+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 20
Windows Server 2000/2003 Thread, Printer Permissions - denying access in Technical; Hi all, Have a query with regards to printer security permissions on our 2003 domain... I have a printer that ...
  1. #1
    Craggus2000's Avatar
    Join Date
    May 2008
    Location
    Chelmsford
    Posts
    63
    Thank Post
    1
    Thanked 8 Times in 5 Posts
    Rep Power
    14

    Printer Permissions - denying access

    Hi all,

    Have a query with regards to printer security permissions on our 2003 domain...

    I have a printer that I need to deny access to. Basically kids printing to it from other areas of the school (should only be the computers in that room that can print to it).

    This is what I've done: added computer accounts that shouldn't print to it to a security group. Added that security group to the printer, with a deny 'print' tick box. However, I was still able to add the printer and print to it from one of those PCs!

    Where am I going wrong?

    Thanks!

  2. #2
    danrhodes's Avatar
    Join Date
    Sep 2008
    Location
    Wath Upon Dearne
    Posts
    1,513
    Thank Post
    157
    Thanked 181 Times in 150 Posts
    Rep Power
    67
    It's a hard one to do because as Allow takes presendence over Deny the user account has Allow so will overwrite the computer account which has Deny.

    D

  3. #3
    stevenwba's Avatar
    Join Date
    Aug 2009
    Location
    Dudley
    Posts
    323
    Thank Post
    110
    Thanked 16 Times in 11 Posts
    Rep Power
    12
    Wouldnt it be easier for you to add a gpo for all student users not to be able to add printers? only leaving them with the ones you allocate?

  4. #4
    danrhodes's Avatar
    Join Date
    Sep 2008
    Location
    Wath Upon Dearne
    Posts
    1,513
    Thank Post
    157
    Thanked 181 Times in 150 Posts
    Rep Power
    67
    Yeah I think that is probably the way to go along side some print maangement software - We use PCounter I recommend it highly.


    See http://support.microsoft.com/kb/234270 for how to cinfigure your GPO to remove the Add Printer Wizrd.

    And see http://www.altman.co.uk/printmanagement/index.php for the print management software. Tell them I told you to ring ;-)

    D
    Last edited by danrhodes; 30th March 2010 at 10:27 AM.

  5. #5
    stevenwba's Avatar
    Join Date
    Aug 2009
    Location
    Dudley
    Posts
    323
    Thank Post
    110
    Thanked 16 Times in 11 Posts
    Rep Power
    12
    just wondered if you also using a script to map these printers every time or if you just add them manually?

  6. #6
    danrhodes's Avatar
    Join Date
    Sep 2008
    Location
    Wath Upon Dearne
    Posts
    1,513
    Thank Post
    157
    Thanked 181 Times in 150 Posts
    Rep Power
    67
    Quote Originally Posted by stevenwba View Post
    just wondered if you also using a script to map these printers every time or if you just add them manually?
    We use this to add a permenant connection to a machine remotly:

    RUNDLL32 PRINTUI.DLL,PrintUIEntry /c \\ICT1-01 /ga /n "\\server2.curriculum.airedalehigh.com\ITC-1"

    Or this to do it on the machine:

    rundll32 printui.dll,PrintUIEntry /ga /n \\server2\itc-1

    D

  7. #7
    Craggus2000's Avatar
    Join Date
    May 2008
    Location
    Chelmsford
    Posts
    63
    Thank Post
    1
    Thanked 8 Times in 5 Posts
    Rep Power
    14
    Quote Originally Posted by danrhodes View Post
    It's a hard one to do because as Allow takes presendence over Deny the user account has Allow so will overwrite the computer account which has Deny.

    D
    Oh,

    I thought deny always took precedence?

  8. #8
    Craggus2000's Avatar
    Join Date
    May 2008
    Location
    Chelmsford
    Posts
    63
    Thank Post
    1
    Thanked 8 Times in 5 Posts
    Rep Power
    14
    Quote Originally Posted by stevenwba View Post
    Wouldnt it be easier for you to add a gpo for all student users not to be able to add printers? only leaving them with the ones you allocate?
    I did think about that, but then with our kids, restrictions present a challenge for them to overcome, which they inevitably will, with reg hacks etc...

  9. #9
    danrhodes's Avatar
    Join Date
    Sep 2008
    Location
    Wath Upon Dearne
    Posts
    1,513
    Thank Post
    157
    Thanked 181 Times in 150 Posts
    Rep Power
    67
    Quote Originally Posted by Craggus2000 View Post
    Oh,

    I thought deny always took precedence?
    I suppose we're both correct from what I've read here?

    Because of the fact that users have can have many different rights settings and objects can have many different permission settings, it is possible that conflicting permission settings might apply to a particular object and access method. When this occurs, the system must engage in a process of resolving the various permissions to determine which ones should govern the access.

    Here are some rules for resolving permissions conflicts:

    "Deny" permissions generally take precedence over "allow" permissions.

    Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example from a group).

    Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.

    Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission--depending on the other rules above, of course.

    Although Deny permissions generally take precedence over allow permissions, this is not always the case. An explicit “allow” permission can take precedence over an inherited “deny” permission.

    The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:

    Explicit Deny
    Explicit Allow
    Inherited Deny
    Inherited Allow
    Also true:

    File permissions override folder permissions, unless the Full Control permission has been granted to the folder.

  10. #10
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    We have many colour printers here, we do not deploy them to pupils because of the cost and the way they can waste ink/paper and so on. Instead we publish them via IIS and password protect the actual connection page for each printer. So each department has there own user and password for their colour printer. Staff get them deployed. Each dept is responsible for the password.
    Last edited by jsnetman; 30th March 2010 at 11:16 AM.

  11. #11
    danrhodes's Avatar
    Join Date
    Sep 2008
    Location
    Wath Upon Dearne
    Posts
    1,513
    Thank Post
    157
    Thanked 181 Times in 150 Posts
    Rep Power
    67
    Quote Originally Posted by jsnetman View Post
    We have many colour printers here, we do not deploy them to pupuls because of the cost and the way they can waste ink/paper and so on. Instead we publish them via IIS and password protect the actual connection page for each printer. So each department has there own user and password for their colour printer. Staff get them deployed. Each dept is responsible for the password.
    Excellent idea! They used to do this at the school I attended as a wee child may years ago!

    D

  12. #12
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    We also create 2 shared drivers for each colour printer and set one to only print in greyscale and deploy them to pupils as their default printer per room. If they want colour they need the password from the teacher.

  13. #13

    Join Date
    Nov 2009
    Posts
    79
    Thank Post
    3
    Thanked 4 Times in 4 Posts
    Rep Power
    10
    a script i have cutdown.

    Messy yes!

    Public menutype, obj, WshNetwork, fs, adsDomainGroups
    Set obj = CreateObject("WScript.Shell")
    Set WshNetwork = CreateObject("WScript.Network")
    domain = WshNetwork.UserDomain
    Set adsDomainGroups = GetObject("WinNT://" & domain)
    Set fs = CreateObject("Scripting.FileSystemObject")
    regkey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Ex plorer\"

    ' If an error occurs in the script, the script carries on to the next section. Comment out to Fault find.
    On Error Resume Next
    ' Reads the room registry key
    room = obj.regread("HKLM\SYSTEM\CurrentControlSet\Control \ComputerName\ComputerName\room")

    ' Reads the room key and if it = "SERVER" stops the script running. Put the word "SERVER" in all servers room keys
    If room = UCase ("SERVER") Then
    Msgbox "This is the " & room & "." & vbTab & "Stopping the script" & vbCr & "Right click the script and select edit"
    WScript.quit
    Else
    End If
    ' Sets / collects fixed setings
    UserName = UCase(WshNetwork.UserName)
    server = "\\wbnas01" 'Change to match the users server
    homeserver = "\\wbnas01"
    printserver = "\\Print-server"
    officeversion = "2003" 'Change to match the users office version
    home = "N:" ' Put the users home drive letter here.

    ' Enumerates printer connections and deletes them
    Set oPrinters = WshNetwork.EnumPrinterConnections
    For Counter = 0 to oPrinters.Count - 1
    IF mid(oPrinters.Item(Counter + 1), 1, 2) = "\\" Then
    PrinterPath = oPrinters.Item(Counter + 1)
    WshNetwork.RemovePrinterConnection PrinterPath, True, True
    End If
    Next

    'Match's rooms to printers

    If room = "ROOM 7" Then
    PrinterPath1 = printserver & "\suite 7 Multifunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\suite 7 Multifunctional"
    ElseIf room = "ROOM 8" Then
    PrinterPath1 = printserver & "\suite 8 Multifunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\suite 8 Multifunctional"
    ElseIf room = "ROOM 9" Then
    PrinterPath1 = printserver & "\suite 9 Multifunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\suite 9 Multifunctional"
    ElseIf room = "ROOMSB6" Then
    PrinterPath1 = printserver & "\6thForm MultiFunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\6thForm MultiFunctional"
    ElseIf room = "ROOMSM6" Then
    PrinterPath1 = printserver & "\6thForm MultiFunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\6thForm MultiFunctional"
    ElseIf room = "ROOMSR6" Then
    PrinterPath1 = printserver & "\6thForm MultiFunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\6thForm MultiFunctional"
    ElseIf room = "ROOMSF6" Then
    PrinterPath1 = printserver & "\6thForm MultiFunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\6thForm MultiFunctional"
    ElseIf room = "ROOM 10" Then
    PrinterPath1 = printserver & "\Suite 10 MultiFunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\Suite 10 MultiFunctional"
    ElseIf room = "ROOM D5" Then
    PrinterPath1 = printserver & "\Design BizHub 253"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\Design BizHub 253"
    ElseIf room = "Design04" Then
    PrinterPath1 = printserver & "\mfdkmc253design"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\mfdkmc253design"
    ElseIf room = "LAB 8" Then
    PrinterPath1 = printserver & "\Lab 8 Multifunctional"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter server & "\Lab 8 Multifunctional"
    ElseIf room = "LIBRARY" Then
    PrinterPath1 = printserver & "\Library Bizhub 250"
    Wshnetwork.addwindowsprinterconnection Printerpath1
    Wshnetwork.setdefaultprinter printserver & "\Library Bizhub 250"
    ElseIf room = "ROOM24F" Then
    PrinterPath1 = printserver & "\room24hp1015"
    PrinterDriver1 = "HP LaserJet 1200 Series PCL 6"
    Wshnetwork.addwindowsprinterconnection Printerpath1, Printerdriver1
    Wshnetwork.setdefaultprinter server & "\room24hp1015"
    Else
    End If

  14. #14
    danrhodes's Avatar
    Join Date
    Sep 2008
    Location
    Wath Upon Dearne
    Posts
    1,513
    Thank Post
    157
    Thanked 181 Times in 150 Posts
    Rep Power
    67
    Long but looks good of what I scimmed over. I wrote one of these in batcha while ago.

    D

  15. #15

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Quote Originally Posted by danrhodes View Post
    It's a hard one to do because as Allow takes presendence over Deny the user account has Allow so will overwrite the computer account which has Deny.
    In the first place this is false; in the second place, computer accounts aren't considered when calculating printer permissions so the deny isn't even applicable.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Printer Permissions
    By IanT in forum Windows Server 2000/2003
    Replies: 3
    Last Post: 17th March 2010, 06:53 PM
  2. Replies: 11
    Last Post: 12th September 2009, 02:27 PM
  3. File Access Permissions....
    By MyDejaVu in forum Windows
    Replies: 3
    Last Post: 15th July 2008, 05:45 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •