Add Printer Wizard can create non-functioning printer when user is not an Administrators member.

  • 3745571
  • 05-Dec-2006
  • 27-Apr-2012

Environment

Novell Client for Windows 2000/XP/2003 4.91
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 1
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 2
Novell Distributed Print Services (NDPS)

Situation

In some cases, when a user that is only a Windows "Users" group member uses the Add Printer Wizard to install an NDPS printer, the printer creation appears to succeed but the resulting printer does not work and/or causes the spooler service to crash.

Resolution

Resolved in updated NDPPNT.DLL dated 01Dec2006 or later. The change made to resolve this issue was to not elevate the rights of the user running the Add Printer Wizard by default. As such, by default only users who actually have the permissions required to add a Windows printer to the workstation will be able to install an NDPS printer using the Add Printer Wizard.

In addition, updated NDPPNT.DLL is querying for a new registry-based policy when the Add Printer Wizard is used. The name and default value of which are as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Print\NDPS\Use User's Rights]
"Use User's Rights"=dword:00000001

If this registry key does not exist at the time the Add Printer Wizard is executed, it will be created with the default value data shown above. The value is re-read each time the Add Printer Wizard is executed, which allows it to be changed "on the fly" without having to shut down or restart the print spooler or Windows machine.

When "Use User's Rights" has a value of 0x00000001, NDPPNT.DLL will call the NDPS library in a manner that will use the interactive user's Windows permissions when trying to copy the printer driver in the appropriate SYSTEM32 subdirectories and registry locations. If the interactive user has only limited rights to the Windows machine, the attempt to install the Windows printer driver will fail and the Add Printer Wizard will fail according to the "access denied" condition.

When "Use User's Rights" has a value of 0x00000000, NDPPNT.DLL will utilize the SPOOLSV/SPOOLSS service's rights when installing the downloaded printer driver. This allows regular "Users"-group members to potentially install printers even though they don't have rights to install drivers themselves. (This scenario is also referred to in Windows as a "user printer connection", and results in a printer that is defined only in HKEY_CURRENT_USER.)

So the new policy & its default value are intended to prevent non-Administrators users from being able to successfully use the Add Printer Wizard, which in turn prevents any chance of the Add Printer Wizard creating a non-functioning "user printer connection" entry by default. Environments that actually know "user printer connections" were working in their particular configuration can still override this policy to revert to allowing these attempts.

The NDPS printer support in the Novell Client for Windows does not fully support Windows "user printer connections", and depending upon the specific printer driver and workstation configuration involved, "user printer connections" can result in symptoms like those cited at the beginning of this document. For other printer drivers and configurations, "user printer connections" may happen to work successfully, even though NDPS does not fully support them.

A non-Add Printer Wizard-based method of distributing NDPS printers to users who do not have full permissions to the Windows machine would be to use NDPS Remote Printer Management (RPM). NDPS RPM does not create "user printer connections", even when the interactive user does not have full permissions to the Windowsmachine. RPM creates regular workstation installed printer entries, which are not subject to any issues that may occur with"user printer connections".

Novell does support Windows "user printer connections" in the Novell iPrint client. The full support of "user printer connections" was just never present in the NDPS client support that is part of the Novell Client for Windows. If its imperative that Windows "user printer connections" are possible, Novell recommends using the Novell iPrint client.

Additional Information

Prior to Novell Client 4.91 SP1, the Add Printer Wizard code in NDPPNT.DLL was preventing non-Administrators users from being able to create a Windows "user printer connection".

In response to customer requests, this default was changed in 4.91 SP1 in order to allow the attempt to create a "user printer connection", in preference to those customer environments where such printer installations actually happened to be working successfully. (Due to the specific printer drivers involved and other workstation configuration factors.)

The change documented in this TID (and implemented in NDPPNT.DLL dated 01Dec2006 or later) effectively reverses the changes made to the 4.91 SP1 client. Again in response to customer requests, Novell is returning NDPPNT.DLL to the default of"don't attempt to create user printer connections".

However, the registry-based policy has now been added which permits those customer environments where "user printer connections" are working satisfactorily to change the default according to their own site preference. (By setting "Use User's Rights"=dword:00000000 on each machine where non-Administrators users are expected to be able to still attempt installing an NDPS printer using the Add Printer Wizard.)

So environments that are not yet ready to move to iPrint (where Windows "user printer connections" are supported) can still attempt to utilize "user printer connections" with NDPS, by overriding the default of the new policy added to NDPPNT.DLL. But the default behavior of this policy, as of the NDPPNT.DLL dated 01Dec2006, will be to not allow non-Administrators users to attempt creating "user printer connections".