5

Context: Win7 64-bit client, Windows Server 2003

I log into the server using MSTSC. The server is running Windows Server 2003, 32bit.

I call up the list of Printers and Faxes from the Start menu. I right-click on a printer on the server. I get told that I don't have the relevant privileges and that I can access only the Security tab.

The list on that tab says that Domain Admins have full rights. I'm in the Domain Admins group. However, I don't seem to have full rights.

The printer is a RICOH Aficio SP 4210N. Print Management says that 32bit and 64bit drivers are present.

Any idea why the rights are there, but the outworking of them isn't?

bugmagnet
  • Can you print to this printer? If the server is running 32-bit Windows, does the printer have a 64-bit driver installed on the server? – Skyhawk Apr 28 '12 at 17:04
  • Is your actual DOMAIN\Administrator account able to check the tabs? – Robin Gill Apr 28 '12 at 17:24
  • If you click `advanced` in the `security` tab, can you verify the owner is set? This sounds possibly like a corrupt ACL. May need to re-take ownership, and reset the ACL. – jscott May 02 '12 at 23:56
  • Can you log onto the server using the local admin account and administer the printer fine? – TheCleaner May 03 '12 at 19:17
  • @jscott: I think it highly likely that the ACL is damaged. This printer isn't the only one with the problem. – bugmagnet May 04 '12 at 02:26
  • Ricoh Aficio? Possibly unrelated, but I have seen scenarios on these printers where PCL6 drivers failed miserably and PCL5c drivers worked. – Skyhawk May 04 '12 at 03:30
  • @MilesErickson yes, I've noticed that too. – bugmagnet May 04 '12 at 06:53
  • @jscott: Please make your comment an "Answer" so I can give you the bounty. – bugmagnet May 04 '12 at 06:54

3 Answers

5

The description of your issue sounds like potential ACL corruption. In order to repair this, you would need to take ownership and correct the ACL.

Click on the "Advanced" button within the "Security" tab. In the next window, select "Owner" and select the desired user. The default owner is the local group %COMPUTERNAME%\Administrators. Click "OK".

This will correct the ownership; you will still need to correct the ACL to grant proper access for users.

We've had this issue following a BSOD on our print server. As we've hundreds of printer shares, correcting the owner/ACLs manually would have been... ...painful. The following batch file (sorry, our problem pre-dated PowerShell!) should help.

Dump a listing of the bare print share names into a file printers.txt, then run this. You'll need Helge Klein's excellent command line utility SetACL.

```
@ECHO OFF
REM Quoted assignment keeps trailing spaces out of the server name.
SET "PRNSRV=your_print_server_name"

REM "delims=" reads each whole line, so share names containing spaces survive.
FOR /F "usebackq delims=" %%P IN ("printers.txt") DO (

    ECHO Processing: %%P

    ECHO Taking ownership
    setacl -on "\\%PRNSRV%\%%P" -ot prn -actn setowner -ownr "n:Administrators"

    ECHO Clear ACL
    setacl -on "\\%PRNSRV%\%%P" -ot prn -actn clear -clr "dacl,sacl"

    ECHO Create default ACEs
    setacl -on "\\%PRNSRV%\%%P" -ot prn -actn ace -ace "n:Administrators;p:full"
    setacl -on "\\%PRNSRV%\%%P" -ot prn -actn ace -ace "n:CREATOR OWNER;p:man_docs"
    setacl -on "\\%PRNSRV%\%%P" -ot prn -actn ace -ace "n:Everyone;p:print"
    setacl -on "\\%PRNSRV%\%%P" -ot prn -actn ace -ace "n:Power Users;p:full"

)
```
jscott
2

Check whether the local Administrators group still includes Domain Admins. If it does not, log in as the local Administrator and re-add the group.

Skyhawk
quux
1

The security on the printer has been changed, and your current account can't read the object. Try another account, or change the ownership to Administrators and then set the security the way you want it.

Garrett