none
Managing local printer user permissions via GP RRS feed

  • Question

  • Hello there,

    Hopefully I have the right forum.  I have created a policy to create printers on a number of remote workstations based on ip address of the workstation.  The policy creates a local TCP/IP port for the computer and then pulls the driver for the printer off a print server, all print jobs are sent across the TCP/IP port.

    That part works very well.  The problem I have is that the printer object itself on the target computer has very limited rights as far as the users are concerned.  The have the ability to print and that is all.  Is there a way to set permissions via GP so they have the Manage Documents and Manage This Printer Role on the local printer?  I have no concern if they change drivers (etc) as any issues they cause would be erased by the next logon and GP is reapplied, however they need the ability to control print jobs and set printer preferences.

    I had posted in other forums and was pushed towards using server based print queue printing and set the permissions on the printer object.  The way this is set up is to automatically install a printer in a remote office based on the subnet.  A local port is created on the computer in order to transfer the print jobs across the LAN rather than having them transfer the data across the WAN to a remote print server.

    The clients are a mix of Win7 and WinXP, however we will be migrating to a pure 7 environment before the end of the year.

    Thanks in advance,

    John

    Wednesday, March 21, 2012 1:27 PM

Answers

  •  
    > That part works very well.  The problem I have is that the printer
    > object itself on the target computer has very limited rights as far as
    > the users are concerned.  The have the ability to print and that is
    > all.  Is there a way to set permissions via GP so they have the Manage
    > Documents and Manage This Printer Role on the local printer?  I have
    > no concern if they change drivers (etc) as any issues they cause would
    > be erased by the next logon and GP is reapplied, however they need the
    > ability to control print jobs and set printer preferences.
     
    Your idea is ok, but the Printers GPP is very limitet. Unfortunately,
    the answer is "no". I'm unaware of a non-scripting solution to this.
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Wednesday, March 21, 2012 8:40 PM

All replies

  •  
    > That part works very well.  The problem I have is that the printer
    > object itself on the target computer has very limited rights as far as
    > the users are concerned.  The have the ability to print and that is
    > all.  Is there a way to set permissions via GP so they have the Manage
    > Documents and Manage This Printer Role on the local printer?  I have
    > no concern if they change drivers (etc) as any issues they cause would
    > be erased by the next logon and GP is reapplied, however they need the
    > ability to control print jobs and set printer preferences.
     
    Your idea is ok, but the Printers GPP is very limitet. Unfortunately,
    the answer is "no". I'm unaware of a non-scripting solution to this.
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Wednesday, March 21, 2012 8:40 PM
  • I was looking for a way to change permissions on a local printer via GPO and found your post. The way I have finally done it is to set the desired permissions on the printer on one client. You can then get the Security value for this printer from the registry which then be pushed out using group policy preferences. The value you need is:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\<PRINTER NAME>\Security

    Hope this helps,

    Scott.

    Wednesday, August 8, 2012 1:14 AM
  • John,

    Did you ever find a solution to this? I am working with the same issue.

    Thanks,
    Mike

    Friday, July 10, 2015 7:02 PM
  • Nope - gave up.
    Friday, July 10, 2015 8:39 PM
  • So mr knights solution does work. I thought it wasnt working but i needed to restart, just doing a gpupdate was not enough.

    It also requires that the printer on each computer is named exactly the same. Not a problem for us, as the 8 computers i want to do this too, all have the same exact model of local printer. But thats a pretty big gotcha for this method in terms of scalability.

    i was only able to find another method using a script. There appears to be no built in way to do this. Cant add to "print operators" because the group does not exist locally, and the printers are not shared at all.

    The script method for anyone else who this may work better for: https://community.spiceworks.com/topic/537203-group-policy-manage-locally-installed-printers-for-all-users?page=1

    The spiceworks script solution doesnt work for me because i dont want them to have this right on ALL printers ( just a specific one), i want to do it by machine not user, i hate logon scripts, and  because i only want them to have this right on certain very specific computers with a local printer, not any computer they log onto.

    The other solution would be to just manually set this checkbox if you have a small number of computers. I was going to do that, but i would have to remember to do it going forward anytime the machine is reimaged. This solves the problem nicely, albeit hackily. Nicely would be if it supported doing this out of the box. Plenty of people probably have a local printer that is unmanged by the IT department, in terms of permissions to queues.

    Monday, October 1, 2018 6:48 PM