Connecting to a 2000 print server without a username and password?

[L]

How can I set up security on a Windows 2000 Server print queue so that
users logged into local accounts at a workstation, not authenticated to an
active directory server, can add a printer without needing to use a
username and password? I've tried adding Anonymous Login to the security
tab but that didn't seem to work.

Thanks.

 

[Cari \(MS-MVP\)]

See Bruce Sanderson's article at:
http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm

 

[L]

See Bruce Sanderson's article at:
http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm

Thanks, but it's actually a different issue that I have. The printer queue
has a username and password but I want the printer queue to not have a
username and password.

 

[Loïc Delambre]

How can I set up security on a Windows 2000 Server print queue so that
users logged into local accounts at a workstation, not authenticated to an
active directory server, can add a printer without needing to use a
username and password? I've tried adding Anonymous Login to the security
tab but that didn't seem to work.

Thanks.

Did you had the anonymous user right on the printer too?

 

[jokes54321]

A while back I was trying to get SQL to backup to a remote share on another
server. The SQL service and the Agent was running as under the local system
account and kept getting an access denied when trying to access that share.
Someone in the SQL group sent me a KB article for changing a registry key to
enable true anonymous access to the share. I've searched through my notes
but can't seem to find that response. If I do, I'll post it up.

 

[jokes54321]

I found it.
http://support.microsoft.com/kb/q289655/

Perhaps this may not work. I'm not sure if this will apply to printer
sharing and I'm not sure user access will be counted as a Null session. It
may be worth a try..

 

[Bruce Sanderson]

Granting anonymous access to resources can be problematic and is not usually
recommended.

See if the information at
http://www.microsoft.com/technet/pr...Kit/2c82586e-bd58-42b7-9976-228a23721e35.mspx
or
http://www.microsoft.com/technet/pr...elp/1494bf2c-b596-4785-93bb-bc86f8e548d5.mspx
is any use.

If security (access management/control) on the computer sharing the printer
is not a concern, you could enable the Guest account on that computer; this
will allow anonymous authentication. Be careful what resources (shares,
folders etc.) that the Guest account has access to. If I recall correctly,
on Windows 2000, the Guest account is included in the Everyone group.

Another thing you can do that is sometimes useful is to put a command like
the one below in either a user's Start Menu\Programs\Startup or the All
User\Start Menu\Programs\Startup folder on the client computer or in a logon
script.

net use \\servername\ipc$ password /user:username

This will authenticate the Windows session running the command (on the
client computer) to the specified computer (servername) using the username
and password specified in the command. Then, the user can use a resource
(e.g. printer) to which that username has permissions. There are a couple
of downsides to this approach:

1. the username and password are in plain text in the command line, thus
exposing that user account to compromise
2. if there are other resources (e.g. file shares) on that server the user
needs to access with a different user account, that will most likely not be
possible becuase a given Windows session can only be authenticated on the
target server with one user account at at time; the net use command causes
authentication on the target computer, so the user can not use a different
user account to access a different resource on that computer.

 

[L]

Subject: Re: Connecting to a 2000 print server without a username and
password? From: "Bruce Sanderson" <[email protected]>
Date: Wed, 7 Sep 2005 23:29:49 -0700
Newsgroups:
microsoft.public.win2000.printing,microsoft.public.win2000.general
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670

Granting anonymous access to resources can be problematic and is not
usually recommended.

See if the information at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/
DepKit/2c82586e-bd58-42b7-9976-228a23721e35.mspx or
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/
ServerHelp/1494bf2c-b596-4785-93bb-bc86f8e548d5.mspx is any use.

If security (access management/control) on the computer sharing the
printer is not a concern, you could enable the Guest account on that
computer; this will allow anonymous authentication. Be careful what
resources (shares, folders etc.) that the Guest account has access to.
If I recall correctly, on Windows 2000, the Guest account is included
in the Everyone group.

Another thing you can do that is sometimes useful is to put a command
like the one below in either a user's Start Menu\Programs\Startup or
the All User\Start Menu\Programs\Startup folder on the client computer
or in a logon script.

net use \\servername\ipc$ password /user:username

This will authenticate the Windows session running the command (on the
client computer) to the specified computer (servername) using the
username and password specified in the command. Then, the user can
use a resource (e.g. printer) to which that username has permissions.
There are a couple of downsides to this approach:

1. the username and password are in plain text in the command line,
thus exposing that user account to compromise
2. if there are other resources (e.g. file shares) on that server the
user needs to access with a different user account, that will most
likely not be possible becuase a given Windows session can only be
authenticated on the target server with one user account at at time;
the net use command causes authentication on the target computer, so
the user can not use a different user account to access a different
resource on that computer.

Bruce, you are awesome! Thanks so much for writing such a detailed and
clear response. It answers all of my questions.