Can I give printing rights without giving login rights?

Discussion in 'Microsoft Windows 2000 Setup' started by Peter, Dec 5, 2003.

  1. Peter

    Peter Guest

    I have a PC (admin) with a printer attached, and some PCs (user)
    networked to it which I want to access the printer.

    I can make it work if I create a user account on the admin PC for
    every user on the LAN.

    But then it is possible for each of the users to login into the admin
    PC. Obviously only under their user login, but I don't want them to be
    able to login at all.

    How can I create a user account but with login **on that machine**
    blocked?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 5, 2003
    #1
    1. Advertisements

  2. Peter

    Jetro Guest

    You can enable Guest account and lock down its desktop or purchase the
    server.
     
    Jetro, Dec 5, 2003
    #2
    1. Advertisements

  3. Peter

    Peter Guest

    "Jetro" <> wrote

    >You can enable Guest account and lock down its desktop or purchase the
    >server.


    Doesn't enabling the Guest account create a big security hole?


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 5, 2003
    #3
  4. Peter

    Jetro Guest

    Not related to the subject. As you see, the practical solution is a domain.
     
    Jetro, Dec 6, 2003
    #4
  5. Peter

    Peter Guest

    "Jetro" <> wrote

    >Not related to the subject. As you see, the practical solution is a domain.
    >


    Perhaps you could offer more than cryptic 1-line replies; I might then
    have a chance of understanding them.


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 8, 2003
    #5
  6. Peter

    Jetro Guest

    Did I offend you somehow?
    That's impossible to disable the logon on particular workstation in the
    workgroup environment. You need the domain with domain controller (server).
    Enabled Guest account is a breach in the security, you are right, but I
    wouldn't bother about the workgroup security at all - nothing is secure.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299909
    HOW TO: Join a Workgroup in Windows 2000 Server
     
    Jetro, Dec 8, 2003
    #6
  7. Peter

    Peter Guest

    "Jetro" <> wrote:

    >Did I offend you somehow?
    >That's impossible to disable the logon on particular workstation in the
    >workgroup environment. You need the domain with domain controller (server).
    >Enabled Guest account is a breach in the security, you are right, but I
    >wouldn't bother about the workgroup security at all - nothing is secure.
    >http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299909
    >HOW TO: Join a Workgroup in Windows 2000 Server


    OK, thank you, I understand that it cannot be done. In a workgroup
    system, if you want rights to a printer attached to PC X then you also
    have inevitable login rights into PC X console.

    Perhaps if the printer in question was directly ethernet-attached
    (rather difficult with a UBS-only inkjet pritner), or attached to a PC
    which is only used as a print server, that would be a solution.

    This raises an interesting question... if I did dedicate a PC to act
    as a print server, that same PC could also run an email server and
    filter out all the Swen spam... run Winfax, etc etc...


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 9, 2003
    #7
  8. Peter

    Jetro Guest

    The printer can be attached to any workstation, say, nearest to admin
    computer, or you could buy hardware print server. WinFax could be run as
    distributed shared application etc etc etc. As to the workstation acting as
    an email server... It wouldn't be productive enough and limited by 10
    simultaneous connections in the case of W2kPro, but dedicated Linux machine
    would be sufficient for everything.
     
    Jetro, Dec 9, 2003
    #8
  9. Peter

    Peter Guest

    (Peter) wrote

    >OK, thank you, I understand that it cannot be done. In a workgroup
    >system, if you want rights to a printer attached to PC X then you also
    >have inevitable login rights into PC X console.


    I have just proven the above is wrong!

    I have created an account for my son on my own PC (the one which has
    the printer attached to it) and tried to login using his login/pwd on
    my PC and it says only an administrator can login.

    That's good news. No idea how it was achieved :) There must be some
    config on my PC which specifies that only administrators can login.


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 9, 2003
    #9
  10. Peter

    Jetro Guest

    Alright, here is the trick - I just forgot about it (don't remember when I
    configured the workgroup last time - 10 years ago?! ;-)
    Create special group and add restricted users to it. Run 'gpedit.msc' and
    drill down to
    ComputerConfiguration/WindowsSettings/SecuritySettings/LocalPolicies/UserRig
    htsAssignment: DenyLogonLocally - add the group mentioned above.
    If you locked down yourself (I did), you need 'ntrights.exe' from
    ResourceKit. Run from any remote machine as administrator:
    ntrights -u {user or group} -m \\lockedcomputer -r
    SeDenyInteractiveLogonRight

    Indeed, if you have ntrights.exe around already, you can lock interactive
    logon directly.
     
    Jetro, Dec 11, 2003
    #10
  11. Peter

    Peter Guest

    "Jetro" <> wrote:

    >Alright, here is the trick - I just forgot about it (don't remember when I
    >configured the workgroup last time - 10 years ago?! ;-)
    >Create special group and add restricted users to it. Run 'gpedit.msc' and
    >drill down to
    >ComputerConfiguration/WindowsSettings/SecuritySettings/LocalPolicies/UserRig
    >htsAssignment: DenyLogonLocally - add the group mentioned above.
    >If you locked down yourself (I did), you need 'ntrights.exe' from
    >ResourceKit. Run from any remote machine as administrator:
    >ntrights -u {user or group} -m \\lockedcomputer -r
    >SeDenyInteractiveLogonRight
    >
    >Indeed, if you have ntrights.exe around already, you can lock interactive
    >logon directly.
    >


    Jetro - thank you! However I didn't do the above; it must have
    happened somehow (win2kpro, sp4).


    Peter.
    --
    Return address is invalid to help stop junk mail.
    E-mail replies to but remove the X and the Y.
    Please do NOT copy usenet posts to email - it is NOT necessary.
     
    Peter, Dec 11, 2003
    #11
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Dany Drapeau

    Mirror computer to give the most server availability as possible

    Dany Drapeau, Jul 3, 2003, in forum: Microsoft Windows 2000 Setup
    Replies:
    1
    Views:
    467
    Michael Holzemer
    Jul 4, 2003
  2. POS

    Anyone can give me solution?

    POS, Aug 5, 2003, in forum: Microsoft Windows 2000 Setup
    Replies:
    7
    Views:
    580
    Dave Patrick
    Aug 6, 2003
  3. Jason TLA

    Manage Local Printer without Admin rights

    Jason TLA, Nov 10, 2003, in forum: Microsoft Windows 2000 Setup
    Replies:
    0
    Views:
    211
    Jason TLA
    Nov 10, 2003
  4. GAlan

    Network 2k to 2k without needing to login?

    GAlan, Oct 9, 2004, in forum: Microsoft Windows 2000 Setup
    Replies:
    2
    Views:
    171
    Lanwench [MVP - Exchange]
    Oct 9, 2004
  5. Guest

    login script default to user login name

    Guest, Jun 8, 2005, in forum: Microsoft Windows 2000 Setup
    Replies:
    3
    Views:
    579
    Dave Patrick
    Jun 8, 2005
Loading...

Share This Page