Re: Conflicting effective permissions (DC ADUC & workstation/mbr s

Tech-Archive recommends: Fix windows errors by optimizing your registry

Ok I found something. Look for print operators, you will notice this group
is only available on DC's.

http://www.ss64.com/ntsyntax/security_groups.html

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"IT Guy" <ITGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D94D3361-A265-45DF-84C5-70E3BB6BF5C2@xxxxxxxxxxxxxxxx
> Do you have a link to additional info on lack of support for Print
> Operators
> under 2003 or configuring a print server...?
>
> "Paul Bergson" wrote:
>
>> We created two new print servers for our domain. We have a group of
>> support
>> specialists we wanted to provide the ability to manage documents. Since
>> under 2003 the default permission no longer provides print operators any
>> permissions on a print server, you have to manually add the permission.
>> We
>> had to go back and add this to 140+ printers. We also had add a second
>> print server to our domain.
>>
>> We chose to use a 2003 resource tool called setprinter.exe using the
>> level 3
>> option. This reset all permissions back to an initial set but we were
>> able
>> to provide manage documents.
>>
>> I can post my notes on this if you are looking for this info.
>>
>> --
>>
>>
>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "IT Guy" <ITGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:EF2E2A17-FD2A-4DD9-9174-9EB3BBB64739@xxxxxxxxxxxxxxxx
>> >I may have not made my problem clear or I'm misunderstanding your
>> >suggestion...
>> >
>> > Just to clarify, I've added a user to the builtin domain print
>> > operators
>> > group and that user is unable to administer printers within the domain
>> > (not
>> > printers attached to a dc).
>> >
>> > More over, if the user opens the properties window within a printer,
>> > the
>> > options (sharing, ports, color management, security, etc.) are read
>> > only.
>> > Because the user is a member of the print operators group, I would
>> > think
>> > the
>> > user would have full control.
>> >
>> > FWIW, I did try your suggestion and added the user to the server
>> > operators
>> > group. The user still only had read permissions to printer
>> > properties...
>> > :(
>> >
>> >
>> > "Don Wilwol" wrote:
>> >
>> >> That's the way it is. Printer Operators manage DC's. You need to add
>> >> the
>> >> users to the Server Operators group.
>> >>
>> >> --
>> >> Hope it helps
>> >>
>> >> dw
>> >>
>> >> _______________________________
>> >> Don Wilwol
>> >> donwilwol(DELETE)@yahoo.com
>> >> http://spaces.msn.com/members/wilwol/
>> >>
>> >>
>> >> "IT Guy" <ITGuy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:B8ABFCB2-8F52-45AD-8872-98890167ED65@xxxxxxxxxxxxxxxx
>> >> > We have a problem that's been nagging us for a few weeks now. A
>> >> > domain
>> >> > user
>> >> > has been assigned to the print operators group to administer
>> >> > printers
>> >> > for
>> >> > our
>> >> > domain. Unfortunately, the user can read but not modify printer
>> >> > properties.
>> >> >
>> >> > I discovered while reviewing effective permissions on individual
>> >> > printer
>> >> > objects that the user has read only privileges when viewed from
>> >> > either
>> >> > my
>> >> > local workstation ADUC or a member server ADUC but full control when
>> >> > viewed
>> >> > from ADUC on any of our DCs. The Print Operators group has full
>> >> > control
>> >> > under effective permissions when viewed either way.
>> >> >
>> >> > We are running a Windows 2003 domain with 3 domain controllers. I
>> >> > have
>> >> > run
>> >> > gpupdate /force but still see the conflicting effective permissions.
>> >> > I
>> >> > am
>> >> > able to add objects, modify permissions, etc. from both DC and
>> >> > non-DC
>> >> > ADUCs
>> >> > and have those changes replicate successfully.
>> >> >
>> >> > Presumably the TRUELY effective permissions are the ones that I am
>> >> > seeing
>> >> > from non-DC ADUCs because the user is not able to modify printers.
>> >> > Any
>> >> > ideas
>> >> > why the user's effective permissions would be different depending on
>> >> > where
>> >> > I
>> >> > view them from? Any ideas on why the effective permissions being
>> >> > shown
>> >> > on
>> >> > DC
>> >> > ADUCs are not working? Thanks!
>> >>
>> >>
>> >>
>>
>>
>>


.

Relevant Pages

  • Re: Print Operator permissions
    ... Services have permissions. ... a template or GPO ... > It is my understanding that the Print Operators are not able to stop\start ...
    (microsoft.public.security)
  • RE: Permissions required to delegate printer management
    ... permissions to load and unload device drivers, ... load and unload device drivers permissions to Print Operators, to do this, ...
    (microsoft.public.windows.server.general)
  • Print Operators Group Doesnt Work on DC
    ... I have a group of help desk people I'm trying to delegate permission to manage printers on the domain. ... Putting them in the built in "print operators" group seems to be the ticket for the "member" print server I have, but they keep getting access denied when they try to purge jobs of print servers that are also domain controllers. ... If I go in and assign rights to to print operators on the individual printers, ...
    (microsoft.public.win2000.printing)
  • Re: fax managing
    ... can you make the user a power user? ... What permissions does the user have under the security tab of the fax ... printers - managing documents ... administrators and print operators: the same of above ...
    (microsoft.public.windows.server.sbs)
  • Management of printer permissions
    ... We are trying to set up special management roles in our ... implement a group with similar permissions on member servers, ... Is there any way to implement the permissions of "Print Operators" ... Is it possible to change the default permissions on new printers? ...
    (microsoft.public.win2000.security)