Since Microsoft's updates in the summer of 2021, linking printers as an unprivileged user (without administrator rights) no longer works. The cause is the changes made in response to CVE-2021-1675, commonly known as PrintNightmare.
The behavior of Point and Print in Windows has changed, so linking printer shares no longer works out of the box. An adjustment of the group policy is necessary.
Administrator rights are normally required to install drivers. To let unprivileged users link printers, Windows made an exception here: when a printer was linked from a print server, the driver installation was performed in the background. When the CVE-2021-1675 vulnerability was discovered, it was determined that this behavior can be used to install malicious drivers. The check whether a driver is a regular printer driver or a malicious driver that can be used to compromise the system was insufficient. As a result, Microsoft made several attempts to improve this behavior. The first approach was to allow only signed printer drivers. However, it didn't take long to find a workaround. The number of signed printer drivers in Windows is huge, and a security hole in a single existing printer driver is enough for a compromise. Corresponding gaps were quickly found and Microsoft was forced to change the behavior completely.
The automatic installation of drivers when linking a printer now requires administrative rights by default. If you want to change this behavior, you have to create a corresponding group policy.
The following has proven to be a feasible path between convenience (printer assignment for normal users) and security:
It is good practice to deactivate the Print Spooler by default on all servers that do not require a printer.
This GPO should be assigned to everybody (whole domain + domain controllers). Use Delegation to remove your print servers from this GPO.
This GPO contains the following policies for computers:
NOTE: If you forget to add your print servers to both policies (Allowed Servers and Restrictions), the default behavior (any server) is applied. All security is therefore switched off!
NOTE: Setting the registry value RestrictDriverInstallationToAdministrators to 0 enables the Point and Print feature. The default (if the value doesn't exist) is 1, which disables the whole feature.
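The check implied by the two notes above, as an added PowerShell example that is not part of the original article: it reads the local policy registry values and reports whether driver installation has been opened to non-administrators without both server lists being set. It assumes the two policies meant are "Point and Print Restrictions" and "Package Point and Print - Approved servers", stored under the registry paths shown; the function names are hypothetical.

```powershell
# Added example: audit the local Point and Print policy state.
# Assumption: the policies write to these registry locations.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, i.e. the policy is not configured.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PointAndPrintPolicy {
    $pnp = "$Base\PointAndPrint"
    $pkg = "$Base\PackagePointAndPrint"
    $findings = @()

    # Missing or 1: only administrators may install printer drivers.
    $restrict = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'
    if ($null -eq $restrict -or $restrict -eq 1) {
        return @('OK: driver installation is restricted to administrators')
    }
    $findings += 'INFO: RestrictDriverInstallationToAdministrators = 0'

    # "Point and Print Restrictions": needs an explicit, semicolon-separated server list.
    $servers = Get-PolicyValue $pnp 'ServerList'
    if ((Get-PolicyValue $pnp 'TrustedServers') -eq 1 -and $servers) {
        $findings += "OK: Point and Print Restrictions limited to $servers"
    } else {
        $findings += 'FAIL: Point and Print Restrictions has no server list (any server)'
    }

    # "Package Point and Print - Approved servers": the list lives in a subkey.
    $approved = @()
    $key = Get-Item -Path "$pkg\ListofServers" -ErrorAction SilentlyContinue
    if ($key) { $approved = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) }
    if ((Get-PolicyValue $pkg 'PackagePointAndPrintServerList') -eq 1 -and $approved.Count -gt 0) {
        $findings += "OK: approved package servers: $($approved -join ';')"
    } else {
        $findings += 'FAIL: no approved package servers configured (any server)'
    }
    $findings
}

Test-PointAndPrintPolicy
```

Run it on a client after the GPO has been applied; any FAIL line corresponds to the situation the first note warns about.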