Re: Point and Print Restrictions policy
- From: "Alan Morris [MSFT]" <alanmo@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Dec 2005 09:05:01 -0800
Server side
You will need to enable DNS registration in order for the cluster name to
get a machine account. You might have to enable Kerberos but I think just
configuring DNS registration should do it. cluadmin.exe Group / Cluster
name / Properties / Parameters.
You will know you are successful when the cluster name shows up as a machine
account in the AD.
Client side
Disable the policy in a domain GPO that applies to all users (the policy is
enabled since it's not configured by default) or add the server names to the
trusted list in a policy that applies to all users.
gpedit.msc.
User Configuration / Administrative templates / Control Panel / Printers /
Point and Print Restrictions
This policy setting restricts the servers that a client can connect to for
point and print. The policy setting applies only to non Print Administrators
clients, and only to machines that are members of a domain.
When the policy setting is enabled, the client can be restricted to only
point and print to a server within its own forest, and/or to a list of
explicitly trusted servers.
When the policy setting is not-configured, it defaults to allowing point and
print only within the client's forest.
When the policy setting is disabled, client machines can point and print to
any server.
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
"JB" <JB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:892A460F-041D-4983-8295-C1894615AFD7@xxxxxxxxxxxxxxxx
> Thank you for taking the time to suggest your response Alan.
>
> I'm not sure I know how to have a cluster's name show up as a computer
> account. I did a search of the computers in this domain (domain A in my
> example) and it did not show up. The computer names of the nodes show up
> of course.
>
> Our cluster is as follows.
>
> entserv01 (node1 computer name)
> entserv02 (node2 computer name)
> entserv (cluster name)
> entserver (printer virtual server name)
>
> Yes we can print to printers on this cluster (across domains) successfully
> if the driver is already present with a normal user.
>
> Thanks for your suggestion on making changes at the client level however,
> we are trying not to have to do this since we have many clients to touch.
>
> Can you elaborate on your suggestion given this new information?
>
> Please let me know if I can give you any more information that might be of
> help.
>
> Brandon
>
> "Alan Morris [MSFT]" wrote:
>
>> The cluster may not have a machine account on the domain thus the policy
>> cannot verify the machine is "trusted". What are the cluster name
>> parameters?
>>
>> This policy blocks the installation of the driver unless the driver is
>> inbox on the XP client. Can you make a connection to a printer that is in
>> the list of XP print drivers?
>>
>> When disabling the policy there is nothing to do on the server. The
>> policy must be disabled on all clients. You can also add the clustername
>> and the node names to the trusted server list on each client.
>>
>> --
>> Alan Morris
>> Windows Printing Team
>> Search the Microsoft Knowledge Base here:
>> http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "JB" <JB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:471E3B3E-B83D-4342-92A7-0671DCAF746E@xxxxxxxxxxxxxxxx
>> > Hello,
>> >
>> > We have an issue with the Point and Print Restrictions policy. We are
>> > getting the following message when trying to connect to a printer:
>> >
>> > "A policy is in effect on your computer which prevents you from
>> > connecting to this print queue. Please contact your system administrator."
>> >
>> > We have found the following document that refers to this error message...
>> > http://support.microsoft.com/?kbid=319939
>> >
>> > Our configuration is as follows:
>> >
>> > A Windows XP SP2 user in Domain B is attempting to add a new printer
>> > from a Windows 2003 print cluster in Domain A. Both domains are in the
>> > same forest.
>> >
>> > Domain A is our Windows 2000 AD Forest root. Domain B is another
>> > domain in the forest.
>> >
>> > This is a new print cluster that has worked for months in testing with
>> > admin level users. However we didn't do much testing for normal (non local
>> > admin) users and now realize we have this issue.
>> >
>> > We've found that if an admin logs in and maps the drive first then the
>> > printer will then map and print correctly for the normal user. This
>> > implies that the issue is the normal (non-admin) user copying the printer
>> > drivers for the first time.
>> >
>> > We have verified the setting is disabled in reference to
>> > http://support.microsoft.com/?kbid=319939 at the domain level for
>> > Domain A, at the domain level of Domain B and locally for each Windows
>> > 2003 print cluster node.
>> >
>> > We have also verified there isn't any group policy print driver loading
>> > restrictions in either domain.
>> >
>> > In searching for other people experiencing this issue via Google it
>> > appears others have solved their issue via the article's suggestions. We
>> > however have not and the way we read the article is that it applies to
>> > cross forest printing - which is not our case.
>> >
>> > Any suggestions on what else to look for in our situation are greatly
>> > appreciated.
>> >
>> > Brandon
>>
>>
>>