1

I have three servers.

  • Server 1 - Print Server, Windows Server 2008 Standard
  • Server 2 - Domain Controller, Windows Server 2008 R2 Standard
  • Server 3 - Terminal Services Server, Windows Server 2008 R2 Standard

On Server 1 I have 5 printers installed. All printers are TCP/IP printers. One printer should be restricted so that only members of a specified AD group are able to print to it. Therefore, in Print Management, in the Security tab for the restricted printer the AD Security Group RESTRICTED Printers - Authorized Domain Users is given the Print Allow permission. The default Everyone group which has the Print Allow permission has been removed.

The only member of the RESTRICTED Printers - Authorized Domain Users is Domain\TestAllowed.

All 5 printers are installed on Server 3 through a GPO on Server 2 which automatically adds the printers. This works correctly.

I then log in to Server 3 as Domain\TestProhibited and try to print to the restricted printer, and the page prints.

Why does the page print and what do I need to do to ensure that only members of RESTRICTED Printers - Authorized Domain Users are able to print to the restricted printer?

I have already read (and confirmed that I configured the ACL correctly) Microsoft's TechNet page on setting permissions for print servers.

I went so far as to explicitly deny the Print permission for Domain\TestProhibited on the restricted printer on Server 1. I logged out of Server 3, logged back in, and Domain\TestProhibited was still able to print to the restricted printer.

user5870571
  • 3,094
  • 2
  • 12
  • 35
  • Sounds like it's configured properly. Have you tried the Security tab for the RESTRICTED printer and checked the effective access of the test "Domain\TestProhibited" account? – Lex Feb 10 '16 at 19:30
  • Effective Permissions for the restricted printer shows Domain\TestProhibited has no permissions (print, manage, read, change, take ownership). – user5870571 Feb 10 '16 at 19:33
  • That seems fine. So, just going back to the basics if you don't mind. 1) What other memberships does TestProhibited have? 2) Based on the assumption that the above user is connected through the terminal server, how is it printing the test page (right-click, print test page)? Can you try an alternative method by opening applications like Notepad/Word to print, just to try more alternative methods? – Lex Feb 10 '16 at 19:42
  • Sure, Domain\TestProhibited is a member of the domain security groups RDP and Domain Users. Members of the domain security group RDP are authorized to login to Server 3. Domain\TestProhibited is able to print from any application (Word, Notepad, WordPad, Excel, etc.) to the restricted printer. – user5870571 Feb 10 '16 at 19:44
  • I am wondering if the terminal server/session has something to do with this. Do you think the print is redirected to the original machine where you initiate the RDP sessions with another account? "http://searchvirtualdesktop.techtarget.com/tip/Five-reasons-printer-redirection-causes-Windows-printing-problems-in-RDS". (Enabling the "Do not allow client printer redirection" policy) – Lex Feb 10 '16 at 20:07
  • In this case the original machine used to initiate the RDP session is a remote machine which connects to the network using VPN and then connects to the terminal server session via RDP. The restricted printer is connected to the same network as the terminal server and therefore there is no printer redirection from the original machine to the restricted printer occurring. – user5870571 Feb 10 '16 at 20:25

2 Answers

0

It seems that it is not enough to change the security permissions for the printer on the print server even though the printer is installed on the Terminal Services Server by shared printer name.

If I log into the Terminal Services Server I see that the security permissions for the printer do not get transferred when the printer is installed using group policy. After I logged into the Terminal Services Server and changed the security permissions for the printer, I logged out and logged back in and now the printer is correctly restricted.

user5870571
  • 3,094
  • 2
  • 12
  • 35
0

The important point about network printing in Windows is there are two objects for them: the port and the queue.

For your setup, on Server1 you're creating both a port and a queue, and you're setting the ACL for the queue. Then, on Server3 (through the GPO), for some reason, you're apparently creating a new queue using the port for Server1, instead of pointing to the queue on Server1. And as the queue is new, it's not getting the ACL from the queue on Server1!

curropar
  • 631
  • 3
  • 18
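Both answers come down to the same check: does the terminal server hold a *connection* to the shared queue on the print server (whose DACL the print server enforces), or has the GPO created a *local* queue on its own port, which carries a fresh DACL with Everyone allowed to print? The PowerShell below is an added example, not code from the question or either answer. It audits every queue on the server it runs on (Server 3 in the question) through WMI, which is available on Windows Server 2008 R2, classifies each as a connection or a local queue, and for local queues lists the DACL entries that grant or deny Print. It assumes an elevated session on the terminal server, that `Win32_Printer.GetSecurityDescriptor()` is permitted for the caller, and that the access-mask bits follow the documented `PRINTER_ACCESS_USE` (0x8, "Print") and `PRINTER_ACCESS_ADMINISTER` (0x4, "Manage this printer") values.

```powershell
# Added example (not from the original question or answers).
# Audits print queues on a server such as Server 3: connections to a shared
# queue have their ACL enforced by the print server; local queues carry their
# own DACL, which is what a GPO-created queue on a TCP/IP port ends up with.
# Assumptions: run elevated on the terminal server; Windows Server 2008 R2+.

$PRINTER_ACCESS_ADMINISTER = 0x4   # "Manage this printer" (documented value)
$PRINTER_ACCESS_USE        = 0x8   # "Print" (documented value)

function Get-PrintQueueAudit {
    param([string]$ComputerName = '.')

    Get-WmiObject -Class Win32_Printer -ComputerName $ComputerName | ForEach-Object {
        $printer = $_
        # A \\server\share name with Network=True is a connection to a queue
        # hosted on the print server; that server's DACL decides who can print.
        $isConnection = $printer.Network -and $printer.Name -like '\\*'

        $aces = @()
        if (-not $isConnection) {
            # Local queue: read its own DACL, which is independent of Server 1.
            $sd = $printer.GetSecurityDescriptor()
            if ($sd.ReturnValue -eq 0 -and $sd.Descriptor.DACL) {
                foreach ($ace in $sd.Descriptor.DACL) {
                    $trustee = if ($ace.Trustee.Domain) {
                        "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                    } else {
                        $ace.Trustee.Name
                    }
                    $aces += [pscustomobject]@{
                        Trustee = $trustee
                        Type    = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
                        Print   = [bool]($ace.AccessMask -band $PRINTER_ACCESS_USE)
                        Manage  = [bool]($ace.AccessMask -band $PRINTER_ACCESS_ADMINISTER)
                    }
                }
            }
        }

        [pscustomobject]@{
            Name             = $printer.Name
            Kind             = if ($isConnection) { 'Connection (ACL enforced on print server)' }
                               else { 'Local queue (own ACL)' }
            Port             = $printer.PortName
            # True when the local DACL still has the default Everyone/Print allow,
            # i.e. the restriction configured on the print server is not in effect here.
            EveryoneCanPrint = [bool]($aces | Where-Object {
                                   $_.Trustee -eq 'Everyone' -and $_.Type -eq 'Allow' -and $_.Print })
            Aces             = $aces
        }
    }
}

# Usage: list the local queues that still let Everyone print. Any restricted
# printer that shows up here was deployed as a new local queue rather than as
# a connection to the shared queue, which is the situation the question describes.
Get-PrintQueueAudit |
    Where-Object { $_.Kind -like 'Local*' -and $_.EveryoneCanPrint } |
    Format-Table Name, Port, EveryoneCanPrint -AutoSize

# To see the full DACL of one queue (for example a restricted printer):
# (Get-PrintQueueAudit | Where-Object Name -eq 'RestrictedPrinter').Aces | Format-Table
```

If a restricted printer appears as a local queue with `EveryoneCanPrint` set, the fix is the one the accepted answer reached: either deploy the printer as a connection to `\\Server1\<share>` so the print server's DACL applies, or set the same DACL on the local queue on the terminal server. Re-run the audit afterwards to confirm the queue no longer lists an Everyone/Print allow entry.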