none
Access denied creating local port (Server 2012 only) RRS feed

  • Question

  • This is a domain network. All computers are domain members.

    Windows 7 pro workstations currently have local ports connected to shared printers on a windows 2003 R2 server

    I am replacing the 2003R2 server with a 2012 server.

    when I try to create local ports mapped to the new server I get access denied error unless I am logged onto the workstation as a domain administrator

    I need regular domain users to be able to access these ports. (they are local administrators on their workstations, but no admin rights at the server level)

    This only seems to be a problem with server 2012, as I have no problem connecting to server 2008r2 either. 

    Is there something different I need to do for server 2012?

    Friday, April 12, 2013 4:39 PM

Answers

  • I worked on it some over the weekend from home, and I think I've found a workable solution.  I found that adding the users to the print operators group did the trick. The server is a DC so I had to do it thru AD.  Not exactly what I wanted, but an acceptable fix. Thanks for the help. --Mike
    Monday, April 15, 2013 12:11 PM

All replies

  • Suggest using a GPO (with policy preferences) to deploy the printers instead of creating local ports on each workstation.  If you have to do it manually on a workstation, suggest using the Standard TCP/IP port instead of a local port when pointing the workstations to the print server.
    Friday, April 12, 2013 5:20 PM
  • Thanks for the reply.

    Ubfortunately, I have to use local ports.

    For one, not all of the printers I connect to are use IP

    Second, and more importantly, I have the same issue when I try to map LPT ports to them using "net use". We have a LOB application central to our operations that requires using LPT ports, bypassing windows printer drivers. (Generic/Text don't even work)  The net use command succeeds, but there is an access denied error if I actually send anything to the mapped LPT.

    I am assuming (yeah I know about assuming) that the LPT mapping problem and the local port problem have the same root cause.  I posted about the local port problem mainly because I thought it would be a more common issue that someone might have seen before.

    Thanks again for the advice. Any further thoughts?

    Regards,

    Mike

    Saturday, April 13, 2013 3:16 PM
  • LPT mapping typically will not work unless the command session is running with elevated privledge.  Use LPT2: or LPT3: for mapping when the OS is greater than XP.  There were some security changes after Vista where a standard user could no longer map to real device ports.

    Most likely this is an authentication issue when using SMB2/3 rather than SMB1.  Is there a way to force only SMB1 to the 2012 machine? 

    It may have something to do with kerberos authentication as well. 


    Alan Morris Windows Printing Team

    Sunday, April 14, 2013 11:41 PM
    Answerer
  • I worked on it some over the weekend from home, and I think I've found a workable solution.  I found that adding the users to the print operators group did the trick. The server is a DC so I had to do it thru AD.  Not exactly what I wanted, but an acceptable fix. Thanks for the help. --Mike
    Monday, April 15, 2013 12:11 PM
  • The security policy on DCs is different than a standard server installation.  You will also find printing to shares using Type 4 drivers will fail with access denied.  You need to reset the ACLs on the spool directory back to the defaults.  DCPROMO makes several security modifications.


    Alan Morris Windows Printing Team

    Monday, April 15, 2013 8:24 PM
    Answerer