If you’re wondering why standard users can’t print (and only administrators can) especially after relocating your
TEMP folder on your Windows computer, this article has the explanation and a fix.
Moving your Temp folder can sometimes cause printing issues in Windows, depending upon how the Permissions are set in the destination folder or drive. After changing your TEMP or TMP user environment variables to move your Temp folder to a different drive, the new Temp folder inherits the permissions from the parent, often resulting in missing NTFS Permissions for your user account.
After moving the TEMP folder, running the command “
ICACLS %TEMP%” from Command Prompt typically shows the Permission entries as below, or slightly similar:
BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
There are two things here. Your user account is missing from the list. Also, Authenticated Users and Users have Modify and Read/Execute accesses for your TEMP folder, which are not required. With the above Permissions, the following problems occur:
- The test page doesn’t print from the standard user token, even if you’re an administrator. Elevated programs can print.
- Microsoft Print to PDF generates a 0-byte file or does nothing when printed as a standard user.
In short, the following are the Permission entries we really need.
NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) W10-PC\Ramesh:(OI)(CI)(F)
*where Ramesh, in this example, is the user name.
Fix: Printing Works Only for Administrators
Here is how to fix the Permissions for the TEMP folder so that even non-administrators/Users can print.
Fix the TEMP folder Permissions
Open an elevated or Admin Command Prompt.
Type the following commands exactly as given below, and press ENTER after each command:
icacls %temp% /inheritance:r icacls %temp% /grant %username%:(OI)(CI)F /T /C icacls %temp% /grant Administrators:(OI)(CI)F /T /C icacls %temp% /grant System:(OI)(CI)F /T /C md %temp%\Low icacls %temp%\Low /setintegritylevel (OI)(CI)low
The first command removes all inherited Permissions for the TEMP folder. The next three commands are to grant Administrators, SYSTEM, and your user account Full Control Permissions recursively (including sub-folders and files). And the last command sets the integrity level of “
%TEMP%\Low” folder to Low Mandatory Integrity Level so that the folder can be accessed by programs running in low IL, like Internet Explorer. This needs to be set in order to avoid printing issues in Web browsers, like Internet Explorer.
Now you get this result when running “
ICACLS %TEMP%“, which is exactly what we need.
That should fix printing issues related to incorrect NTFS Permissions. You can, of course, configure the same Permissions using Permissions dialog via Temp folder properties, but I personally prefer Icacls because it’s a quicker way to accomplish the task. If you’re doing it using the Permissions tab, it should eventually look like this.