Windows Server, Active Directory, and Printer Groups Not Working


  • Wednesday, February 27, 2013 10:12 PM
     
     

    Greetings.

    I am unable to restrict access to shared printers based on AD groups.  Here is what I am doing:

    1. Create shared printer on Windows Server.  (Yes, I have x32 and x64 drivers installed)
    2. For security reasons, enable print permissions for ONLY PrGroup1.
    3. Add UserA to PrGroup1.
    4. On client PC, Map printer as UserA.

    When I attempt to map the printer as the above user, I get "Access Denied" errors.  However, when I add UserA directly to the security permissions of the printer (outside of group), UserA's PC can map the printer without issue.

    Some more information about our setup:

    • There are several DCs on the network--1 at each site.
    • The primary DC is Microsoft Windows Server 2003 R2 Standard Edition (x32)
    • Most of the (6) slave DCs are Microsoft Windows Server 2008 R2 Standard (x64)
    • The primary DC does NOT host any printers, only slave DCs host printers
    • We will eventually be pushing these printers by Group Policy, but must have Security restrictions set up first (mandated by upper-mgmt)
    • There are a large number of users to set up, so access needs to be Group-specific, not User-specific

    Any help would be appreciated.  Thanks.

All Replies

  • Wednesday, February 27, 2013 10:55 PM
     
     Answered

    Hello Cypheros,
    You need to re-login before group membership has been applied. Or take a look at this Petri Forum post: "Refresh group membership without user relogin"

    There is a trick. Get klist.exe from Resource Kit and do:
    klist purge
    (delete all user tickets)

    After that try to access some network resource using FQDN and make sure the TGT has been refreshed using:
    klist tgt

    This will trigger TGT refresh (as opposed to renew), resulting in a new TGT being issued to the user and PAC portion of it containing the updated group membership.

    After that do "gpupdate /force".

    Give it a try.

    Bye,
    Luca


    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Edited by Luca Fabbri Wednesday, February 27, 2013 10:56 PM
    • Marked As Answer by Cypheros Thursday, February 28, 2013 3:56 PM
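
A check for the situation the answer describes, as an added example that is not part of the original thread: it compares the groups in the current logon token with the membership the directory reports for PrGroup1 (the group name from the question). It assumes a domain-joined client and that the name passed in is the group's sAMAccountName.

```powershell
# Added example, not from the thread. 'PrGroup1' is the group named in the question.
param([string]$GroupName = 'PrGroup1')

# 1. Group SIDs carried by the current logon token (built once, at sign-in).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# 2. Resolve the group name to its SID.
try {
    $account  = New-Object System.Security.Principal.NTAccount($GroupName)
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Cannot resolve '$GroupName' to a SID: $($_.Exception.Message)"
    return
}

# 3. Ask the directory whether the user is a member, directly or through nested
#    groups (1.2.840.113556.1.4.1941 is the LDAP "matching rule in chain" OID).
try {
    $user   = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))").FindOne()
    $userDn = [string]$user.Properties['distinguishedname'][0]
    # Escape characters that are special inside an LDAP filter value.
    $escapedDn = $userDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $filter = "(&(objectCategory=group)(sAMAccountName=$GroupName)(member:1.2.840.113556.1.4.1941:=$escapedDn))"
    $inDirectory = $null -ne ([adsisearcher]$filter).FindOne()
} catch {
    Write-Warning "Directory query failed: $($_.Exception.Message)"
    return
}

# 4. Compare the two views.
$inToken = $tokenSids -contains $groupSid
if ($inDirectory -and $inToken) {
    "'$GroupName' is in this session's token; group-based printer permissions should apply."
} elseif ($inDirectory) {
    "'$GroupName' membership exists in AD, but this session's token was built before it."
    "Sign out and back in, or refresh the Kerberos tickets with 'klist purge' as in the answer."
} else {
    "The domain controller queried does not list $env:USERNAME as a member of '$GroupName'."
}
```

Purging tickets changes what network servers see in newly issued tickets; the local token inspected in step 1 only changes at the next sign-in, so the second message can still appear after a successful `klist purge`.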
  • Thursday, February 28, 2013 4:46 PM
     
     

    Thank you, sir.