Subject: RE: [ActiveDir] Granting Full Control to Printers
danholme

05/03/2008 4:49 PM  
This thread seems to have gone stale without an answer... sorry if I
missed something, but here's a take on it.



The ACL of the printer (printQueue) object in AD has ZERO NADA NOTHING
to do with the management of printer (queue) that is created on the
Windows system that sends a job to a print device (hardware).



The relationship is as follows:

Permissions on printQueue (printer) object in AD
determine who can modify its attributes. printQueue attributes are used
primarily to help clients locate printers using the Find Printers (in
Directory) features (e.g. in the Add New Printer Wizard or Search
functions).

The computer on which the printer (queue) is created
will, by default, create the printQueue object as a child object of the
computer object in AD, and by doing so will get permissions to update
its attributes. That's how the printer gets "published" and attributes
get propagated to the printQueue object from the Win32_Printer
attributes. It's a one way "push" of attributes from the computer
(print server) to AD.

You can redelegate permissions in AD to determine who
can create child Printer objects and who can update the attributes of
the object.



From a "printer management" perspective, what you are typically needing
to manage is the MANAGE PRINTER permission of the printer (queue) itself
on the computer (print server). That's what will allow admins to clear
queues, etc.

The MANAGE PRINTER permission is given to Print Operators and similar
built-in administrative groups by default (open a printer ACL to see).
Just create a custom (domain, preferably) group and assign that
permission to them.

Yes, it means you'll have to tweak the printer ACL of each printer you
add to a computer. PROVISION IT with a script.



HTH



Dan





From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers
Sent: Wednesday, April 30, 2008 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting Full Control to Printers



I've been working on naming standards recently and have been browsing
the MSDN Library to narrow down the correct attribute names for various
things.

In examining the AD printer-queue class I came to the assumption that some
of the attributes must be simply inherited from the W32_Printer class.



So to throw in another on topic question . . . . . . . . :-)



Do I take from the Update Privilege listed in
http://msdn.microsoft.com/en-us/library/ms683911(VS.85).aspx that anyone
can overwrite the attributes as inherited from the printer object?



I ask not because I'm worried about tampering but I need to mandate what
and where things are named.





________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, 1 May 2008 5:33 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Granting Full Control to Printers

AFAIK the ACL on printQueue objects in AD has nothing to do with control
over the actual print queue on the server. You'd need to ACL the
printers on the servers accordingly.



--brian

On Wed, Apr 30, 2008 at 1:01 PM, Mike Tharp
<Mike_Tharp@hermanmiller.com> wrote:


I have a geographically large infrastructure to manage with multiple
locations that have printers. Those locations are split into OUs and the
printers are in the OU for that location. The problem I am having is
that I granted the IT admins in those sites Full Control for Descendent
printer objects in AD so they could clear the print queues and manage
the printer; however, they get an error that says they are not authorized
when they try.
I don't want to use the Print Operators group for the remote locations
because that would give them access to all the printers. Does anyone
know if there is another permission I have to assign to give them access
to the printers in the OU they manage?




--
Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132
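
Dan's advice above to provision the MANAGE PRINTER permission with a script, as an added example that is not part of the original thread. It assumes the PrintManagement cmdlets (Windows Server 2012 or later) and uses placeholder server, group and location values; it edits the ACL of each print queue on the print server, not the printQueue object in AD.

```powershell
# Added example: grant one site's admin group "Manage Printers" on the print
# queues of one print server. Server, group and location values are placeholders.
param(
    [string]$PrintServer    = 'PRINTSRV01',                  # placeholder
    [string]$Group          = 'CONTOSO\Site1-PrinterAdmins', # placeholder
    [string]$LocationFilter = 'Site1*',                      # placeholder
    [switch]$Apply                                           # omit for a dry run
)

# PRINTER_ALL_ACCESS: STANDARD_RIGHTS_REQUIRED | PRINTER_ACCESS_ADMINISTER | PRINTER_ACCESS_USE
$ManagePrinter = 0x000F000C
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
        [System.Security.Principal.SecurityIdentifier])

$printers = Get-Printer -ComputerName $PrintServer |
    Where-Object { $_.Location -like $LocationFilter }

foreach ($p in $printers) {
    # -Full is required for PermissionSDDL to be populated.
    $sddl = (Get-Printer -ComputerName $PrintServer -Name $p.Name -Full).PermissionSDDL
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    # Skip queues where the group already holds the right on the printer itself.
    $existing = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq 'AccessAllowed' -and
        $_.SecurityIdentifier -eq $sid -and
        ($_.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly) -eq 0 -and
        ($_.AccessMask -band $ManagePrinter) -eq $ManagePrinter
    }
    if ($existing) { Write-Output "$($p.Name): already granted"; continue }

    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $ManagePrinter, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

    if ($Apply) {
        Set-Printer -ComputerName $PrintServer -Name $p.Name -PermissionSDDL $newSddl
        Write-Output "$($p.Name): granted Manage Printers to $Group"
    } else {
        Write-Output "$($p.Name): would set $newSddl"
    }
}
```

Run it without `-Apply` first and review the SDDL it reports for each queue; the existing ACEs are preserved and the new one is appended, so the group's access stays limited to the queues matched by the location filter.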
