How to delegate the permission to create printers on DC ?

P

printer admin

Does anybody know how I can delegate the permission to
install printers on my W2K servers (and DC's) in my
AD domain ?
I want to delegate this (and nothing more) to printer
administrators on the remote sites.

Tried Policy settings :
- Load and unload drivers...
- Prevent users to install printers ...

Searched the Knowledge base

No success and getting pretty tiered of it.
 
C

Chriss3

Do you mean delegate the right to create a printer object in AD or logon to
the Domain Controller and install a printer and share it?

Use Delegate of Control Wizard to delegate creation of objects in the Active
Directory. Other wise they may should be member of the Built-in Printer
Operators Group to perform an installation of a printer device since Printer
Operators are allowed to logon locally to Domain Controllers by default.

Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp
 
P

pinter admin

Thanks for the reply, but...

I don't want them to create the objects, but to logon on
the DC (this works fine) and to install a printer on it
that can be shared to the users.
They must as well be able to manage the printer afterwards.

When they logon (via Terminal Svcs) and want to create the
printer, the 'local printer' option is grayed out.
The network printer option is available.

I don't want to use the built in Printer Operators group,
because I have multiple sites with each an own DC and
servers. Those local admin should not be able to manage
the servers on remote sites (this is, not able to install
printers on it).
 
C

Chriss3

Then you may want to modify the Allow Logon Locally Right within a Group
Policy. You can here use different policies for different sites this provide
some security if you create your own group like Printer Operators Site1 and
add them to GPO SITE1 and link it to the Site object. Feel free to post
back. Have a nice day!
 
G

Guest

The users can 'log on locally' on the DC.
But, when they open up control panel, printers, add
printer, the "local printer" option is grayed out.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

PUBLISHED PRINTERS KEEP ON GETTING PRUNED 1
Delegate full rights to a DC? 2
isolated DC fails to work 5
New 2003 DC 9
DC not servicing logon requests 6
How to set default printer permissions on all AD printers 3
Windows 2000 Domain with Windows 2003 DC's?? 6
2003 DC not replicating 2

Top