Print Spooler is Anonymous user & Dual print servers

  • Thread starter Thread starter 'FoR ReaLz' E. Balansay
  • Start date Start date
F

'FoR ReaLz' E. Balansay

Hi there,

We would like to *temporarly* redirect print jobs from our current NT
print server to a 2k3 print server.

The 2k3 has been 'hardened' by removing everyone/anonymous access to the
server (NTFS permissions & restrictAnonymous settings). Creating a new
printer port on NT to point to 2k3 succeeds and we can print fine from the
NT server.

However when printing from client machines, the NT server passes the print
job to the 2k3 spooler with an anonymous user logon. Since 'everyone' and
anonymous settings are not allowed on the Win2k3 box, the print job does
not reach 2k3 and hangs (on NT box). The 'print directly to printer' also
passes jobs anonymously.

(if we allow anonymous logon to the print device on the 2k3 box, the job
reaches the 2k3 spooler but errors out in the print queue)

Is there a method to pass jobs w/ an actual user account - besides the
anonymous user? I tried starting the 'print spooler' service w/ a user
account (that also has run as service rights) thinking that print jobs
might be passed w/ the user account, but have been unsuccessful at getting
the service to start w/another account besides the default.

Suggestions?
Thanks!
Edgardo
 
--------------------
From: "'FoR ReaLz' E. Balansay" <[email protected]>
Newsgroups:
microsoft.public.win2000.printing,microsoft.public.win2000.networking
Subject: Print Spooler is Anonymous user & Dual print servers
Date: Tue, 18 May 2004 09:23:20 -0700

Hi there,

We would like to *temporarly* redirect print jobs from our current NT
print server to a 2k3 print server.

The 2k3 has been 'hardened' by removing everyone/anonymous access to the
server (NTFS permissions & restrictAnonymous settings). Creating a new
printer port on NT to point to 2k3 succeeds and we can print fine from the
NT server.

However when printing from client machines, the NT server passes the print
job to the 2k3 spooler with an anonymous user logon. Since 'everyone' and
anonymous settings are not allowed on the Win2k3 box, the print job does
not reach 2k3 and hangs (on NT box). The 'print directly to printer' also
passes jobs anonymously.

(if we allow anonymous logon to the print device on the 2k3 box, the job
reaches the 2k3 spooler but errors out in the print queue)

Is there a method to pass jobs w/ an actual user account - besides the
anonymous user? I tried starting the 'print spooler' service w/ a user
account (that also has run as service rights) thinking that print jobs
might be passed w/ the user account, but have been unsuccessful at getting
the service to start w/another account besides the default.

Suggestions?
Thanks!
Edgardo
----------------

I believe that if you give SPOOLSS permissions for null access you may get
around your problem:
Add it to the NullSessionPipes multi-string value in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- This value allows the accounts therein to connect with a null session if
the RestrictNullSessionAccess is present (which it looks like from your
description)

Also, you could give the computer accounts in your network permissions to
access the Win2K3. This setting is mentioned in the following article:
Q326110: "Access Denied when attempting to view Print Queue from Windows
client"
support.microsoft.com/?id=326110

I haven't come across your particular situation, so please let me know if
any of this helps with your issue. Thanks.

--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
To prevent the spooler from hanging and continue to occasionally print
ANONYMOUS LOGON print jobs, you can restore the permissions on the Spool
folder, or restore the default setting on the RestrictAnonymous setting to 0
or 1.
 
Back
Top