Default permission on local printer objects (W2k WKST)

[Povl H. Pedersen]

We have quite a few branch office PCs, with local printers. The PCs
run Windows 2000 and has been locked down. We have the problem, that
the local user can not manage the local printer queue when it is
halted for some reason.

How can deploy settings settings on all machines so that the user do
get control over his local print queues ? What is needed ? Is it a
policy ? It is some files we need to change permissions on ? We do not
know the printer name or type on these machines.

We are still a Windows NT domain (for at least another 6-12 months)

 

[Bill Peele [MS]]

--------------------
From: (e-mail address removed) (Povl H. Pedersen)
Newsgroups: microsoft.public.win2000.printing
Subject: Default permission on local printer objects (W2k WKST)
Date: 3 Mar 2004 04:32:21 -0800

We have quite a few branch office PCs, with local printers. The PCs
run Windows 2000 and has been locked down. We have the problem, that
the local user can not manage the local printer queue when it is
halted for some reason.

How can deploy settings settings on all machines so that the user do
get control over his local print queues ? What is needed ? Is it a
policy ? It is some files we need to change permissions on ? We do not
know the printer name or type on these machines.

We are still a Windows NT domain (for at least another 6-12 months)
--

Povl,

By default the Everyone group should have Print rights for all local printers, as shown by checking the Security tab in the
printer's Properties. With this right a user should be able to control their own documents in the print queue but not anyone
elses. To allow a user, group, etc. to control other peoples documents in the print queue they would need the Manage
Documents right, also set from the Security tab in the printer's Properties.

For more information go to Start\Help on a Windows 2000 system and then on the Contents tab go to Security\Concepts
\Understanding Security\Access Control\Objects and Objects Manager\Printer Permissions.

If a user is unable to delete their own documents from the print queue then we have changed something else with the
lockdown.

Bill Peele
Microsoft Enterprise Support

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread
from which they originated.

 

[Povl H. Pedersen]

--------------------
From: (e-mail address removed) (Povl H. Pedersen)
...
Povl,

By default the Everyone group should have Print rights for all local printers, as shown by checking the Security tab in the
printer's Properties. With this right a user should be able to control their own documents in the print queue but not anyone
elses. To allow a user, group, etc. to control other peoples documents in the print queue they would need the Manage
Documents right, also set from the Security tab in the printer's Properties.

Hi Bill,

Thanks for the answer. My question might have been unclear. I do know
about the permissions model in Windows. My problem is:

We have a few hundred stores, each with one W2k workstation machine,
locked down as much as possible. But we want the users to be able to
start/stop the printer queues on their own.

Now, we need to roll this out on the installed base. So what
files/folders/registry keys must we change the ACL on to give plain
users "Manage Documents" rights on the local printers (we do not know
the name/types of the printers. They probably got what was cheapest at
installation time, and might have replaced it).

For more information go to Start\Help on a Windows 2000 system and then on the Contents tab go to Security\Concepts
\Understanding Security\Access Control\Objects and Objects Manager\Printer Permissions.

If a user is unable to delete their own documents from the print queue then we have changed something else with the
lockdown.

As I just wrote above, we need a way to script setting permissions on
all local printers on W2k.

Bill Peele
Microsoft Enterprise Support

Povl H. Pedersen

 

[Bill Peele [MS]]

--------------------
From: (e-mail address removed) (Povl H. Pedersen)
Newsgroups: microsoft.public.win2000.printing
Subject: Re: Default permission on local printer objects (W2k WKST)
Date: 8 Mar 2004 00:26:21 -0800

Hi Bill,

Thanks for the answer. My question might have been unclear. I do know
about the permissions model in Windows. My problem is:

We have a few hundred stores, each with one W2k workstation machine,
locked down as much as possible. But we want the users to be able to
start/stop the printer queues on their own.

Now, we need to roll this out on the installed base. So what
files/folders/registry keys must we change the ACL on to give plain
users "Manage Documents" rights on the local printers (we do not know
the name/types of the printers. They probably got what was cheapest at
installation time, and might have replaced it).

As I just wrote above, we need a way to script setting permissions on
all local printers on W2k.

Povl H. Pedersen
--

I don't know of a registry change that will allow this. The only way I know to change the permissions on a service is through
a GPO by going to Computer Configuration\Windows Settings\Security Settings\System Services and then selecting the
service you want to change the permissions on. On a stand alone system we do not have the System Services branch in
the policy editor.

You may want to see if any of the information in the following article helps.

288129 - HOW TO: Grant Users Rights to Manage Services in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;[LN];288129

Bill Peele
Microsoft Enterprise Support

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread
from which they originated.

 

[Povl H. Pedersen]

The above did not solve my problems. So now I have sent off the
question to our account manager at Microsoft. He might be able to get
us a solution through the official system.

But thanks for you effort anyway.