Managing Printer Permissions

By default, everyone with access to the network can print to a shared printer. This means any user with a domain account or any user logged on as a guest can print to any available printer. Because this isn't always what is wanted, you might want to consider whether you need to restrict access to a printer. Restricting access to printers ensures that only those users with appropriate permissions can use a printer.

With specialty printers, such as those used for color or large-format printing, you'll find that restricting access to specific groups or individuals makes the most sense. But you might also want to restrict access to other types of printers as well. For example, you might not want everyone with network access to be able to print. Instead, you might want only users with valid domain accounts to be able to print. While you are configuring printer security, you might also want to configure printer auditing to track who is using printers and what they are doing.

Understanding Printer Permissions

Printer permissions set the maximum allowed access level for a printer. These permissions are applied whenever someone tries to print, whether the person is connected locally or remotely, and include both special and standard permissions.

Special permissions are assigned individually and include the following:

  • Read Permissions: Allows users to view permissions

  • Change Permissions: Allows users to change permissions

  • Take Ownership: Allows users to take ownership of a printer, its print jobs, or both

The standard printer permissions available are the following:

  • Print: With this permission, users can connect to a printer and submit documents for printing. They can also manage their own print jobs. If a user or group has Print permission, it also has the special permission called Read Permissions for any documents it prints.

  • Manage Printers: With this permission, users have complete control over a printer and can set printer permissions. This means they can share printers, change permissions, assign ownership, pause and restart printing, and change printer properties. If a user or group has the Manage Printers permission, it also has the special permissions called Read Permissions, Change Permissions, and Take Ownership for any documents on the printer.

  • Manage Documents: With this permission, users can manage individual print jobs. This allows them to pause, restart, resume, or cancel documents. It also allows them to change the order of documents in the queue. It doesn't, however, allow them to print, because this permission is assigned separately. If a user or group has Manage Documents permission, it also has the special permissions called Read Permissions, Change Permissions, and Take Ownership for the printer.

By default, the permissions on printers are assigned as shown in Table 29-1.

Table 29-1. Default Printer Permissions

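| Group            | Print | Manage Documents | Manage Printers |
|------------------|-------|------------------|-----------------|
| Creator Owner    |       | Yes              |                 |
| Everyone         | Yes   |                  |                 |
| Administrators   | Yes   | Yes              | Yes             |
| Power Users      | Yes   | Yes              | Yes             |
| Print Operators  | Yes   | Yes              | Yes             |
| Server Operators | Yes   | Yes              | Yes             |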

As you examine printer permissions, keep in mind that if a user is a member of a group that is granted printer permissions, the user also has those permissions and the permissions are cumulative. This means that if one group of which the user is a member has Print permission and another has Manage Printers permission, the user has both permissions. To override this behavior, you must specifically deny a permission.
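
The cumulative-allow and explicit-deny rule described above, worked through as an added example (not code from the original text). It assumes each standard permission is evaluated as an independent Allow/Deny check box and ignores the differing scopes of the implied special permissions; the group name "Contractors" is hypothetical.

```python
from dataclasses import dataclass

# Special permissions implied by each standard permission, as listed on this page
# (scope differences between printer and documents are not modelled here).
IMPLIED = {
    "Print": {"Read Permissions"},
    "Manage Documents": {"Read Permissions", "Change Permissions", "Take Ownership"},
    "Manage Printers": {"Read Permissions", "Change Permissions", "Take Ownership"},
}

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group name
    permission: str  # one of the keys of IMPLIED
    allow: bool      # True = Allow column, False = Deny column

def default_acl():
    """Allow entries matching Table 29-1."""
    full = ["Administrators", "Power Users", "Print Operators", "Server Operators"]
    acl = [Ace("Creator Owner", "Manage Documents", True),
           Ace("Everyone", "Print", True)]
    acl += [Ace(group, perm, True) for group in full for perm in IMPLIED]
    return acl

def effective(identities, acl):
    """Return (standard, special) permission sets for one user.

    identities: the user's own name plus every group the user belongs to.
    Allows accumulate across all matching entries; any matching deny removes
    that permission no matter how many groups allow it.
    """
    allowed = {a.permission for a in acl if a.allow and a.trustee in identities}
    denied = {a.permission for a in acl if not a.allow and a.trustee in identities}
    standard = allowed - denied
    special = set().union(*(IMPLIED[p] for p in standard))
    return standard, special

def broad_print_access(acl, broad=("Everyone",)):
    """Trustees from `broad` that are allowed to print: candidates to restrict."""
    return sorted({a.trustee for a in acl
                   if a.allow and a.permission == "Print" and a.trustee in broad})

if __name__ == "__main__":
    acl = default_acl() + [Ace("Contractors", "Print", False)]  # constructed deny
    print(effective({"Everyone"}, acl))                 # default guest-level access
    print(effective({"Everyone", "Contractors"}, acl))  # deny overrides the allow
    print(broad_print_access(acl))
```
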

Configuring Printer Permissions

To view or manage the permissions of a printer, right-click the printer in the Printers And Faxes folder, and then select Properties. In the Properties dialog box, select the Security tab, shown in Figure 29-22. You can now view the users and groups that have printer permissions and the type of permissions they have.

Figure 29-22. View or set printer permissions.

You can grant or deny printer permissions by following these steps:

  1. In Printers And Faxes, right-click the printer, and then select Properties. In the printer Properties dialog box, select the Security tab.

  2. In the Security tab, choose Add. This opens the Select Users, Computers, Or Groups dialog box, as shown in Figure 29-23.

    Figure 29-23. Specify the users or groups to add.

  3. The default location is the current domain. Click Locations to see a list of the available domains and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.

  4. Type the name of a user or group account in the selected or default domain, and then click Check Names. The options available depend on the number of matches found as follows:

    • When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.

    • When no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or click Locations to select a new location.

    • If multiple matches are found, select the name(s) you want to use, and then click OK.

  5. To add additional users or groups, type a semicolon (;), and then repeat this process.

  6. When you click OK, the users and groups are added to the Name list for the printer.

  7. Configure access permissions for each user and group added by selecting an account name and then allowing or denying access permissions. If a user or group should be granted access permissions, select the permission in the Allow column. If a user or group should be denied access permissions, select the permission in the Deny column.

    Note

    If you give a group a permission, such as Print, the related special permission, Read Permissions, is also granted. For this reason, you usually need not configure special permissions for printers.

  8. When you're finished, click OK.

Assigning Printer Ownership

The owner of a printer has permission to manage its documents. By default, the Administrators group is listed as the current owner of a printer and the printer's actual creator is listed as a person who can take ownership. Ownership can be taken or transferred in several ways. Any administrator can take ownership. Any user or group with the Take Ownership permission can take ownership. You can take ownership using the printer's Properties dialog box. Right-click the printer, and then select Properties. In the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking Advanced. Next, select the Owner tab, as shown in Figure 29-24.

Figure 29-24. Assigning printer ownership.

If you are an administrator or a current owner of a file or folder, you can grant permission to take ownership of the printer. Click Other Users Or Groups to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you, and you can click OK.

Auditing Printer Access

Auditing printer access can help you track who is accessing printers and what they are doing. You configure auditing policies on a per-printer basis. In Printers And Faxes, right-click the printer to be audited, and then select Properties. In the Properties dialog box, select the Security tab, and then click Advanced. In the Advanced Security Settings dialog box, select the Auditing tab, shown in Figure 29-25.

Figure 29-25. Specify to which users and groups auditing should apply.

Now use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit. When you click OK, you'll see the Auditing Entry For dialog box, shown in Figure 29-26.

Figure 29-26. Specify the actions to audit for the designated user, group, or computer.

The Apply Onto drop-down list box allows you to specify whether the actions should be audited for

  • This Printer Only

  • Documents Only

  • This Printer And Documents

After you make a selection, under Access, select the Successful or Failed options, or both, for each of the events you want to audit. The events you can audit are the same as the printer permissions discussed previously. Choose OK when you're finished. Repeat this process to audit other users, groups, or computers. Any time a printer that you've configured for auditing is accessed, the action is written to the system's security log, where it's stored for your review. The security log is accessible from Event Viewer.
