Allow Windows 7 Clients to Install Network Printer Drivers Without Providing Admin Credentials

Domain users on Windows 7 machines are normally prompted for administrator password when installing network print drivers. If you trust drivers on your own server and don't want to receive support calls every time user installs a network printer you can disable this behaviour using Group Policy:

Computer Configuration > Policies > Administrative Templates > Printers > Point and Print Restrictions
Set policy to Disabled.


Windows 7 displays "please wait" during group policy software installation

Windows XP workstations during GPO software installation normally displays "Installing managed software [Software-Name]"
Installing managed software

Windows 7, however, by default only shows "Please Wait"
Windows 7 - "Please Wait"
I prefer more informative Windows XP approach. Users are less likely to complain about slow boot times when they see that computer is actually doing something, e.g. installing software.
It also helps troubleshooting problems – It’s much easier to understand what’s gone wrong when user says "computer stuck Installing Adobe Rader X", rather than "computer stuck while displaying <<please wait>> message".

To return "Installing managed software" in Windows 7 use Group Policy:
Computer Configuration > Administrative Templates > System enable "Verbose vs normal status messages"

This will not only return "Installing managed software" message, but make both Windows XP and Windows 7 to display detailed information during each step in the process of starting, shutting down, logging on, or logging off the system.

Windows 7 machines fail to apply software installation group policy on startup

Background:

Windows Active Directory Domain
Windows Server 2003R2 and Server 2008R2 Domain Controllers
Windows XP SP3 and Windows 7 SP1 workstations


Problem:

Windows 7 workstations don’t process group policy software installation at all, or process intermittently. This doesn’t affect Windows XP machines.

Following Events are recorded Windows System Logs:

Event ID: 5719
Level: Error
Source: NetLogon
Description:
This computer was not able to set up a secure session with a domain controller in domain [domain-name] due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

Event ID: 1129
Level: Error
Source: GroupPolicy
Description:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Event ID: 101
Level: Warning
Source: Application Management Group Policy
Description:
The assignment of application [application name] from policy [policy name] failed.  The error was : %%1274

Event ID: 103
Level: Error
Source: Application Management Group Policy
Description:
The removal of the assignment of application [application name] from policy [policy name] failed.  The error was : %%2


Solution:

The problem seems to be caused by a delay in initializing network and locating domain controllers. To resolve the issue we need to give system more time to initiate network before proceeding with the logon process.

First of all try to enable "Always wait for the network at computer startup and logon" via group policy. This option is located in:
Computer Configuration > Administrative Templates > System > Logon
In our situation this option was already turned on.

Issue was fixed by enabling "Startup Policy Processing Wait Time" and setting wait time value to 10 seconds.
You may need to experiment with time-out values. Although in our situation 10 second was enough fix the problem, you may need to specify higher value.
Enabling this option will increase client’s login time by specified number of seconds only if computer is genuinely disconnected from the network. In normal circumstances Windows will constantly check the connection status and as soon as it detects that link is up will immediately proceed with the logon process.

There are two ways to enable this option:
  • Group Policy
    Computer Configuration > [Policies] > Administrative Templates > System >Group Policy > Startup Policy Processing Wait Time – Enable the option and set wait time to 10 - 60 seconds
    Note 1: This option is only supported by Windows Vista and later clients and may be not present on Server 2003 domain controllers
    Note 2: Group policy description tells that the default wait time is 30 seconds, which obviously raises the question how setting time-out to less than 30 seconds can fix the problem. It seems that default 30 seconds interval is not always used and Windows often employs its own algorithms to calculate the time-out (if it's not enforced by Group Policy or Registry)

  • Registry
    On Client Computer:
    1. Start > Regedit.exe
    2. Navigate to  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    3. Create New DWORD value with name GpNetworkStartTimeoutPolicyValue and set Value data (decimal) to the required timeout interval in seconds
    4. Restart the computer


Install / Enable Group Policy Management Console (GPMC) on Windows Server 2008 R2

  1. Start > All Programs > Administrative Tools > Server Manager
    Open Server Manager
  2. Select Features. Then click on Add Features
    Select FeaturesAdd Features
  3. Select Group Policy Management > Next > Install
    Inatall Group Policy Management

Newsletter

Subscribe to receive occasional updates on new posts.
Your email will not be used for any other purpose and you can unsubscribe at any time.
Please wait