Description of the Point and Print Restrictions policy setting in Windows Server 2003 and Windows XP

Article ID: 319939
This article was previously published under Q319939

SUMMARY

If you are using Windows XP, you can use the Point and Print functionality to print to shared printers that are hosted on computers that are running Microsoft Windows NT 4.0, Microsoft Windows 2000, Windows XP, and Windows Server 2003. If you use the Point and Print functionality to connect to a shared printer, the print driver for that shared printer is automatically downloaded to your workstation. This article describes how to use the Point and Print Restrictions policy setting.

Note It is possible for malicious users to embed viruses or other malicious code into a print driver. If you receive a damaged driver from a shared printer, your computer may be compromised.

MORE INFORMATION

Windows Server 2003 and Windows XP Service Pack 1 (SP1) include the Point and Print Restrictions policy setting. If you are an administrator, you can use this policy setting to control the servers that users can connect to for printing. This policy setting does not affect users who are members of the Administrators group. Additionally, this policy setting does not affect users who use the Point and Print functionality with shared printers that are hosted by computers that are running either Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows Millennium Edition (Me) (these platforms cannot supply drivers). In this scenario, you must have Administrator rights to create connections.

The Point and Print Restrictions policy is located in the following location in Group Policy Object Editor:
User Configuration\Administrative Templates\Control Panel\Printers
You can configure the Point and Print Restrictions Group Policy setting in any of the following ways:
  • If you set the policy setting to Enabled and you select the Users can only Point and Print to machines in their Forest check box, users can use the Point and Print functionality to select only computers that have active computer accounts in the same forest as the user.

    Note Cross-forest trust relationships are not supported by this policy setting. This is so that this policy setting can be effective for shared printers in Windows NT 4.0 and later environments.
  • If you set the policy setting to Enabled and you select the Users can only Point and Print to these servers check box, users can use the Point and Print functionality to select only the servers that are listed. When you add servers to this list, you must use their fully qualified domain names (FQDNs) and use a semicolon (;) to separate the FQDNs. Also, you cannot put any spaces between the FQDNs and the semicolon (;). For example:
    server1.domain1.microsoft.com;server2.domain1.microsoft.com
    To locate the FQDN of a server, click the Computer Name tab in System Properties.
  • If you set the policy to Enabled and you select both the Users can only Point and Print to machines in their Forest check box and the Users can only Point and Print to these servers check box, users can use the Point and Print functionality to select any server in their forest and any servers that are explicitly listed. You can use this configuration to grant the user the ability to use the Point and Print functionality to select any server in their forest and specific servers that are outside the forest.
  • If you set the policy to Disabled, users can use the Point and Print functionality to select any shared printer they have access to.
  • By default, this policy setting is not configured. If you do not configure this policy setting, users cannot download Point and Print drivers from computers that are not in their Active Directory forest. The result of not configuring the setting is the same as enabling the policy and setting it to Users can only Point and Print to machines in their Forest.
  • The policy can also be set under the following registry subkey:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint


    Value: InForest
    Type: REG_DWORD
    Data: 0 or 1
    A setting of 0 disables this entry. A setting of 1 restricts printer access to printers in the forest.

    Value: Restricted
    Type: REG_DWORD
    Data: 0 or 1
    A setting of 0 disables this entry. A setting of 1 restricts all printers.

    Value: TrustedServers
    Type: REG_DWORD
    Data: 0 or 1
    A setting of 0 disables this entry. A setting of 1 allows printers from the servers in Server List.

    Value: ServerList
    Type: String
    Data: Trusted server list separated by semicolons
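
The value ranges and the ServerList format rules above (FQDNs only, semicolon-separated, no spaces) can be checked mechanically before a policy is deployed. The following PowerShell is an added example, not part of the original article; `Test-PointAndPrintPolicy` is a hypothetical helper name and the sample values are constructed.

```powershell
# Added example: lint the Point and Print Restrictions values described above.
# Test-PointAndPrintPolicy is a hypothetical helper name, not a Windows cmdlet.
function Test-PointAndPrintPolicy {
    param([hashtable]$Policy)
    $findings = @()
    # The three DWORD switches may only hold 0 or 1.
    foreach ($name in 'InForest', 'Restricted', 'TrustedServers') {
        if ($Policy.ContainsKey($name) -and ((0, 1) -notcontains $Policy[$name])) {
            $findings += "$name must be 0 or 1, found '$($Policy[$name])'"
        }
    }
    $list = [string]$Policy['ServerList']
    $servers = @()
    if ($list -ne '') {
        # The article forbids spaces between the FQDNs and the semicolons.
        if ($list -match '\s') { $findings += 'ServerList contains whitespace' }
        foreach ($entry in $list.Split(';')) {
            $fqdn = $entry.Trim()
            if ($fqdn -eq '') { $findings += 'ServerList has an empty entry'; continue }
            # An FQDN has at least two dot-separated labels (letters, digits, hyphens).
            if ($fqdn -notmatch '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$') {
                $findings += "ServerList entry '$fqdn' is not an FQDN"
            }
            $servers += $fqdn.ToLower()
        }
    }
    # TrustedServers and ServerList only make sense together.
    if (($Policy['TrustedServers'] -eq 1) -and ($servers.Count -eq 0)) {
        $findings += 'TrustedServers is 1 but ServerList is empty'
    }
    if (($Policy['TrustedServers'] -ne 1) -and ($servers.Count -gt 0)) {
        $findings += 'ServerList is set but TrustedServers is not 1'
    }
    New-Object PSObject -Property @{ Servers = $servers; Findings = $findings }
}

# Constructed sample values, not read from a real machine. On a live system,
# build the hashtable from Get-ItemProperty on the subkey named in the article.
$sample = @{
    InForest       = 1
    Restricted     = 1
    TrustedServers = 1
    ServerList     = 'server1.domain1.microsoft.com; server2.domain1.microsoft.com;PRINTSRV'
}
$result = Test-PointAndPrintPolicy -Policy $sample
$result.Findings
```
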
If you try to connect to a shared printer that is running on a computer that this policy setting does not permit you to access, Windows tries to find and install the appropriate driver and the Driver.cab file on your local computer. If Windows cannot find a suitable driver, you receive the following error message, which indicates that a policy setting is preventing this action:
A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator.
Note This message also occurs when you use OEM print drivers if the reverse lookup zone for the print server is not working correctly, and if the client cannot resolve the IP address of the print server to the fully qualified domain name (FQDN). If the NSLOOKUP <IP_Address_Of_Printserver> command does not resolve a server name, the client cannot resolve the IP address of the print server to the FQDN.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
323445 How to create a new zone on a DNS Server in Windows Server 2003
Similarly, if you are using a computer that is not a member of a domain, the computer is not subject to any of the configurations of this policy setting. You receive the following informational message:
You are about to connect to a printer on -SERVERNAME-, which will automatically install a print driver on your machine. Printer drivers may contain viruses or scripts that can be harmful to your computer. It is important to be certain that the computer sharing this printer is trustworthy. Would you like to continue?
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
314073 How to troubleshoot network printing problems in Windows XP
If you are a mobile user and you travel with your laptop computer, Microsoft recommends that you either set this policy to Disabled or that you ask your administrator to give you administrative rights on your computer so that you can connect to shared printers while you are traveling.

The following policy settings are related to the Point and Print Restrictions policy setting:
  • Policy setting: Add Workstations to Domain
    Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  • Policy setting: Prevent Users from Installing Printer Drivers
    Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Properties

Article ID: 319939 - Last Review: April 1, 2010 - Revision: 11.0
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP 64-Bit Edition SP1
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Keywords: 
kbproductlink kbinfo kbprint KB319939
