Re: Inherited Permissions for Printers

From: Chriss3 [MVP] (noSpamHere_at_chrisse.se)
Date: 01/11/05


Date: Tue, 11 Jan 2005 16:41:37 +0100

From what I see, this works, at least for the Add/Remove Printers right. All
objects are possible containers from my view. Local printers are by default
published in the directory. Have you tried this solution?

-- 
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
"Herb Martin" <news@LearnQuick.com> wrote in message
news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
> "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
> news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
>> Hello Paul,
>> Good question. Yes, it's possible to inherit the security (ACL) from the
>> computer object in Active Directory, since all printers published in
>> Active Directory are child objects of their host/computer/server.
>
> I don't think so.  The printers so published are not
> "children" of the computer object for several reasons
> but the most important is that Computer objects are
> NOT containers.
>
> Also note, the Computer object in AD will not get
> you permissions to the actual PRINTER (queue)
> anyway.
>
> Also, since these are local printers they may not
> even be published in AD.
>
>> You can give the "IT Helpdesk Staff" Full Control of child objects of
>> type PrinterObjects or just Add / Remove Printer Objects. You should see
>> an entry for the Printer Operators group with rights Add / Remove Printer
>> Objects in the ACL list on the computer/host/server object in AD.
>
> Unless I am totally wrong about this, there is no
> place to "inherit permissions" on the PRINTER
> (queue) share objects themselves since they have
> no parent.
>
> I.E., you still won't be able to print.
>
> A Restricted Group MIGHT help but the group
> used will need to be one that is already assigned
> by default, or there must be another way to give
> this group the requisite permissions.
>
> A startup script might wrap this stuff up by
> enumerating Print shares etc.....
>
>
> -- 
> Herb Martin
>
>
>>
>> -- 
>> Regards
>> Christoffer Andersson
>> Microsoft MVP - Directory Services
>>
>> No email replies please - reply in the newsgroup
>> ------------------------------------------------
>> http://www.chrisse.se - Active Directory Tips
>>
>> "Paul Hadfield" <paul@anon.com> wrote in message
>> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
>> > All,
>> >
>> > I realise this is a printing question, but I think it's probably more
>> > GPO/AD related too.
>> >
>> > Is there any way that permissions for locally installed printers on a
>> > Windows 2000 Advanced Server can be set to inherit in the same way that
>> > files and folders can? E.g. when someone creates a new local printer, I
>> > want to be able to specify what the default security permissions will
>> > be set to.
>> >
>> > We have a Windows 2000 domain with print queues set up locally on
>> > Windows 2000 Advanced Server member servers. I'm trying to set up our
>> > member servers so that when a member of the domain security group "IT
>> > Helpdesk Staff" creates a new local printer, the correct permissions
>> > are automatically assigned to it and all the IT staff needs to do is
>> > add the relevant User groups with print access.
>> >
>> > The domain security group "IT Helpdesk Staff" has only domain user
>> > rights but is also a member of the local Power Users group on the
>> > Windows 2000 member servers, and so has full permissions to create new
>> > printers locally.
>> >
>> > Thanks again,
>> > Paul.
>> >
>> >
>> >
>>
>>
>
> 
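
An added example, not part of the thread or any poster's code: a read-only PowerShell audit along the lines of the startup script suggested above, which enumerates local print queues and reports whether a given group holds the expected rights on each queue's own security descriptor (the AD computer object's ACL is not consulted). It assumes the PrintManagement module (Windows 8 / Server 2012 and later, not the Windows 2000 servers discussed); the domain EXAMPLE is a placeholder.

```powershell
# Added example: report whether an account holds the expected rights on each
# local print queue's own security descriptor. Read-only; changes nothing.
# Only allow ACEs naming the account's SID directly are counted; nested group
# membership and deny ACEs are not evaluated.
param(
    # Placeholder domain; the group name is the one used in the thread.
    [string]$Account = 'EXAMPLE\IT Helpdesk Staff',
    # PRINTER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED (0xF0000)
    #   | PRINTER_ACCESS_ADMINISTER (0x4) | PRINTER_ACCESS_USE (0x8)
    [int]$RequiredMask = 0x000F000C
)

$nt  = New-Object System.Security.Principal.NTAccount -ArgumentList $Account
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$inheritOnly = [System.Security.AccessControl.AceFlags]::InheritOnly

Get-Printer -Full | Where-Object { $_.Type -eq 'Local' } | ForEach-Object {
    $printer = $_
    if ([string]::IsNullOrEmpty($printer.PermissionSDDL)) {
        # Typically the caller lacks the right to read the descriptor.
        Write-Warning "No security descriptor returned for $($printer.Name)"
        return
    }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $printer.PermissionSDDL
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Inherit-only ACEs apply to print jobs (documents), not to the queue.
        $direct = -not ($ace.AceFlags -band $inheritOnly)
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq 'AccessAllowed' -and $direct -and
            $ace.SecurityIdentifier.Value -eq $sid) {
            $granted = $granted -bor $ace.AccessMask
        }
    }

    [pscustomobject]@{
        Printer   = $printer.Name
        Granted   = '0x{0:X8}' -f $granted
        Compliant = (($granted -band $RequiredMask) -eq $RequiredMask)
    }
}
```

Queues reported with `Compliant = False` are the ones where the group would still lack rights on the printer itself, whatever is set on the computer object in AD.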

