Restricting Printing to Specific Workstations?


Jolly Roger

Dear Colleagues:



I have a Windows 2000 Active Directory enabled domain. We have a color
laser printer in one of our offices that is shared by default for everyone
in the domain. Although it is not listed in active directory, some
enterprising users have discovered that if they simply backslash into the
print server, they can install the printer.



My goal here is to be able to restrict this shared resource so that only
certain computers can print to it. I have tried to do this by removing the
"everyone" group and adding specific machine names, however, the results are
the same. If the machine is added or not, removing the everyone group
affects this.



Next I am going to try to have everyone added, but also add the machine
names to see if this has the desired effect. Once again, my goal is that
only certain workstations can print to this device.



Any advice would be greatly appreciated,



Regards,



Roger
 
Jolly Roger said:
Next I am going to try to have everyone added, but also add the machine
names to see if this has the desired effect. Once again, my goal is
that only certain workstations can print to this device.

You could try an IPSec policy so that it will only accept print packets from
particular IP addresses.
 
Create a Group for the printer.
Grant the Group permissions in the actual Share for the printer
Add users to the Group.

NTFS and Share-level permissions still exist for a reason. Active Directory
isn't the answer to everything.
 
You need to keep in mind that the user is doing the printing, not the
machine. You would more likely want to restrict it (or enable) by user
(upper management, sales, etc.). If in your situation, I would create a
domain security group and add those users I want to be able to print to the
printer. Edit the security ACL on the printer (from the print server),
remove Everyone, and add in the "Printing Security Group" to Allow Print. I
would leave CREATOR OWNER checked with Manage Documents (this way user1
doesn't delete user2's documents from printing). Leave administrators,
print operators and server operators (were those there by default on mine?)
with their default permissions.

Good luck on securing your color printer... always fun to watch the users
try to print, and buzzzzzzzzzzzz nope! can't! Sorry Charlie!

Ken
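The ACL layout Ken describes can be checked mechanically once the printer's security descriptor is available as an SDDL string. The following is an added example, not part of the original posts; the group SID and both SDDL strings are constructed samples, and the function names are hypothetical.

```python
import re

# Access bits from winspool.h; SDDL has no printer aliases, so they appear as DS codes.
PRINTER_ACCESS_USE = 0x8        # "Print" (SDDL code SW)
JOB_ACCESS_ADMINISTER = 0x10    # part of "Manage Documents" (SDDL code RP)
GENERIC_ANY = 0xF0000000        # GA/GR/GW/GX; treated here as including Print
SDDL_RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
               "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
               "GW": 0x40000000, "GR": 0x80000000}
# SDDL aliases that cover (nearly) every account in the domain.
BROAD = {"WD", "AU", "BU", "DU"}  # Everyone, Authenticated Users, Users, Domain Users

def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, trustee)] for each ACE in the DACL."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:
            mask = 0
            for code in re.findall("..", rights):
                mask |= SDDL_RIGHTS[code]
        aces.append((ace_type, set(re.findall("..", flags)), mask, trustee))
    return aces

def audit_printer_acl(sddl, print_group_sid):
    """Report deviations from: no broad Print, group has Print, CO manages own jobs."""
    findings, group_ok, owner_ok = [], False, False
    for ace_type, flags, mask, trustee in parse_dacl(sddl):
        if ace_type != "A":          # only allow ACEs are evaluated in this sketch
            continue
        if "IO" in flags:            # inherit-only: applies to print jobs, not the printer
            owner_ok |= trustee == "CO" and bool(mask & JOB_ACCESS_ADMINISTER)
        elif mask & (PRINTER_ACCESS_USE | GENERIC_ANY):
            if trustee in BROAD:
                findings.append(f"broad trustee {trustee} is allowed to print")
            group_ok |= trustee == print_group_sid
    if not group_ok:
        findings.append("print group has no Print ACE")
    if not owner_ok:
        findings.append("CREATOR OWNER lacks Manage Documents on jobs")
    return findings

# Constructed samples: a default-style printer ACL and the same ACL after the change.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DEFAULT_ACL = ("O:BAG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)"
               "(A;;SWRC;;;WD)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)")
HARDENED_ACL = DEFAULT_ACL.replace("(A;;SWRC;;;WD)", f"(A;;SWRC;;;{GROUP_SID})")
```

An empty list from `audit_printer_acl` means the descriptor matches the layout; the check is against user and group trustees, which is the level at which the print ACL is evaluated.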
 
Thanks all. Some good ideas.

Yes, I know that AD is not the answer to everything, however, in this case,
the problem is that we have a group of computers that we want to designate
as being able to print to a particular color laser printer, not the users.

Actually, the users can print to their heart's desire if they are sitting at
certain computers, but when they are a quarter mile away and send a sixty
page color print job, people who are legitimately here in the area
designated as such get a wee bit pissed off. Also, in terms of the IP
address restrictions using IPSEC, the problem there is that the computers
have dynamically assigned IP addresses, not static ones.

Any other suggestions?

Roger
 
Use reservations in DHCP.


 
Jolly Roger said:

Also, in terms of
the IP address restrictions using IPSEC, the problem there is that the
computers have dynamically assigned IP addresses, not static ones.


You can apply IPSec using either an IP Address or a DNS hostname. Just
specify the hostname of the computers you want to allow as the source.
 