Whenever you are getting this error, prepare for some headaches as it is not really something easy to fix due to a few additional modifications you have to make, especially if you can’t provide some administrative rights. The thing is that it could be very simple to fix by adding a user to the power users/administrators group, even if for a temporary period until you can add the printer but this depends on the type of computer you are running and if you are a simple user or a system/network administrator.
The message “A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator“ appears when you are accessing a shared network printer that is installed on a Microsoft Windows 2000 Server running operating system print server or when you are trying to install the shared network printer on a computer from within a Windows domain and sometimes even when installing such a shared network printer on a computer running an operating system like Windows XP SP1 or Windows Server 2003.
The message is a bit different but with a similar reference to policy based restriction when trying to install a printer using “add printer wizard” on a Windows 2003 Server: “Unable to Install Printer. The printer driver is not compatible with a policy enabled on your computer that blocks Windows NT 4.0 drivers. If you want to use this driver, contact your system administrator about disabling this policy”.
To make it more simple about the actual security measure behind this and why you cannot install it, I will tell you that this is happening due to a restriction in Windows (XP and Server 2003) which blocks the installation of printer drivers, to be more specific third-party printer drivers to non-administrator accounts. All users, including power users are restricted from such actions and the result of this is the above error which is the focus of this article too.
In order to overcome this, you will have to add the printer as an administrator, add the user with whom you are trying to install the printer to the administrators group list or add the user to the Power Users group list BUT also at the same time provide rights to the “Load and unload device drivers” policy permissions.
All this can easily be done from a “compmgmt.msc” without the quotes, except for the last part with the “Load and unload device drivers” which I will cover a bit later, being done from Local Computer Policy .
The only hard part in here will be to decide if this is good or accepted in your company (assuming that you are a network or a system administrator – else you will have to contact one of them), even if for a temporary period like 5 minutes until you add the printer. There is no other way if this is the true culprit, as there are other possible situations but very less likely and not worth mentioning.
First to know, this error will never happen if you install the printer from an administrator account, but it is not the case, if you are reading this.
The best and less risky method to deal with this while avoiding the pass of such important credentials, like administrator rights to a user, is to simply add the user facing this problem to the Power Users group. As soon as you did this, we have to add permissions to the “Load and unload device drivers” policy for the same user or even better: add the whole Power Users group so you won’t have to change it again if another user will ever login on the same computer. This can also be done with the help of a GPO on the domain, from the Active Directory Users and Computers but for that you can consult the link provided by the official documentation for such cases, that I will add at the end of this article. What I can recommend is that if you can, change the policies locally only on the computer needed, unless you have multiple requests.
All that follows from here further will be done on the computer of the user having the problem, where you cannot install the printer.
Use a runas command prompt window as an administrator to open a mmc console – you can also find how to do this by checking this article where we had to open “compmgmt.msc” instead of “mmc” with administrator rights: http://compinfopro.com/the-security-log-on-this-system-is-full/ or simply open the “gpedit.msc” without the quotes with administrator rights on the computer where you face the main problem presented in this article.
After you have opened the cmd with administrator rights, type in mmc and press enter. In the console window opened use the File – Add/Remove Snap in. In the Standalone tab, use the Add button and select “Group Policy Object Editor” and confirm with OK, as you can see below:
One last step before using it, confirm with Finish, and let the default settings:
A new instance will be added to the MMC Console called Local Computer Policy. After you press OK, you will have to expand it.
At this step, we are exactly the same as if you would have used “gpedit.msc” from a run or command prompt window running as administrator and even a shortcut of gpedit.msc on which you right clicked and selected the runas and gave credentials to an administrator. This is a more “on the book” approach comparing to all the shortcuts.
Navigate to Windows Settings – Security Settings – Local Policies – User Rights Assignment and find this key: Load and unload device drivers.
Double click Load and unload device drivers, select “Add user or group” and add either the username of the user with the main problem presented in this article, which you also added to the Power Users group, or simply add the Power Users group so you won’t have to do this again for any future user on this computer, as long as you will add future users to Power Users, even if just for the duration of the installation.
You will have to modify Object type from Users to also contain Groups (click Object Types and check the checkbox for Groups, by default is only User and Built-in security principals) if you want to add Power Users group, and also change from domain at “From this location” to the local computer name.
To add the Power Users, click on Locations and scroll up max until you skip all domain available, first one should be your computer name, select it and confirm with OK, then one more OK to confirm the menu in above screen. As you can see, due to security risks I had to remove my computer name and no other timely way to add a computer so you can actually see it in my print screen.
Confirm with Apply and OK. Now you should have this in your local group policies window:
You will need to reboot your computer, usually it doesn’t work without a log off/login at least but to be sure, reboot it to update the permissions and then try to add the printer. As long as the user is still added to the Power Users group and either the Power Users group or the user name is added to the Load and unload device drivers permissions in the Local Group Policy on the computer, you should be able to add the shared network printer now.
Do not forget after you have added the printer, to remove the user from the Power Users group.
One more thing to add, when you will close the MMC Console, a question will pop up, if you say no there will be no saving, if you say yes, the Local Computer Policy will be saved as a Snap In to the MMC Console, so you won’t have to do those steps next time, with the File and Add/Remove Snap In. Saving it is usually a better alternative. You never know when you will be back. There is no need to save it for the settings to be applied in case this is what you had in mind and you never used MMC before. Your permissions on “Load and unload device drivers” will be SAVED no matter what you select in below console question when you will be closing it:
I suggest you to use this way, instead of the risky one to add them to the administrators group, which would also work without any other need to add them to the Load and unload device drivers permissions. That is not recommended unless you want to pay with a part of your salary or maybe even worse if something bad happens and security protocols are instated, like no user should be able to install/configure software on their computers, only system/network administrators, this being only the case for companies and worst scenarios when they actually do something bad with the rights after they get it, with or without intention. Never underestimate your users, nor trust them too much.
I won’t cover the changes you need to do to the Windows 2003 Server as they are included in the official documentation available here http://support.microsoft.com/kb/888046 – and also I see no need as the focus of the article was if the error happens when you are trying to add a network shared printer to a user, and users mostly use Windows XP or higher version, but I will help you if you encounter any problems in applying them, just contact me.