Can I give printing rights without giving login rights?

  • Thread starter Thread starter Peter
  • Start date Start date
P

Peter

I have a PC (admin) with a printer attached, and some PCs (user)
networked to it which I want to access the printer.

I can make it work if I create a user account on the admin PC for
every user on the LAN.

But then it is possible for each of the users to login into the admin
PC. Obviously only under their user login, but I don't want them to be
able to login at all.

How can I create a user account but with login **on that machine**
blocked?


Peter.
 
Jetro said:
You can enable Guest account and lock down its desktop or purchase the
server.
Click to expand...

Doesn't enabling the Guest account create a big security hole?


Peter.
 
Jetro said:
Not related to the subject. As you see, the practical solution is a domain.
Click to expand...

Perhaps you could offer more than cryptic 1-line replies; I might then
have a chance of understanding them.


Peter.
 
Did I offend you somehow?
That's impossible to disable the logon on particular workstation in the
workgroup environment. You need the domain with domain controller (server).
Enabled Guest account is a breach in the security, you are right, but I
wouldn't bother about the workgroup security at all - nothing is secure.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299909
HOW TO: Join a Workgroup in Windows 2000 Server
 
Jetro said:
Did I offend you somehow?
That's impossible to disable the logon on particular workstation in the
workgroup environment. You need the domain with domain controller (server).
Enabled Guest account is a breach in the security, you are right, but I
wouldn't bother about the workgroup security at all - nothing is secure.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299909
HOW TO: Join a Workgroup in Windows 2000 Server
Click to expand...

OK, thank you, I understand that it cannot be done. In a workgroup
system, if you want rights to a printer attached to PC X then you also
have inevitable login rights into PC X console.

Perhaps if the printer in question was directly ethernet-attached
(rather difficult with a UBS-only inkjet pritner), or attached to a PC
which is only used as a print server, that would be a solution.

This raises an interesting question... if I did dedicate a PC to act
as a print server, that same PC could also run an email server and
filter out all the Swen spam... run Winfax, etc etc...


Peter.
 
The printer can be attached to any workstation, say, nearest to admin
computer, or you could buy hardware print server. WinFax could be run as
distributed shared application etc etc etc. As to the workstation acting as
an email server... It wouldn't be productive enough and limited by 10
simultaneous connections in the case of W2kPro, but dedicated Linux machine
would be sufficient for everything.
 
(e-mail address removed) (Peter) wrote
OK, thank you, I understand that it cannot be done. In a workgroup
system, if you want rights to a printer attached to PC X then you also
have inevitable login rights into PC X console.
Click to expand...

I have just proven the above is wrong!

I have created an account for my son on my own PC (the one which has
the printer attached to it) and tried to login using his login/pwd on
my PC and it says only an administrator can login.

That's good news. No idea how it was achieved :) There must be some
config on my PC which specifies that only administrators can login.


Peter.
 
Alright, here is the trick - I just forgot about it (don't remember when I
configured the workgroup last time - 10 years ago?! ;-)
Create special group and add restricted users to it. Run 'gpedit.msc' and
drill down to
ComputerConfiguration/WindowsSettings/SecuritySettings/LocalPolicies/UserRig
htsAssignment: DenyLogonLocally - add the group mentioned above.
If you locked down yourself (I did), you need 'ntrights.exe' from
ResourceKit. Run from any remote machine as administrator:
ntrights -u {user or group} -m \\lockedcomputer -r
SeDenyInteractiveLogonRight

Indeed, if you have ntrights.exe around already, you can lock interactive
logon directly.
 
Jetro said:
Alright, here is the trick - I just forgot about it (don't remember when I
configured the workgroup last time - 10 years ago?! ;-)
Create special group and add restricted users to it. Run 'gpedit.msc' and
drill down to
ComputerConfiguration/WindowsSettings/SecuritySettings/LocalPolicies/UserRig
htsAssignment: DenyLogonLocally - add the group mentioned above.
If you locked down yourself (I did), you need 'ntrights.exe' from
ResourceKit. Run from any remote machine as administrator:
ntrights -u {user or group} -m \\lockedcomputer -r
SeDenyInteractiveLogonRight

Indeed, if you have ntrights.exe around already, you can lock interactive
logon directly.
Click to expand...

Jetro - thank you! However I didn't do the above; it must have
happened somehow (win2kpro, sp4).


Peter.
 
Back
Top