After you install printers on the print server, you'll need to set security, set various printer options, select the default printer and its options, and select the print server and its options. This section explains how to perform these tasks and more.
Some people don't think about security when setting up printers, but this can be an important factor to consider. For example, you might not want everyone to print to the five-dollar-a-page dye sublimation printer purchased for the art staff. At a more basic level, you probably don't want most users to modify printer properties or change the priorities of documents in the print queue.
Setting permissions for groups (and occasionally individual users) and auditing the actions users and groups perform is how you handle printer security, just like access to a computer. Configure users to belong to groups, and then give the groups the level of permissions appropriate for those users. Turn on auditing for individual users or groups so that the person responsible for managing audit logs can track user actions in connection with the printer.
You must use an account with Manage Printers permissions to view and change printer security settings.
Printers are Windows 2000 resources and thus can be protected like any other resource by Windows 2000 security features. Printers in Windows 2000 have owners and access control lists (ACLs), which specify the permissions each user or group has. The creator of the printer is automatically made the owner of the printer, and only users with sufficient permissions (Manage Printers) can take the ownership of the printer from the creator. A user or group has three levels of control permissions for a printer: Print, Manage Documents, and Manage Printers.
Macintosh clients assume that if a client can physically send a document to a printer, it implicitly has permission to do so. Therefore, a Macintosh client has no printer security.
Members of the Everyone group are granted the Print permission by default. Users or groups with Print permission can connect to the printer and print documents. The Creator/Owner is granted the Manage Documents permission level by default. This means that the user who initiates a print job can pause, restart, and delete that job from the print queue. Separating the Creator/Owner permission from the Print permission allows permission to print to be widely granted while restricting users to managing only their own documents.
For additional security, you can remove the Print permission from the Everyone group and instead assign it to the built-in Users group. This permits only authenticated users to print.
The Manage Printers permission level is the Windows 2000 equivalent of Full Control permission in Windows NT. This level is granted by default to power users, print operators, and server operators on a domain controller and to administrators on a server. In addition to the Print and Manage Documents permissions, the Manage Printers permission level adds the ability to set printer sharing, modify printer properties, delete printers, change printer permissions, and take ownership of printers.
You should configure a printer according to the same guidelines you would follow for any shared resource. Create a local group with Print permissions, give it a name that matches the printer name, and then add global groups to the local group. If security isn't an issue, give Manage Documents or Manage Printers permission to the local group. For more on groups, see Chapter 9.
To change the permissions on a printer, follow these steps:
Figure 8-10. The Security tab of a printer's Properties dialog box.
Figure 8-11. The Select Users, Computers, Or Groups dialog box.
Figure 8-12. The Permission Entry dialog box.
To audit actions for the printer (to record the occurrences of successful or unsuccessful printer-related actions by users or groups), follow these steps:
You can view the results of the audit settings in the security log. After reviewing the log a few times, you might conclude that you're auditing too many or too few events. If you log too many actions, the log fills rapidly and events that are more serious can get lost in the long list of relatively trivial ones. If too few events are logged, you might miss a pattern of improper access to printers.
The owner of a printer is the person who has control over what level of permission users and groups have on the printer. To change the ownership for the printer, follow these steps:
Only users or groups with the Manage Printers permission level appear in the list of users or groups available to take ownership of the printer.
Macintosh clients assume that if a client can physically send a document to a printer, it implicitly has permission to do so. This can put a damper on attempts to control access to printers. Fortunately, there is a way you can still control what level of access Macintosh clients have to printers, but only as a group: all Macintosh clients will receive the same permissions.
To limit the permissions of Macintosh clients you need to create a new user account and then configure Print Services for Macintosh to use this account. These are the actions you need to take:
Windows 2000 installs new printers with printer options designed to work for most users, but frequently, you'll need to change them so the printer will work optimally. Some printer modifications to options that you might need to make include changing the default printer, changing print server printer drivers, specifying color profiles, changing printer availability, determining group printing priorities, and setting up printer pools. These features might not be available until you actively enable them. Security settings such as permissions, auditing, and ownership are covered separately in the section entitled Setting Security Options, earlier in this chapter.
Depending on the printer driver you use, the dialog boxes and printer options that you have are probably different from those that we show. If you use a printer driver provided by the printer manufacturer, additional tabs and options might be unavailable in the standard Windows 2000 printer drivers.
Applications on the computer that shares the printer automatically print to the default printer unless a different printer is specified. On a print server, it hardly matters which printer is the default printer, but it is important for clients. After a few users accidentally print their e-mail on the expensive plotter, you (or maybe just the finance department) begin to see the importance of having the default printer set correctly.
To change the default printer, follow these steps:
To change general printer options such as the printer name, or to print a test page, follow these steps:
You can also print a test page by opening Windows Notepad and creating a simple document. In fact, printing in Notepad is an easy troubleshooting technique used to see whether basic printing is working.
To change the share name the printer uses on a network, to stop sharing the printer, or to install drivers that client machines can use for the printer, follow these steps:
Figure 8-13. The Sharing tab of a printer's Properties dialog box.
When client drivers are installed on a print server, many Windows clients automatically download the drivers when they are initially connected to the printer. Windows 2000 and Windows NT 4 clients automatically check for updated versions of the printer drivers at startup and download newer versions if necessary. Windows NT 3.x clients automatically check and update their drivers when they print to the server. Windows 95 and 98 clients don't automatically check for updated drivers and must be updated manually.
To change the driver that the print server uses for a printer, follow these steps:
A printer pool is useful for handling a large volume of printing at a location, particularly when there is a mix of large and small documents. For example, someone with a single-page memo doesn't have to be stuck in the queue behind a print job that's the corporate equivalent of the Encyclopedia Britannica.
If printers share a single driver, they can appear to clients as one printer. The advantage of using a printer pool is that clients don't need to find which printer is available; they simply print to the single logical printer (print driver) on the print server, which then sends the print job to the first available printer. Administration of the printers is also simplified because they are all consolidated under one driver. If you modify the properties for the single logical printer, all physical printers in the printer pool use the same settings.
Printers in a printer pool should be located near each other to make finding a completed print job easier.
To set up a printer pool or simply change the port settings for a printer, follow these steps:
All printers in a printer pool must be identical or must at least be able to use the same printer driver, as they are all configured by one printer driver.
Windows 2000 includes the Integrated Color Management (ICM) 2 API for maintaining consistent colors across monitors, color printers, and scanners. When you need to achieve accurate color reproduction, it's useful to set up the printer, as well as the users' monitors and scanners, with an appropriate color profile. To do so, follow these steps:
Color management in Windows has come a long way, but most graphics professionals still use third-party, hardware-based, color-matching solutions when color accuracy is important. However, ICM provides a good way to attain a reasonable measure of accuracy for noncritical work.
To set up the printer to be available only during certain times—perhaps to discourage after-hours printing—perform the following steps:
To dedicate a printer to large, high-priority print jobs after normal hours, install a duplicate logical printer (printer driver) for the printer. Make one logical printer available during normal hours to all users. Make the second one available after hours to only particular users or groups.
Sometimes you might want to make the printer available preferentially to a certain group of users so that they can jump straight to the head of the print queue. This ability can be extremely useful for users who face time pressures and need to take precedence over other users when printing.
To set up groups to have different priorities on a printer, you need to set up two or more logical printers for the physical printer. Thus, you would have two or more printer drivers set up for a single printer, with each driver possessing a different priority level and a different set of users or groups. To do this, follow these steps:
Print spooling, or storing a print job on disk before printing, affects how clients perceive printing performance and the actual printing speed. You can change the way print spooling works to correct printing problems or to hold printed documents in the printer queue in case a user needs to print the document again. Follow these steps to change a printer's spool settings:
Figure 8-14. The Advanced tab of a printer's Properties dialog box.
The print processor determines the data format used with documents sent to the printer, generally either raw or EMF. (See the section entitled Understanding the Printing Process, earlier in this chapter, for information on these data types and their advantages.) To change the type of print processor the print server uses for a printer or to specify a separator page to insert between print jobs, follow these steps:
If you have a printer that supports printing in two printer languages (usually PostScript and PCL), you can set up the printer to simultaneously support both languages. To do this, set up two logical printers (printer drivers) for the printer: one for each data type. Clients with PostScript documents then use the PostScript-enabled logical printer, whereas users with PCL documents use the PCL logical printer.
Open the Printers folder and click Add Printer to create a logical printer that supports the first data type (either PostScript or PCL). Then click Add Printer a second time to create a logical printer that supports the second data type.
Each printer comes with several configurable device options, such as which paper tray to print from, whether a duplexer is installed, and how to handle downloadable fonts. Although the options that are configurable vary with the printer model, you can use the following procedure to change the printer device settings on any printer:
Figure 8-15. The Device Settings tab of a printer's Properties dialog box.
If the printer has multiple trays with different forms, match the form to the tray so that documents using the form always print properly. Under the Form To Tray Assignment heading, select each tray and choose the form that the tray holds. If the printer supports Page Protection and has 1 MB or more of available optional memory, click the Device Settings tab and turn on this option to ensure that complex pages print properly. When you turn this option on, the printer creates each page in memory before beginning to print.
After you configure the printer options for the installed printer, you should set the default print settings that are used by clients. The default printer settings you specify on the print server are used as the defaults for all clients connecting to the printer (users can change printing preferences on their computers if you haven't disabled this ability using Group Policy).
This section describes how to set layout options, how to set paper options, and how to set quality defaults for a print server and attached clients.
Layout involves such options as the orientation of documents and paper, the order in which pages are printed, and the number of pages per sheet of paper that are printed. To change these settings, follow these steps:
Figure 8-16. The Layout tab of a printer's Printing Preferences dialog box.
The Rotated Landscape orientation, if available, prints a page in the landscape format, but rotated 90 degrees counterclockwise.
Paper and quality options are important printing defaults because you generally want most users to print on a certain paper size from a particular paper tray with a certain quality setting. Most users change the default options only if their documents don't print the way they wanted, potentially causing a lot of waste if the defaults are inappropriate and the users don't correct them until after printing a copy (or more). Setting these defaults to a standard-size paper (most likely letter size) and at the quality setting most appropriate for the users can save the company a great deal of money over time. To specify paper options and quality settings, follow these steps:
To set duplex printing, staples, and other advanced printer options, use Advanced Options—these settings might not be available elsewhere—depending on the printer driver and whether you've enabled these installable options.
Although most printer configuration occurs in the printer driver for a particular printer, you can configure some of the actual print server settings. These settings affect all printers hosted by the print server; they include determining which forms are available to print on and which ports and printer drivers are available to use, as well as some spool settings.
Forms are the media you put in a printer; basically if you can print on it, Windows considers it a form. Forms can be paper of various sizes, every sort of envelope, or other types of media such as film. Print servers are set up to handle a wide variety of standard forms by default, but occasionally it can be useful to set up additional forms that the printers can use, maybe because you use special company forms. Perhaps you want to modify or delete an existing form. To do so, follow these steps:
Figure 8-17. The Forms tab of the Print Server Properties dialog box.
You can use the Ports and Drivers tabs in the Print Server Properties dialog box to configure the port and printer drivers that are available on the print server. You can add new ports for the printers or configure the printer drivers you want to make available to clients to download when they connect to the print server. To do so, follow these steps:
The Advanced tab of the Print Server Settings dialog box is extremely useful for configuring the print server for optimal performance and ease of use. You can and should specify where the spool folder is stored, and you can also control how the print server deals with printing events. To configure these settings, follow these steps:
For optimal performance, place the spool folder on a separate drive from Windows 2000, its applications, and especially its swap file. Also make sure that the drive is big enough to hold all the documents in the print queue. If you choose to enable the holding of printed documents, the drive needs to be even bigger.
To be notified of errors while printing remote documents, select Beep On Errors Of Remote Documents. To send a message to the user when the document finishes printing, select Notify When Remote Documents Are Printed. To display a notification message on the computer the document was printed on (even if the user who printed it is currently logged on elsewhere) select Notify Computer, Not User, When Remote Documents Are Printed.
The Notify When Remote Documents Are Printed feature can be useful on busy print servers when a significant delay might occur between the time that a client sends off a document and the time when the document reaches the head of the queue and actually prints. However, on less busy print servers or for users who need to print frequently, this feature can be annoying. If this situation occurs for users, you can turn off the option to eliminate the problem.