Managing Printer Permissions

The preferred method for managing any network resource in a Windows 2000 environment is through NTFS permissions, and the same rule holds true for shared printers. Depending on your network needs, you may have several print devices that you want to make available to all users at all times. Or, you may have certain print devices that should be available to some users some of the time and others at other times—or not at all. The possible permission scenarios with any shared resource are many, and printer sharing is certainly no exception.

To modify the permissions of a shared printer, you first must be the administrator/owner of that printer on the local machine. If you needed to configure the permissions from a different computer through the Active Directory, you will need to be at least a member of the Server Operator or Print Operator group.

To modify the permissions of a printer, you need to access the Security tab of the printer’s Properties pages. There are three primary permissions that you can assign concerning printing:

  • Print  This permission allows a user to print to the printer.

  • Manage Printers  This permission allows a user to open the printer’s Properties pages and configure options.

  • Manage Documents  This permission allows a user to open the print queue and manage documents.

In Windows XP, local administrators are given all three permissions. The Creator/Owner is given the Manage Documents permission, Everyone is given the Read permission, and Power Users are given all three permissions. Most users in your environment will have Print permission for the printer, while only a select few will be given the Manage Printers and Manage Documents permissions.

As with all permission features, you can also click the Advanced button to view a listing of permission entries for particular groups. You can select a desired group, click the Edit button, and reconfigure the default permissions for that group if necessary. You can also set up auditing, view the owner, and view the effective permissions for a group by using the Effective Permissions tab. The tabs you see here are standard, and they work for printer permissions as they do for any other shared object. It is important to note here that if no permission is expressly applied to the group, the group can inherit its permission from the Active Directory. If there is no inheritable permission, the group is simply denied any access.

Note 

If you do not see a Security tab, then Simple File Sharing is in use. See Chapter 6 for details.

Permissions, Priorities, and Printing

As you can see, printing permissions are rather straightforward. However, in most cases, your permission problems will not be so cut and dried. For example, suppose that two different groups, Marketing and Accounting, use a certain shared printer. You want to make certain that the Marketing group can access the printer only from 3:00 P.M. until 10:00 P.M., but Accounting has full access. Also, when the printer is available to both groups, how can you ensure that the Accounting group’s jobs are given preferential treatment? In such cases, you use a combination of multiple printers, different priorities, and different availability options in order to make the configuration work. Keep in mind that you cannot single out a group for certain time access through the security permissions available; that has to be done using multiple printers for the same print device.

Let’s consider an example. In your network, a certain printer is accessed by the Management group and by the Research group. Although the Research group technically uses the printer more often, it frequently prints documents over 100 pages long that are not critical hard copy needs. The Management group needs the printer all of the time, and the group’s documents should be printed first. You would like to configure the printer so that the Research group’s print jobs do not print until after 2:00 P.M. each day, keeping open the morning hours, when the printer is most busy. Also, if a user in the Management group needs the printer in the late afternoon, that user’s print job should be favored over any jobs from the Research group. How can you configure this? Follow these steps:

  1. Create the first printer. You can label the printer “Management.” Then access the Security tab.

  2. On the Security tab, give the Management group Allow permission for Print. Make sure that you deny any other group permission to print.

  3. Click the Advanced tab. Ensure that the printer is always available and that the Priority is set to 50. Click OK.

To configure a printer for the Research group, follow these steps:

  1. Create the second printer. You can label the printer “Research.” Then click the Security tab.

  2. On the Security tab, give the Research group Print permission. Make sure that you deny Print permission for any other groups.

  3. Click the Advanced tab. Change the schedule so that the printer is available only from 2:00 P.M. to 12:00 A.M. Under Priority, leave the value configured as 1.

Printer management functions like another other resource that you need to manage in a Windows 2000/.NET network. Once you establish the shared resource, you then determine who can access the shared resource and under what conditions. As a general rule, you should make certain that printer permission assignment is as simple as possible. This rule holds true for any kind of shared resource.

The more complex the permissions and the more crossgroup memberships you have in your environment, the more likely you are to have problems. As with a shared folder, NTFS permissions are cumulative, with the exception of deny. If a user is a member of one group that has Print permissions but a member of another group that also has the Manage Documents permission, the user effectively has the Manage Documents and Print permissions. In contrast, if the user is a member of one group that is given Print permission to the printer but another group that is denied access, the user effectively has no access. For this reason, Windows networking groups should be clearly and carefully defined, and then permissions to resources, including printers, should be based on those groups. Careful and logical permission assignment makes your life as an administrator much easier and simpler.




A+ Technician's on the Job Guide to Windows XP
A+ Technician's on the Job Guide to Windows XP
ISBN: 72226900
EAN: N/A
Year: 2003
Pages: 164

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net