| Author | Messages | |
neilruston
Posts:155
 | | 04/22/2008 10:20 AM |
| A colleague has asked me if we can lock down the ability for users to publish printers in AD.
Given that the printers exist as child printQueue objects beneath the corresponding computer object, I'm assuming we'd need to control who has access to manipulate the computer object.
What permissions are required on a computer object in order that a user may publish a printer attached to that computer?
Any ideas?
Thanks, neil
Barclays Wealth is the wealth management division of Barclays Bank PLC. This email may relate to or be sent from other members of the Barclays Group.
The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions. The Barclays Group does not normally accept or offer business instructions via internet email. Any action that you might take upon this message might be at your own risk.
This email and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this email in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this email or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this email may be monitored by the Barclays Group for operational or business reasons.
Any opinion or other information in this email or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.
Barclays Bank PLC is authorised and regulated by the Financial Services Authority.
| | | |
| bsonposh
Posts:171
 | | 04/22/2008 10:20 AM |
| There is a "Create/Delete Printer Object" permission; I would start by denying that.
Unknown Guy w/ Dean
On Tue, Apr 22, 2008 at 10:16 AM, <neil.ruston@barclayswealth.com> wrote:
| | | |
| neilruston
Posts:155
 | | 04/22/2008 10:35 AM |
| LOL.
I didn't look too hard I guess. Thanks.
neil
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brandon Shell Sent: 22 April 2008 15:20 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Rights required to publish printer in AD
| | | |
| msad
Posts:1
 | | 04/22/2008 2:04 PM |
| But who are you going to deny? That would depend on who is doing the actual publishing. My guess that would be the server, not the user. And denying the server is probably not what you want.
| | | |
| danholme
Posts:133
 | | 04/22/2008 2:14 PM |
| Don't deny. Just control who is allowed.
Keep in mind that (I'm 99% sure) it is the COMPUTER that publishes the printer when automatic publishing is enabled. So what you REALLY want to do is
1) Control who can SHARE printers (sharing → publishing by default)
2) OR turn off automatic printer publishing (Group Policy) and create printQueue objects manually (I recommend in a SEPARATE OU for manageability & delegation)
Dan
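Dan's two layouts can be told apart in the directory itself: the spooler's automatic publishing creates the printQueue beneath the computer object, while manually created queues live wherever the administrator put them, ideally a separate OU. The following inventory script is an added example, not code from the thread or from any of its posters. It uses System.DirectoryServices only, so it runs on a domain-joined Windows host without the RSAT module, and assumes read access to the domain partition; the `OU=Servers,DC=example,DC=com` DN at the bottom is a constructed placeholder.

```powershell
# Added example, not code from the thread or from any of its posters.
# Inventory every printQueue object and report where it lives: directly beneath
# a computer object (automatic publishing) or in a separate OU (manual creation).
# Assumes a domain-joined host with read access to the domain partition.

function Get-PublishedPrinterInventory {
    [CmdletBinding()]
    param(
        # DN to search under; defaults to the root of the current domain.
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = '(objectClass=printQueue)'
    $searcher.PageSize   = 1000      # paged search: large domains hold more than 1000 queues
    foreach ($attr in 'printerName', 'serverName', 'uNCName', 'whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        # Ask the directory for the parent rather than splitting the DN by hand,
        # so an RDN containing an escaped comma cannot confuse the parsing.
        $parent = $result.GetDirectoryEntry().Parent

        [pscustomobject]@{
            PrinterName   = [string]$result.Properties['printername'][0]
            PrintServer   = [string]$result.Properties['servername'][0]
            UncName       = [string]$result.Properties['uncname'][0]
            WhenCreated   = $result.Properties['whencreated'][0]
            ParentDN      = [string]$parent.Properties['distinguishedName'].Value
            ParentClass   = $parent.SchemaClassName
            # The spooler publishes beneath the computer object; anything else
            # was placed there by an administrator or a script.
            AutoPublished = ($parent.SchemaClassName -eq 'computer')
        }
    }
}

# Report auto-published queues whose computer object sits outside the servers
# branch, i.e. printers published from workstations. Constructed placeholder DN.
$ServersOu = 'OU=Servers,DC=example,DC=com'

Get-PublishedPrinterInventory |
    Where-Object { $_.AutoPublished -and $_.ParentDN -notlike "*,$ServersOu" } |
    Sort-Object PrintServer, PrinterName |
    Format-Table PrinterName, PrintServer, ParentDN -AutoSize
```

Run it before changing any policy: the `ParentClass` column shows how much of the estate is auto-published today, and the filtered report at the end lists exactly the workstation-published queues that a policy change would remove.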
| | | |
| bsonposh
Posts:171
 | | 04/22/2008 2:44 PM |
| The OP question was "lockdown the ability for user to publish printers in AD"; in this case you want to use Deny, as you don't want other permissions overriding it. (You do NOT, however, want to deny a group that would contain your Admins.)
I would deny the user(s), not the Computers, and disable Auto Publish. I don't believe the act of publishing is done in the context of the machine, but in the context of the user(s). Unless of course Auto Print Publishing is enabled. Haven't tested it.
Recommendations would be:
- Disable Auto Printer Publishing (as per Dan)
- Explicitly (setting Deny) specific user(s) for the Create Printer Object.
Or
- Implicitly (remove any rights) deny the specific users for the Create Printer Object. (IMO... This is less precise in intent, but effectively the same result)
Unknown Guy w/ Dean
On Tue, Apr 22, 2008 at 2:05 PM, Dan Holme <dan.holme@intelliem.com> wrote:
| | | |
| bsonposh
Posts:171
 | | 04/22/2008 2:54 PM |
| Perhaps I overthought this a bit... There is a GPO to stop this: "Allow Printers to be Published". This will remove the ability from the computer side... I suppose you could still do it via script, which modifying the permissions would resolve.
On Tue, Apr 22, 2008 at 2:44 PM, Brandon Shell <tshell@gmail.com> wrote:
| | | |
| listmail
Posts:463
 | | 04/22/2008 3:14 PM |
| In several companies I have seen this only as a problem with client OS machines... i.e. Bob with his XP machine publishes a printer. No one had an issue with servers publishing printers, it was workstations. So the solution there is to have server machine accounts segregated from client computer accounts and lock down creation of printer objects entirely in the client branches. Yes, this has to be taken away from the computer itself because that is what does the publishing, not the user.
If your problem is more some printers can be published on some clients and some on some servers, then your issue is entirely more complicated with fewer solutions available.
joe
The known guy that allowed Dean to be with him. [1]
[1] Little MVP summit humour here...
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
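As an added example (not code from the thread or from any of the posters), the following PowerShell inventory lists every printQueue object in the domain by the container of the computer it sits under, which is the quickest way to see whether it is workstations in the client branch that are doing the publishing, as joe describes. It needs the ActiveDirectory module; the OU distinguished name is an assumption, replace it with your own.

```powershell
# Added example (not from the thread): inventory published printers in AD and
# group them by the container of the computer they hang off. Requires the
# ActiveDirectory PowerShell module (RSAT) and read access to the domain.
# The OU DN below is an assumption; replace it with your own.
param(
    [string]$WorkstationOU = 'OU=Workstations,DC=example,DC=com'   # assumed
)
Import-Module ActiveDirectory

function Get-ParentDn([string]$Dn) {
    # Drop the first RDN. Escaped characters ("\,") are skipped, so a printer
    # name containing a comma does not split the DN in the wrong place.
    return $Dn -replace '^(?:\\.|[^,\\])+,', ''
}

# printQueue objects are always children of a computer object, so the parent
# of a queue is the publishing computer and the grandparent is its container.
$queues = Get-ADObject -LDAPFilter '(objectClass=printQueue)' `
    -Properties printerName, serverName, uNCName, whenCreated, whenChanged

$report = foreach ($q in $queues) {
    $computerDn = Get-ParentDn $q.DistinguishedName
    [pscustomobject]@{
        Printer        = $q.printerName
        UNC            = $q.uNCName
        HostingServer  = $q.serverName
        Computer       = $computerDn
        Container      = Get-ParentDn $computerDn
        # A queue under a computer in the client branch is exactly the case
        # in the thread: a client OS machine publishing its shared printer.
        InClientBranch = $computerDn -like "*,$WorkstationOU"
        Published      = $q.whenCreated
        LastRefreshed  = $q.whenChanged   # the spooler re-publishes periodically
    }
}

# Per-container counts first, then the individual queues in the client branch.
$report | Group-Object Container | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object InClientBranch | Sort-Object Published | Format-Table -AutoSize
```

Run it before changing any GPO or ACL: the per-container counts tell you whether the problem is confined to the workstation branch (joe's simple case) or whether servers and clients are mixed, which is the harder case he mentions.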
| bsonposh
Posts:171
 | | 04/22/2008 3:30 PM |
| Agree w/ Joe
Unknown Guy w/ Dean [1] (and temporarily allowed to be with joe [2])
[1] Cost Money
[2] Charity
| | | |
| danholme
Posts:133
 | | 04/22/2008 3:35 PM |
| It's not that complicated! Turn off auto printer publishing on a GPO scoped to the machines you are concerned about (i.e. the workstations). I'm *VERY* confident it's done in the security context of the system b/c it's "refreshed" automatically - not just at initial sharing - so it has nothing to do with the user (except that the user has admin privileges on their machine :( allowing them to share a printer in the first place).
| | | |
| bdesmond
Posts:374
 | | 04/22/2008 3:40 PM |
| The publishing runs in the context of the spooler service so I would expect it's the machine account doing it.
--brian
-- Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| bsonposh
Posts:171
 | | 04/22/2008 3:45 PM |
| Dan, Not sure anyone disagrees with you. I was a little unclear as to the context when spawned by a user (meaning the auto was turned OFF) but that has been clarified. Deranged PowerShell Zealot [1] (formally known as "Unknown Guy w/ Dean")
[1] Compliments of Laura
| | | |
| neilruston
Posts:155
 | | 04/23/2008 3:52 AM |
| Many thanks for the (as usual) great feedback!
I like the idea of stopping the auto publish of shared printers. I guess we can then manually publish those that need to be published.
Food for thought.
Thanks again, neil
| | | |
| listmail
Posts:463
 | | 04/23/2008 10:10 AM |
| Turning that off doesn't "lockdown the ability for user to publish printers in AD".
It just stops the automatic occurrence of that happening.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
| | | |
| bsonposh
Posts:171
 | | 04/23/2008 10:20 AM |
| If mod'ing the AD permission is not a good solution wouldn't using "Allow Printers to be Published" set to disabled be the next best thing?
| | | |
| listmail
Posts:463
 | | 04/23/2008 11:31 AM |
| Depends on what the real goal is.
If the goal is actually "lockdown the ability for user to publish printers in AD" then the answer is no. If the goal is to make it so printers don't automatically pop up in the directory, then yes.
Disabling auto publishing isn't locking anything down, it is preventing a certain automatic function from occurring sort of like the reg key you can set to prevent computers from changing their passwords. Lockdown has a very specific meaning in the context of security. It doesn't mean prevent this one method, it means prevent period.
For example, say you don't want people creating users. Is it enough to prevent ADUC from displaying user as an object type they can instantiate? Strictly speaking no, there are an unlimited number of other ways to go about the work. If the idea is simply I don't want people creating users in ADUC, sure it is enough.
Microsoft is actually semi-famous for doing security like that. Go back to UMfD and look at the administrators group as a normal user. You couldn't do it, but if you knew how to use net localgroup or had some other tool that used the API for displaying local groups you could totally see the membership. They did it again with hidden computer accounts, or if you were bright, hidden user accounts in NT4: you append a $ and the GUI won't display them. We saw that in Exchange 2000+ as well; everyone was running around thinking you needed at least Exchange View rights to mailbox-enable a user when in fact all you needed was the ability to write two attributes on a user object. You could drop me in an environment where I have no Exchange rights but have rights to edit or create users and I expect I can make your Exchange system run very poorly.
If the goal is to truly stop users from creating printer objects, unchecking that check box does nothing to prevent that. I could sit down at a workstation and create hundreds of thousands of printer objects unless there was something else put into place to stop me.
joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brandon Shell
Sent: Wednesday, April 23, 2008 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Rights required to publish printer in AD
If mod'ing the AD permission is not a good solution wouldn't using "Allow Printers to be Published" set to disabled be the next best thing?
On Wed, Apr 23, 2008 at 10:08 AM, joe <listmail@joeware.net> wrote:
Turning that off doesn't "lockdown the ability for user to publish printers in AD".
It just stops the automatic occurrence of that happening.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Tuesday, April 22, 2008 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rights required to publish printer in AD
It's not that complicated! Turn off auto printer publishing on a GPO scoped to the machines you are concerned about (i.e. the workstations). I'm *VERY* confident it's done in the security context of the system b/c it's "refreshed" automatically - not just at initial sharing - so it has nothing to do with the user (except that the user has admin privileges on their machine, allowing them to share a printer in the first place).
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brandon Shell
Sent: Tuesday, April 22, 2008 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Rights required to publish printer in AD
Agree w/ Joe
Unknown Guy w/ Dean [1] (and temporarily allowed to be with joe [2])
[1] Cost Money
[2] Charity
On Tue, Apr 22, 2008 at 3:10 PM, joe <listmail@joeware.net> wrote:
In several companies I have seen this only as a problem with client OS machines... I.E. Bob with his XP machine publishes a printer. No one had an issue with servers publishing printers, it was workstations. So the solution there is to have server machine accounts segregated from client computer accounts and lock down creation of printer objects entirely in the client branches. Yes this has to be taken away from the computer itself because that is what does the publishing, not the user.
If your problem is more some printers can be published on some clients and some on some servers, then your issue is entirely more complicated with fewer solutions available.
joe
The known guy that allowed Dean to be with him. [1]
[1] Little MVP summit humour here...
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of neil.ruston@barclayswealth.com
Sent: Tuesday, April 22, 2008 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rights required to publish printer in AD
A colleague has asked me if we can lockdown the ability for user to publish printers in AD.
Given that the printers exist as child printQueue objects beneath the corresponding computer object, I'm assuming we'd need to control who has access to manipulate the computer object.
What permissions are required on a computer object in order that a user may publish a printer attached to that computer?
Any ideas?
Thanks, neil
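Joe's point is that the computer account, not the user, creates the printQueue child object, so a real lockdown means checking (and removing) the Create-Child right for printQueue on the computer objects in the workstation branch. The audit below is an added example, not code from the thread or from any of its posters; it assumes the ActiveDirectory module (RSAT) is available and that OU=Workstations,DC=example,DC=com is a placeholder for your own client OU.

```powershell
# Added example: list every trustee that may create printQueue child objects
# beneath the computer objects in a workstation OU, so you can see whether the
# GPO "Allow Printers to be Published" is the only thing standing in the way.
# Requires the ActiveDirectory module; $WorkstationOU is an assumed placeholder.
Import-Module ActiveDirectory

$WorkstationOU = 'OU=Workstations,DC=example,DC=com'   # placeholder, replace

# Resolve the schemaIDGUID of the printQueue class from the schema instead of
# hardcoding it, so the check is valid in any forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$printQueueClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=printQueue)' -Properties schemaIDGUID
$printQueueGuid = [guid]::new([byte[]]$printQueueClass.schemaIDGUID)

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$results = foreach ($c in Get-ADComputer -Filter * -SearchBase $WorkstationOU) {
    $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Keep only ACEs that carry the CreateChild bit (GenericAll includes it).
        if (($ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
        # An empty ObjectType means "all child classes"; otherwise it must be
        # the printQueue class to matter here.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $printQueueGuid) { continue }
        [pscustomobject]@{
            Computer  = $c.Name
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow or Deny
            Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'all child classes' } else { 'printQueue' }
            Inherited = $ace.IsInherited            # inherited from the OU, or set on the object
        }
    }
}

# Explicit Deny entries win over inherited Allow entries; an Allow for SELF or
# for the computer's own account is what lets the spooler publish.
$results | Sort-Object Computer, Type, Trustee | Format-Table -AutoSize
```

If the spooler's own computer account (SELF) shows an Allow for printQueue and no Deny, the GPO setting is the only control, which is exactly the "not a lockdown" case joe describes.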
| | | |
| bsonposh
Posts:171
 | | 04/23/2008 11:41 AM |
| I am not talking about the auto creation... I am talking about the "Allow Printers to be Published"
"Determines whether the computer's shared printers can be published in Active Directory. If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. Note: This setting takes priority over the setting "Automatically publish new printers in the Active Directory"."
But... I do agree with you. If the goal is TRULY lockdown then mod'ing AD Permission is the only solution.
If security by obscurity is acceptable then setting "Allow Printers to be Published" to Disabled would be effective.
On Wed, Apr 23, 2008 at 11:26 AM, joe <listmail@joeware.net> wrote:
| | | |
| listmail
Posts:463
 | |
|