Windows 2003 R2 server, Deploy printers with group policy

Tags: DataCenter, Management, Microsoft Windows, OS, Security, Servers, SQL Server

I have a Windows domain using 2003 R2 server. The network printers are set up through the printer server role and the gateway for the printers was set up as the IP address of the printer server so only printing jobs coming from the printer server will print. I am deploying printers to XP clients using a per-machine connection. I would like for visitors that log on to some of those computers using local credentials (they are not members of the domain) to be able to use the deployed printers. If the local account has the same username and password as an account in the domain the printers are available. If the local account has the same username but a different password than an account in the domain the printers are not available. And of course local accounts that do not match any account in the domain do not have access to the printers. By no access or not available I mean that the printers are visible in the printer control panel, but the status is access denied; I cannot even open the properties dialog box, let alone print. My question is, am I forgetting to configure something? Or is it not possible to give local users access to the deployed printers despite the fact that they were deployed to the computer, not to a particular user? Thank you

Answer Wiki


Maybe I misunderstand your question. So for clarification, why do you want your visitors to log on locally to the computer? Why not create a user's account for your visitors on your domain and restrict what access they have? Is that not why you have a domain, to control access to your resources?

If you make a visitor's user account, you can then have them in a security group that only has access to the printers and nothing else. Use security groups to control what you want to restrict or give access to.

Let us know how it goes. Good luck
dmw

Discuss This Question: 6  Replies

 
  • Gshughes
    This is standard AD stuff. You should configure a GPO, set all authenticated users to have access to print, but not manage printers, and voila. I am not sure why you would want any users to ever log in locally to any machine, the purpose for AD is to grant access to resources, and this would be the way to do it. Good luck. Cordially, Geoff http://www.virtualserver-resources.com http://www.digisoconsulting.com
  • Mortree
    Agreed. Barring details or reasons you haven't stated, your local account scheme doesn't make much sense. However -- configured printers (the software icons-user interface) belong to individual user profiles, NOT to computers. I guess you could alter the Default User Profile to contain certain configured printers by default. http://support.microsoft.com/kb/319974 But yes, actual login to use domain printers is generally a "trick" of matching account names and passwords. However, to skip this trick you could enable the Guest account and grant rights to these printers to that Guest account. WARNING! Will Robinson! Enabling the Guest account is a huge risk to the domain security. For instance a user logged on to a local XP account can now flood the print server print queue until no space is left on that disk. Crash printers for sure and if on C: likely making normal logon "difficult". Another approach is to set up Internet Printers. Some of the same problems here with the printer server itself but at least the Guest account isn't wandering the rest of the network looking for an opening. Finally, what were you trying to accomplish with the printer gateways? Isolation of print devices from remotely accessed XP machines? Setting the gateway of a printer to the print server IP is not really exclusive unless that network segment or VLAN is dedicated to print devices and a printer server interface. Gateways are only important when routing would be required, different VLANs or subnets. So basically any machine on that network segment should still be able to directly address traffic to the network printers. If this is where your XP machines are at you could still just send printer jobs to the printer IPs. Also if a worm gets on one printer it can still jump from printer to printer unless they are separated by routers or VLANs.
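Mortree's point about printer gateways in the comment above, as an added example that is not part of the original thread: a printer only consults its gateway for off-subnet destinations, so same-segment clients bypass the print server entirely. The addresses, host names and the function names `reply_path` and `audit` are constructed for illustration.

```python
import ipaddress

def reply_path(printer_ip, prefix_len, gateway_ip, client_ip):
    """Return how the printer sends its reply to client_ip.

    'direct'  - client is on the printer's own subnet; the gateway is never used
    'gateway' - client is off-subnet; the reply is handed to gateway_ip
    """
    subnet = ipaddress.ip_interface(f"{printer_ip}/{prefix_len}").network
    if ipaddress.ip_address(gateway_ip) not in subnet:
        raise ValueError("gateway must itself be on the printer's subnet")
    return "direct" if ipaddress.ip_address(client_ip) in subnet else "gateway"

def audit(printer_ip, prefix_len, print_server_ip, clients):
    """List clients that can talk to the printer without the print server."""
    bypass = []
    for name, ip in clients.items():
        if ip == print_server_ip:
            continue  # the print server is the intended path
        if reply_path(printer_ip, prefix_len, print_server_ip, ip) == "direct":
            bypass.append(name)
    return sorted(bypass)

# Constructed sample addressing (not taken from the thread)
CLIENTS = {
    "print-server": "192.168.10.5",
    "xp-visitor-1": "192.168.10.41",
    "xp-visitor-2": "192.168.10.42",
    "xp-lab-7": "192.168.20.17",
}

if __name__ == "__main__":
    # Printer shares the /24 with the XP machines: gateway setting isolates nothing
    print(audit("192.168.10.200", 24, "192.168.10.5", CLIENTS))
    # Printer on a dedicated /28 with only a print server interface: no bypass
    print(audit("192.168.30.2", 28, "192.168.30.1", CLIENTS))
```

Off-subnet clients are only blocked if the print server does not forward packets; the subnet boundary, not the gateway field, is what enforces the restriction.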
  • Mortree
    If you use domain accounts you may have an excuse to set up mandatory profiles on those XP machines.
  • Mortree
    If the networked printers, XP machines, and LAN segment are dedicated to visitors -- you can probably save yourself the use of the print server. Most networked printers have sufficient "hardware based" print server abilities to handle a workgroup environment in the absence of old Macintosh OSes (might refuse to release TCP connection). Heck, most built-in network printer servers have web-based interfaces that allow remote management of the printer and queue. It is the use of Group Policy and Active Directory features that make it worth having a Windows 2003 server perform print services. Without that you can't automatically give priority to certain user accounts or hold their jobs for printing later.
  • Bocha1
    Thank you all for your suggestions. I will try to explain a little bit better what I was trying to do, being a newbie to Windows domains and Active Directory. Our group is a small research group in an academic environment. We set up this Windows domain to serve our research group members only. The members of our research group have domain accounts and with the use of group policy we granted access to network resources such as file and printer servers as needed. They do not use local accounts, just the domain accounts. There are also other academic researchers that use some of our equipment and software. I do not want to make them users in our domain and I would prefer not to activate the domain guest account, I just want to give them the ability to print to our printers. I know that I could set up local printer drivers on those computers used by the guest researchers, but then our group members would see two "versions" of the same printer, the printer server and local printer versions. I would like to avoid that if possible. For that reason when I learnt that with W2003 server and WinXP clients we could deploy printers per-machine using group policy I decided to try this method. The printers are actually deployed to the computers, but as I explained in my original message if the local account does not match an account in the domain then the printer is visible but not available for printing in the printer control panel. The explanation by Microsoft for per-machine deployment is that it gives access to anybody logging on to that machine. So, anybody, in this context, means any domain account only? Or means anyone logging on, including local accounts? If the former, then there is no way for me to accomplish the deployment of printers to users logged on locally and I would need to take a different approach like the ones suggested in your responses, mainly making those guest researchers members of the domain with access only to the printers.
    Alternatively, I could get rid of the printer server and install the printer drivers locally for everyone but I would rather not do that so I will not lose the capability of centrally managing and deploying the printers. I would appreciate any other suggestion that you might have and I thank you all for your assistance. Best regards