  1. #1
    link470

    [Answered] Using Authenticated Users on Printers, and stopping non domain users

    Hey everyone. I've got a question about printer security permissions. I have printers configured on my Windows Server 2003 print server to allow Administrators [All 3 options], Authenticated [Print], Creator Owner [All 3 options], Print Operators and Server Operators with their default of all 3 options, and students to deny all 3 options [this is for a staff printer obviously]. The question I have is, will this successfully be enough to block a non-domain user from printing to a printer? I'm using Authenticated Users instead of Everyone.

    Here's the deal. I took out my MacBook Pro, connected over the wireless network [it's not a member of the domain, just my laptop from home], and tried to add a printer via Windows Network. I added the staff printer listed there, and successfully fired a test page to it no problem. Should I have been able to do this? Never once did I have to enter a password. Is it connecting via some other protocol I don't know about? Maybe Bonjour or something?

    Just want to make sure ONLY our systems can print and not a misc system. I just can picture a student plugging in their laptop, adding a staff printer, and firing off print jobs. I thought I had it locked down. It works within our domain, a student can't add a staff printer. But I want to make sure that an anonymous system can't access them either. My Mac just made it look way too easy. Haven't tried yet with a Windows laptop.

    Thanks!
    Last edited by link470; 10th February 2009 at 09:05 PM.

  2. #2
    pagelad
    Did you connect to the printer using the server-based share UNC \\server\printer, or did you connect to the printer directly by its IP?

    If you're doing it via IP you will need to check the security on the actual printer's software; the security rules you mentioned only apply to connections being attempted via the server share.

  3. #3
    link470
    I think my Mac just browsed the network and found some printers, and added it. I'm starting to wonder if there even IS a way to block direct connections to the printers. I can't seem to do that with the web-based configuration panels on this printer [a Dell 1700n for example].

  4. #4

    Michael
    To make it a little more difficult, on your printer server right click a printer, choose Properties > Sharing and untick Listed in the Directory. Do this for every printer in turn on your print server. This means when users try to search for printers they'll get no results. They'd have to manually type in the full UNC path \\servername\print-share-name and then should be prompted to enter a username and password.

    As for permissions (as always), deny permissions take priority over allow permissions. Remove all existing groups under security and only add security groups you want to give permission to. So I'd recommend domain administrators; staff; students (for example). Domain administrators should have Print, Manage Printers and Manage Documents. Staff and students should have just Print or Print and Manage Documents only.

    Now click the Add button and type "anonymous". ANONYMOUS LOGON should appear. Tick deny for Print, Manage Printers and Manage Documents then apply changes. Do this for every printer and it should solve your problem.

    However - if someone brought in a computer, added a printer by typing in the UNC path and then authenticated using domain\username and password, they would still be able to print from the computer. Hope this helps.

  5. #5

    SYNACK
    Quote, originally posted by link470:
    I think my mac just browsed the network and found some printers, and added it. I'm starting to wonder if there even IS a way to block direct connections to the printers. I can't seem to do that with the web based configuration panels on this printer [a Dell 1700n for example].

    If you wanted to properly lock out direct connection to the printers you may need to set up a separate VLAN for them that only the servers have access to. That way anything on the client network will be able to connect to the authentication-controlled print driver on the server but not to the printer directly.

  6. #6
    link470
    Might be hard in our setup, but I see exactly what you're saying. Thanks!
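
A check for the segmentation SYNACK describes in post #5, as an added example that is not part of the original thread: run from a machine on the client network, it reports every printer that still accepts direct TCP connections, which bypass the print server's share permissions. The printer names, the addresses (documentation range) and the port list are assumptions to replace with your own inventory.

```python
import socket

# Common direct-print TCP ports (assumed list; adjust to what your devices expose).
DIRECT_PRINT_PORTS = {9100: "raw/JetDirect", 515: "LPD", 631: "IPP"}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def audit_printers(printers, ports=DIRECT_PRINT_PORTS, probe=port_open):
    """Map each printer name to the direct-print services reachable from here.

    Printers that are fully isolated from this network do not appear in the result.
    """
    findings = {}
    for name, host in printers.items():
        reachable = [f"{port} ({label})"
                     for port, label in sorted(ports.items())
                     if probe(host, port)]
        if reachable:
            findings[name] = reachable
    return findings


def report(printers, findings):
    """One PASS/FAIL line per printer; FAIL means share ACLs can be bypassed."""
    lines = []
    for name, host in printers.items():
        if name in findings:
            lines.append(f"FAIL {name} ({host}): direct printing possible on "
                         + ", ".join(findings[name]))
        else:
            lines.append(f"PASS {name} ({host}): not reachable from this network")
    return lines


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    PRINTERS = {"staff-laser": "192.0.2.10", "office-mfp": "192.0.2.11"}
    for line in report(PRINTERS, audit_printers(PRINTERS)):
        print(line)
```

Run it from a client-network machine; once the printers sit on a VLAN that only the print server can reach, every line should read PASS.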
