By default, this policy setting is not configured. If you do not configure this policy setting, users cannot download Point and Print drivers from computers that are not in their Active Directory forest. The result of not configuring the setting is the same as enabling the policy and setting it to Users can only Point and Print to machines in their Forest.
- The policy can also be set under the following registry subkey:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value: InForest Type: REG_DWORD Data: 0 or 1 A setting of 0 disables this entry. A setting of 1 restricts printer access to printers in the forest.
Value: Restricted Type: REG_DWORD Data: 0 or 1 A setting of 0 disables this entry. A setting of 1 restricts all printers.
Value: TrustedServers Type: REG_DWORD Data: 0 or 1 A setting of 0 disables this entry. A setting of 1 allows printers from the servers in Server List.
Value: ServerList Type: String Data: Trusted server list separated by semicolons
If you try to connect to a shared printer that is running on a
computer that this policy setting does not permit you to access, Windows tries
to find and install the appropriate driver and the Driver.cab file on the your
local computer. If Windows cannot find a suitable driver, you receive the
following error message, which indicates that a policy setting is preventing
this action: A policy is in effect on your computer
which prevents you from connecting to this print queue. Please contact your
system administrator. Similarly, if you are using a computer that is not a member
of a domain, the computer is not subject to any of the
configurations of this policy setting. You receive the following
informational message:
You are about to connect to a printer on -SERVERNAME-, which will automatically install a print driver on your machine. Printer drivers may contain viruses or scripts that can be harmful to your computer. It is important to be certain that the computer sharing this printer is trustworthy. Would you like to continue?
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
314073
How to troubleshoot network printing problems in Windows XP
If you are a mobile user and you travel with your laptop
computer, Microsoft recommends that you either set this policy to Disabled or that you ask your administrator to give you administrative rights
on your computer so that you can connect to shared printers while you are
traveling. The following policy settings are related to the Point and
Print Restrictions policy setting:
- Policy setting: Add Workstations to Domain
Location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User
Rights Assignment - Policy setting: Prevent Users from Installing Printer
Drivers
Location: Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options
Modification Type: | Major | Last Reviewed: | 6/7/2004 |
---|
Keywords: | kbinfo kbprint KB319939 |
---|
|