Windows Server 2003 Auto connect printers;

[Guest]

I was looking for a Windows Server 2003 newsgroup but I guess there is
nothing unfortunately.
My question is this and I haven't been able to find much info on this topic;
When several users login the Term Server they all auto connect their local
printers with each session as well. This is a good thing so they can print
back locally. However, this complete list of all the printers of all the
users with their local printers connected, is available to every user to see
and/or use by accident. How do I remove the other user's printers and only
show the printers that are for this user alone.
Any help would be greatly appreciated.
Thanks!!

 

[TP]

By default users will only see their own autocreated printers as well
as any printers that are installed directly on the TS that they have
rights to.

Check to make sure that users are not members of Administrators,
Power Users, Print Operators, Server Operators, etc.

Thanks.

-TP

 

[Guest]

Thanks TP,
The users that connect to the TS are only members of Domain Users and no
other rights at all. Still you can see all other users' printers connected
from their sessions with the computer name. Is there maybe a TS configuration
or is it somehow a premission issue.
Any idea's are welcome.

Thanks!
Paul

 

[TP]

Is the Domain Users group a member of any other group?

I am assuming this is a member server. Double check all
of the local groups like Administrators, etc., and make
sure that there are no memberships giving users more rights like
Everyone, Users, Authenticated Users, Remote Desktop
Users, Interactive, etc., being a member.

This should not impact printer visibility, but what do you
have Permission Compatibility set to? Full Security or
Relaxed Security?

Thanks.

-TP

 

[Guest]

The Domain Users group is a member of the build in Users, that's it.
Yes the TS is a member server, Authenticated Users is added to the local
Admin group to give users local admin rights. We did this to solve some
software issues. Would this be related to our printer issue and how?
Where could I check again where we set the Permission Compatibility to??
Thanks for helping out, greatly appreciated.

Paul

 

[TP]

That explains it. Users who are Administrators are able to see
all printers. "Normal" Users should not be a member of
administrators. This is very bad for security and stability of
the TS. Administrators can do all sorts of bad things to the
TS (intentionally & not), regardless of any group policies or
other measures you take to restrict them.

In order to fix things you need to remove authenticated users
from the Administrators group. Then you are left to get your
software applications functioning properly with limited
permissions.

You do this by granting only those permissions that are
absolutely necessary for each application to run. For example,
an application typically needs read access to its program
directory and registry keys at a minimum. Some applications
may need to read/write to their program directory as well as
subkeys of their main registry key. Other applications may
need you to use per-user class hives, etc.

Logon to the server as an administrator and run filemon and
regmon from www.sysinternals.com. Then logon as a limited
user and run the problem app to see what areas of the file
system or registry it is being denied access to.

Some applications can be a pain to get working properly
with limited permissions, but almost all will work. Others it
is a combination of permissions and setting the application's
data/save locations to different than default.

If you have a specific app that you can't figure out, post
here and someone will help you.

Thanks.

-TP

 

[Guest]

Thanks so much TP for your help. I'll try this as soon as I can when no users
are on the TS. I'll let you know.
Thanks

Paul

 

[Guest]

I removed the NT Authentication but then the user's don't have enough
permission to even login to the TS. What (minimum) rights would be required
then for a normal basic user to login to a TS without having NT
Authentication. Isn't some form of admin rights required for a non admin user
to login to a server?
I am glad we're almost there but now we just have to give the user more
rights in order to login without having NT Authentication.
THanks TP.

Paul

 

[TP]

Make them a member of Remote Desktop Users. For
example, you could make Domain Users a member of
the Remote Desktop Users group, this would allow all
users of the domain to logon (if that is what you need).

Also, check in Start-->Run-->tscc.msc, click on Server
Settings on the left, make sure Permission Compatibility
is set to Full Security.

Thanks.

-TP

 

[Guest]

Thanks TP, I added the Remote Desktop Users to the Domain Users group in AD
but cannot view or even see the Remote Desktop Users in the AD list itself.
Then I added the Domain Users Group to the local Remote Desktop Users group
on the TS and now users are able to login successfully without the NT
Authentication.
I checked the Premissions and it's set to Full Security.
It did remove some printers from other users from the list which is good.
However I still have some problems auto connecting the printers from the
local system to the TS, even with the local resources printers check box
checked in the RDP properties. Is there anything else required that you can
think of in order for the auto connect local printers to TS to work???
Thanks for your help TP!

Paul