3

I have:

  • A Windows Server 2003 machine acting as a file server and domain controller. Call this "Server 1".
  • Another Windows Server 2003 machine acting as a terminal server, file server and DNS server. Call this one "Server 2". People often log in to this machine via RDP to use a certain piece of software.
  • An old Windows XP SP3 machine with a USB printer attached and shared. This machine has its own local accounts, it does not validate logons against the domain controller. It is a member of the domain, though. Call this "PC 1".

(I have inherited this setup and am temporarily administering it. I am not particularly knowledgeable about administration of Windows servers, so forgive me if I've omitted valuable details.)

I want users to be able to print from the printer on PC 1 while working on Server 2, even if PC 1 is in use. I can add the shared printer to Server 2 as the administrator, but the user themselves cannot add the printer. When I try (logged in as them) to add it, I see "You do not have sufficient access to your computer to connect to the selected printer".

I followed the instructions in this KB article ie. disabled the "Prevent users from installing printer drivers" property in Local Security Settings, rebooted, and got the same message. I tried adding the user to Local Security Settings > Load and unload device drivers, rebooted, still can't add it. I added the user to the (local) Power Users group, rebooted, still can't add it.

Finally I added the user to the Administrators group, rebooted, and I could add the printer to their account — success! But then, when I removed them from the Administrators group and rebooted, the printer was... gone.

So what do I try next?

detly
  • 192
  • 1
  • 3
  • 11

3 Answers3

3

Dump the "shared printer" and make the printer a local printer on the Terminal Server computer.

  • Install the optional component "Print Services for Unix" onto the Windows XP PC that is "sharing" the printer, which will turn the PC into an expensive HP JetDirect-alike (i.e. it will make the PC answer on TCP port 515 for the LPR protocol).

  • Verify that the Windows Firewall on the Windows XP machine permits inbound connections from the Terminal Server on TCP port 515.

  • Add the printer to the Terminal Server as a local printer attached to a "Standard TCP/IP Port" referring to the name or IP address of the Windows XP PC. There will be a long delay while Windows attempts to "detect" the port. When you finally get the dialog with a drop-down list of port types choose "Custom", click "Settings" and modify the default properties to use the "LPR" protocol, set the "Queue Name" to the "Share Name" of the printer on the Windows XP machine, and tick the "LPR Byte Counting Enabled" box. (This selection has nothing to do with the printer model-- this is just to get LPR going between the boxes.)

This will give you a local printer on the Terminal Server computer (and, thus, available to all users automatically). Since you need to restrict access to the printer use an ACL on the print queue to do so.

Edit:

Sadly, some printer drivers are not amenable to this technique. Consumer inkjet printers and all-in-one devices seem to be the worst.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • *Since you need to restrict access to the printer* — I don't actually. If staff want to walk all the way over there, they can :P But I'll try this out. – detly Feb 14 '12 at 02:26
  • I took your phrase "I want a particular user to be able to print ..." to mean that you needed restricted access. – Evan Anderson Feb 14 '12 at 02:30
  • Ah, I see. What I meant was that I would be satisfied with an answer if it had to be done per-user, OR if it worked for all users. If that makes sense. – detly Feb 14 '12 at 02:41
  • Alas, I cannot select the driver for the printer when I get past the port configuration dialog. It's a Canon MP830 Printer, which in fact is already installed as a shared printer on the machine, but neither that nor the HP JetDirect the driver is are listed. – detly Feb 14 '12 at 05:46
  • I missed that step! In the "Port Configuration" dialog you're going to choose a "Generic" type. This has nothing to do with the printer model-- this is just the TCP/IP communication between the Terminal Server computer and the LPD server on the Windows XP machine. I just dropped on an edit. – Evan Anderson Feb 14 '12 at 06:01
  • AWW YEAH. Used the "Generic/Text only" driver to get it installed, and **then** I could use the properties dialog to change the driver to the MP830. It prints! – detly Feb 14 '12 at 06:18
  • Glad to hear you got it going. I try to make all printers on Terminal Server computers "local", if at all possible, to make them easier to deal with. – Evan Anderson Feb 14 '12 at 07:05
  • Okay, it sort of works... sometimes. Not always. But I get the error message: "Cannot communicate with printer. Turn Enable bidirectional support on in the printer's Properties dialog box." This occurs even if I turn both firewalls off altogether. – detly Feb 14 '12 at 09:09
1

  1. Add the printer to each workstation (while logged in as the user)

  2. Configure the TS to allow printer redirection

  3. Configure the RDP client on each workstation to redirect printers to the TS session (while logged in as the user)

  4. Done

joeqwerty
  • 108,377
  • 6
  • 80
  • 171
0

On the terminal server, is the driver for the printer installed? I'm referring to the Printers and Faxes Folder > Server Properties > Drivers tab. If the driver is already installed, there should be no need to install a driver when a user attempts to connect to a network printer. If the correct driver is installed, when the user connects to the printer, it should use the driver that is already installed.

If it is not installed, you can add drivers ad-hoc independent of the printer installation process.

Note that in nearly all cases, if you can find a "built-in" printer driver that will work, you should use this instead of any custom driver that may have been provided from the vendor. A "built-in" driver is one that appears in the driver list that Windows knows about, that is included with the Windows installation media. This may not be practical with some printers or complex printing requirements, but it does work in a surprising number of scenarios.

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
  • The driver is already installed. The printer is actually available for the administrator user. – detly Feb 14 '12 at 03:13