Microsoft KB Archive/319939



Description of the Point and Print Restrictions policy setting in Windows Server 2003 and Windows XP

Article ID: 319939

Article Last Modified on 10/29/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP 64-Bit Edition SP1
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition



This article was previously published under Q319939

SUMMARY

If you are using Windows XP, you can use the Point and Print functionality to print to shared printers that are hosted on computers that are running Microsoft Windows NT 4.0, Microsoft Windows 2000, Windows XP, and Windows Server 2003. If you use the Point and Print functionality to connect to a shared printer, the print driver for that shared printer is automatically downloaded to your workstation. This article describes how to use the Point and Print Restrictions policy setting.

Note It is possible for malicious users to embed viruses or other malicious code into a print driver. If you receive a damaged driver from a shared printer, your computer may be compromised.

MORE INFORMATION

Windows Server 2003 and Windows XP Service Pack 1 (SP1) include the Point and Print Restrictions policy setting. If you are an administrator, you can use this policy setting to control the servers that users can connect to for printing. This policy setting does not affect users who are members of the Administrators group. Additionally, this policy setting does not affect users who use the Point and Print functionality with shared printers that are hosted by computers that are running either Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows Millennium Edition (Me) (these platforms cannot supply drivers). In this scenario, you must have Administrator rights to create connections.

The Point and Print Restrictions policy is located in the following location in Group Policy Object Editor:

User Configuration\Administrative Templates\Control Panel\Printers


You can configure the Point and Print Restrictions Group Policy setting in any of the following ways:

  • If you set the policy setting to Enabled and you select the Users can only Point and Print to machines in their Forest check box, users can use the Point and Print functionality to select only computers that have active computer accounts in the same forest as the user.

    Note Cross-forest trust relationships are not supported by this policy setting. This is so that this policy setting can be effective for shared printers in Windows NT 4.0 and later environments.
  • If you set the policy setting to Enabled and you select the Users can only Point and Print to these servers check box, users can use the Point and Print functionality to select only the servers that are listed. When you add servers to this list, you must use their fully qualified domain names (FQDNs) and use a semi-colon (;) to separate the FQDNs, for example:

    server1.domain1.microsoft.com;server2.domain1.microsoft.com

    To locate the FQDN of a server, click the Computer Name tab in System Properties.
  • If you set the policy to Enabled and you select both the Users can only Point and Print to machines in their Forest check box and the Users can only Point and Print to these servers check box, users can use the Point and Print functionality to select any server in their forest and any servers that are explicitly listed. You can use this configuration to grant the user the ability to use the Point and Print functionality to select any server in their forest and specific servers that are outside the forest.
  • If you set the policy to Disabled, users can use the Point and Print functionality to select any shared printer they have access to.
  • By default, this policy setting is not configured. If you do not configure this policy setting, users cannot download Point and Print drivers from computers that are not in their Active Directory forest. The result of not configuring the setting is the same as enabling the policy and setting it to Users can only Point and Print to machines in their Forest.
  • The policy can also be set under the following registry subkey:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

    Value: InForest
    Type: REG_DWORD
    Data: 0 or 1
    A setting of 0 disables this entry. A setting of 1 restricts printer access to printers in the forest.

    Value: Restricted
    Type: REG_DWORD
    Data: 0 or 1
    A setting of 0 disables this entry. A setting of 1 restricts all printers.

    Value: TrustedServers
    Type: REG_DWORD
    Data: 0 or 1
    A setting of 0 disables this entry. A setting of 1 allows printers from the servers in Server List.

    Value: ServerList
    Type: String
    Data: Trusted server list separated by semicolons
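The following PowerShell is an added example, not part of the original article. It reads the four values listed above and reports which Point and Print configuration they represent, flagging the Disabled state, an empty server list, and list entries that are not FQDNs. The function name, the messages and the FQDN check are assumptions, and it assumes Windows PowerShell is installed.

```powershell
# Added example; function name and messages are hypothetical. Value meanings follow the article.
function Get-PointAndPrintFinding {
    param([hashtable]$Values)   # empty or $null = key absent (policy not configured)

    if (-not $Values -or $Values.Count -eq 0) {
        return 'Not configured: same effect as the forest-only restriction.'
    }
    # A missing value casts to 0, which the article describes as "disables this entry".
    if ([int]$Values['Restricted'] -ne 1) {
        return 'WARNING: Restricted=0; users can Point and Print to any shared printer they can access.'
    }
    $findings = @()
    if ([int]$Values['InForest'] -eq 1) {
        $findings += 'Allowed: servers with active computer accounts in the same forest as the user.'
    }
    if ([int]$Values['TrustedServers'] -eq 1) {
        # ServerList is one string of FQDNs separated by semicolons.
        $servers = @("$($Values['ServerList'])".Split(';') |
                     ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($servers.Count -eq 0) {
            $findings += 'WARNING: TrustedServers=1 but ServerList is empty.'
        }
        foreach ($s in $servers) {
            # Heuristic FQDN check (assumption): at least two dot-separated labels.
            if ($s -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { $findings += "Allowed: $s" }
            else { $findings += "WARNING: '$s' is not an FQDN; the article requires FQDNs." }
        }
    }
    if ($findings.Count -eq 0) {
        $findings += 'Restricted=1 with InForest=0 and TrustedServers=0: no server is allowed by forest or list.'
    }
    return $findings
}

# Read the current user's policy values from the subkey named in the article.
$key = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$values = @{}
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Restricted', 'InForest', 'TrustedServers', 'ServerList') {
        if ($props -and $props.PSObject.Properties[$name]) { $values[$name] = $props.$name }
    }
}
Get-PointAndPrintFinding $values

# Constructed sample (not from a real machine): server list enabled, one entry is a short name.
Get-PointAndPrintFinding @{ Restricted = 1; InForest = 0; TrustedServers = 1; ServerList = 'server1.domain1.microsoft.com;printsrv02' }
```

Because the policy is stored under HKEY_CURRENT_USER, run the check in the context of the user whose policy you want to inspect.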

If you try to connect to a shared printer that is running on a computer that this policy setting does not permit you to access, Windows tries to find and install the appropriate driver and the Driver.cab file on your local computer. If Windows cannot find a suitable driver, you receive the following error message, which indicates that a policy setting is preventing this action:

A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator.

Similarly, if you are using a computer that is not a member of a domain, the computer is not subject to any of the configurations of this policy setting. You receive the following informational message:

You are about to connect to a printer on -SERVERNAME-, which will automatically install a print driver on your machine. Printer drivers may contain viruses or scripts that can be harmful to your computer. It is important to be certain that the computer sharing this printer is trustworthy. Would you like to continue?


For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

314073 How to troubleshoot network printing problems in Windows XP


If you are a mobile user and you travel with your laptop computer, Microsoft recommends that you either set this policy to Disabled or that you ask your administrator to give you administrative rights on your computer so that you can connect to shared printers while you are traveling.

The following policy settings are related to the Point and Print Restrictions policy setting:

  • Policy setting: Add Workstations to Domain

    Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  • Policy setting: Prevent Users from Installing Printer Drivers

    Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options


Keywords: kbinfo kbprint kbproductlink KB319939