Wednesday, February 27, 2013 10:12 PM
I am unable to restrict access to shared printers based on AD groups. Here is what I am doing:
- Create shared printer on Windows Server. (Yes, I have x32 and x64 drivers installed)
- For security reasons, enable print permissions for ONLY PrGroup1.
- Add UserA to PrGroup1.
- On client PC, Map printer as UserA.
When I attempt to map the printer as the above user, I get "Access Denied" errors. However, when I add UserA directly to the security permissions of the printer (outside of group), UserA's PC can map the printer without issue.
Some more information about our setup:
- There are several DCs on the network--1 at each site.
- The primary DC is Microsoft Windows Server 2003 R2 Standard Edition (x32)
- Most of the (6) slave DCs are Microsoft Windows Server 2008 R2 Standard (x64)
- The primary DC does NOT host any printers, only slave DCs host printers
- We will eventually be pushing these printers by Group Policy, but must have Security restrictions setup first (mandated by upper-mgmt)
- There are a large number of users to setup, so access needs to be Group-specific, not User-specific
Any help would be appreciated. Thanks.
Wednesday, February 27, 2013 10:55 PM
Hello Cypheros,There is a trick. Get klist.exe from Resource Kit and do:
you need to re-login before group membership has been applied. Or take a look at this Petri Forum post Refresh group membership without user relogin:
(delete all user tickets)
After that try to access some network resource using FQDN and make sure the TGT has been refreshed using:
This will trigger TGT refresh (as apposed to renew), resulting in a new TGT being issued to the user and PAC portion of it containing the updated group membership.
After that do "gpupdate /force
Give it a try.
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Thursday, February 28, 2013 4:46 PM
Thank you, sir.