Comodo and PrintNightmare / Deploying printers with GPO or similar

Help & Support Contact Xcitium
1

Hello there,

Microsoft made the change to printer in July, 2021 and locked down printers / gpo and installing them

!!! As of September 2021, Microsoft’s requirement to download the print driver software from the server is administrative access on the client system. When the logged on user is not in the local Administrators group, the connection to the shared printer is not added.!!!

I am new to Python Procedures and did not know if Comodo had a solution here?

I need to deploy 25 networked printers across 100 systems in a large production facility. You used to be able to just setup a GPO to do this but now it is very complex. It all comes down to
the active user not able to install the printer unless the Admin does it. Since Comodo already has our Admin credentials, has anyone come up with a way to do this through your software?

I currently have all my printers accessible from the print server but they need to be manually loaded per user per printer. This will be a huge messy time sink.

What I wanted to do was create a GPO per department (which ties them to specific printers) and when the user logs in, the GPO fires off for them and verifies and adds/updates their printer list accordingly.
As of right now the stopping criteria

When deploying printers via GPO, the Solution was this -

Windows 2000, XP and 2003 all have the capability to install a printer and have it globally available to all users (Similar to the way printers worked in the old Windows 95/98 days). Unfortunately the Add Printer wizard does not expose this functionality and only adds the printer for the current user. The command-line needs to be used to install and expose a printer globally. The process is as follows:

  • Log on to the workstation as an Administrator
  • Start→Run and enter “cmd” then press OK
  • Type rundll32 printui.dll,PrintUIEntry /ga /n\\server\printer where server and printer make up the correct UNC path to the printer.
  • Restart the spooler service with the commands:
    • net stop spooler
    • net start spooler
  • The printer should now be listed and available to all users that log onto the workstation.
Users with local admin rights run gpudpate successfully, normal users run gpupdate get an error "windows could not apply deployed printer..."

If there was a way to run a script to

set RestrictDriverInstallationToAdministrators to 0
Look at GPO for deprtment / printers install as needed
set RestrictDriverInstallationToAdministrators to 1

Thanks,
EH