Windows Server 2003 and Windows XP Service Pack 1 (SP1) include the Point and Print Restrictions policy setting. If you are an administrator, you can use this policy setting to control the servers that users can connect to for printing. This policy setting does not affect users who are members of the Administrators group. Additionally, this policy setting does not affect users who use the Point and Print functionality with shared printers that are hosted by computers that are running either Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows Millennium Edition (Me) (these platforms cannot supply drivers). In this scenario, you must have Administrator rights to create connections.
The Point and Print Restrictions policy is located in the following location in Group Policy Object Editor:
User Configuration\Administrative Templates\Control Panel\Printers
You can configure the Point and Print Restrictions Group Policy setting in any of the following ways:
- If you set the policy setting to Enabled and you select the Users can only Point and Print to machines in their Forest check box, users can use the Point and Print functionality to select only computers that have active computer accounts in the same forest as the user.
Note Cross-forest trust relationships are not supported by this policy setting. This is so that this policy setting can be effective for shared printers in Windows NT 4.0 and later environments.
- If you set the policy setting to Enabled and you select the Users can only Point and Print to these servers check box, users can use the Point and Print functionality to select only the servers that are listed. When you add servers to this list, you must use their fully qualified domain names (FQDNs) and use a semicolon (;) to separate the FQDNs. Also, you cannot put any spaces between the FQDNs and the semicolon (;). For example:
server1.domain1.microsoft.com;server2.domain1.microsoft.com
To locate the FQDN of a server, click the Computer Name tab in System Properties.
- If you set the policy to Enabled and you select both the Users can only Point and Print to machines in their Forest check box and the Users can only Point and Print to these servers check box, users can use the Point and Print functionality to select any server in their forest and any servers that are explicitly listed. You can use this configuration to grant the user the ability to use the Point and Print functionality to select any server in their forest and specific servers that are outside the forest.
- If you set the policy to Disabled, users can use the Point and Print functionality to select any shared printer they have access to.
- By default, this policy setting is not configured. If you do not configure this policy setting, users cannot download Point and Print drivers from computers that are not in their Active Directory forest. The result of not configuring the setting is the same as enabling the policy and setting it to Users can only Point and Print to machines in their Forest.
- The policy can also be set under the following registry subkey:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value: InForest
Type: REG_DWORD
Data: 0 or 1
A setting of 0 disables this entry. A setting of 1 restricts printer access to printers in the forest.
Value: Restricted
Type: REG_DWORD
Data: 0 or 1
A setting of 0 disables this entry. A setting of 1 restricts all printers.
Value: TrustedServers
Type: REG_DWORD
Data: 0 or 1
A setting of 0 disables this entry. A setting of 1 allows printers from the servers in Server List.
Value: ServerList
Type: String
Data: Trusted server list separated by semicolons
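The following PowerShell audit is an added example, not part of the original article or any Microsoft tooling. It checks the registry values listed above for the formatting rules this article states (0 or 1 data, semicolon-separated FQDNs with no spaces). The function names are hypothetical, the FQDN shape check is a simplifying assumption, and the sample data is constructed.

```powershell
# Added example. Key path and value names are the ones documented above.
$KeyPath = 'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Names   = 'InForest', 'Restricted', 'TrustedServers', 'ServerList'

# Hypothetical helper: read whichever of the documented values are present.
function Get-PointAndPrintValues {
    $values = @{}
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $Names) {
            $prop = $item.PSObject.Properties[$name]
            if ($prop) { $values[$name] = $prop.Value }
        }
    }
    $values
}

# Hypothetical helper: return one string per formatting problem found.
function Test-PointAndPrintValues {
    param([hashtable]$Values)
    $findings = @()
    foreach ($name in 'InForest', 'Restricted', 'TrustedServers') {
        if ($Values.ContainsKey($name) -and ((0, 1) -notcontains $Values[$name])) {
            $findings += "$name should be 0 or 1, found '$($Values[$name])'"
        }
    }
    [string]$list = $Values['ServerList']
    if ($Values['TrustedServers'] -eq 1 -and -not $list) {
        $findings += 'TrustedServers is 1 but ServerList is empty'
    }
    if ($list -match '\s') {
        $findings += 'ServerList contains whitespace; no spaces are allowed around the semicolons'
    }
    if ($list) {
        # Assumption: a dotted-label shape check stands in for "is an FQDN".
        $fqdn = '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$'
        foreach ($entry in $list.Split(';')) {
            $e = $entry.Trim()
            if (-not $e) { $findings += 'ServerList has an empty entry (stray semicolon)' }
            elseif ($e -notmatch $fqdn) { $findings += "'$e' is not a fully qualified domain name" }
        }
    }
    $findings
}

# Constructed sample data, not taken from a real system.
$sample = @{ InForest = 1; Restricted = 1; TrustedServers = 1
             ServerList = 'server1.domain1.microsoft.com; server2.domain1.microsoft.com;printsrv' }
Test-PointAndPrintValues -Values $sample
# On a live client: Test-PointAndPrintValues -Values (Get-PointAndPrintValues)
```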
If you try to connect to a shared printer that is running on a computer that this policy setting does not permit you to access, Windows tries to find and install the appropriate driver and the Driver.cab file on your local computer. If Windows cannot find a suitable driver, you receive the following error message, which indicates that a policy setting is preventing this action:
A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator.
Note This message also occurs when you use OEM print drivers if the reverse lookup zone for the print server is not working correctly, and if the client cannot resolve the IP address of the print server to the fully qualified domain name (FQDN). If the NSLOOKUP <IP_Address_Of_Printserver> command does not resolve a server name, the client cannot resolve the IP address of the print server to the FQDN.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
323445 How to create a new zone on a DNS Server in Windows Server 2003