
Let's say my domain is structured as follows:

For the computers:

DOMAIN\North\Computers\OU1\PC1
DOMAIN\North\Computers\OU1\PC2
DOMAIN\North\Computers\OU1\PC3
.
.
.
DOMAIN\North\Computers\OU1\PCN
DOMAIN\North\Computers\OU2\PC1
DOMAIN\North\Computers\OU2\PC2
DOMAIN\North\Computers\OU2\PC3

For the Users:

DOMAIN\North\Staff\User
DOMAIN\North\Sales\User
DOMAIN\North\Marketing\User

There are different areas (North, South, East, West) and different OUs for the PCs. The point is the structure is the same as above no matter where you are. Now I have a print server with shared printers. It is trivial to set permissions so that the North Marketing people can only print to their printer. Is it possible to restrict printer permissions based upon the PC OU?

For example, let's pretend there is a shared printer that all the North\OU1 PCs typically print to. I would like someone, even if they are visiting from the East, to be able to authenticate with that printer if and only if they are logged onto a PC that resides in DOMAIN\North\Computers\OU1. If they are on an OU2 PC they should be denied.

I am not allowed to violate the model set above. I am not allowed to add the visiting east staff member to a group in the north.

Print server is Server 2008 if that matters.

asdffffff

2 Answers


Assuming the printers you're talking about are exposed to users as Windows print queues then, no, there isn't functionality in the product to do what you're talking about.

Dynamic Access Control (DAC) is the first object permission system in Windows that allows the client computer to be taken into account in the access control decision, but DAC doesn't apply to print queues.

OUs aren't Security Principals because they don't have Security Identifiers (SIDs). As such, OU "membership" can't be used in security decisions anyway.

There isn't any native functionality in the product I can think of that will do what you want. You'd pretty well have to bolt-on something third-party to make this happen (and even then I'm not coming up with good ideas).

I suppose you could stand up a dedicated print server computer to host the queues for each "area" and use firewall rules to limit the client computers that can communicate with the file and print sharing service (the "Server" service) on each machine. Seems like a terrible waste of OS licenses.

Evan Anderson
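The firewall workaround sketched in this answer, written out as an added example (not the answerer's own script): on the per-area print server, narrow the scope of the built-in "File and Printer Sharing" inbound rules so only the subnet the North OU1 PCs live on can reach SMB (445), NetBIOS (137-139) and the spooler's RPC endpoints (135 plus dynamic ports). The subnet values, and the assumption that OU1 PCs sit on their own subnet while East/South/West PCs do not, are illustrative; the script assumes an English-language Server 2008 with PowerShell 2.0, run elevated.

```powershell
# Added example: scope the Server 2008 print server's file and print sharing
# firewall rules to the North OU1 client subnet. Run in an elevated PowerShell.

# ASSUMPTION: OU1 PCs are on 10.10.1.0/24; 10.0.0.5 is the admin workstation that
# still needs SMB (C$ / print$) access to manage the server. Both are made up.
$NorthOU1Clients = '10.10.1.0/24'
$AdminHost       = '10.0.0.5'

function Set-PrintSharingScope {
    param([Parameter(Mandatory = $true)][string]$RemoteIp)
    # Windows Firewall's default inbound action is Block, so narrowing the
    # remoteip scope of the built-in allow rules is enough; no block rule needed.
    # remoteip takes a comma-separated list of hosts, ranges and CIDR subnets.
    & netsh advfirewall firewall set rule group="File and Printer Sharing" dir=in new remoteip=$RemoteIp enable=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

function Get-PrintSharingScope {
    # 'show rule' cannot filter by group, so parse the full inbound listing and
    # keep only rules whose Grouping is File and Printer Sharing. Labels are the
    # English ones; on a localized OS adjust the regex.
    $rules = @(); $current = $null
    foreach ($line in (& netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += $current }
            $current = @{ Name = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^(Grouping|Enabled|RemoteIP):\s*(.+)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    $rules | Where-Object { $_.Grouping -eq 'File and Printer Sharing' } |
        ForEach-Object { New-Object PSObject -Property $_ } |
        Select-Object Name, Enabled, RemoteIP
}

Set-PrintSharingScope -RemoteIp "$NorthOU1Clients,$AdminHost"
# Every row should now show RemoteIP = 10.10.1.0/24,10.0.0.5 rather than Any.
Get-PrintSharingScope | Format-Table -AutoSize
```

Note what this does and does not check: it is a network-location control, not an OU check. An East user who plugs a laptop into the North OU1 subnet is allowed through, and an OU1 PC that roams to another subnet is blocked, which is exactly why the answer calls it a poor substitute for the OU-based decision the question asks for. Scoping the whole group also restricts administrative SMB access to the server, hence the admin host in the list.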

What you are trying to do can be accomplished with the User Group Policy Loopback Processing function. Technically you can't do what you want with just permissions since you'd need to move users between Groups to make this effective (which you cannot do). Rather, you map printers with a GPO by the OU that the computer accounts are in. When you have User GPOs attached to a Computer OU, the Loopback Policy tells the Computer to apply the User GPOs when a user logs in even (and especially) if that user is in another OU. You can then choose to merge the looped-back policies with the user's original policies or replace the user's policies with only the loopback. The GPO that turns on Loopback processing for that OU needs to be ordered at the bottom of the list (so that it is first to run when the computer logs in to AD). It sets a flag that is just waiting for the next user to log in to that machine.

So, DOMAIN\North\Computers\OU1\ and DOMAIN\North\Computers\OU2 can have separate GPOs with separate printers. When users log in to PCs in each OU, they will pick up the GPO for just those PCs.

More information: http://blogs.technet.com/b/askds/archive/2013/05/21/back-to-the-loopback-troubleshooting-group-policy-loopback-processing-part-2.aspx

  • This *might* address his problem, might not. It only addresses the case where you want to add printers for the user, not the case where you want to assign permissions to the printers to lock them down somewhat (which is also a use-case I've seen). – HopelessN00b Apr 09 '14 at 19:59
  • You can technically deploy a Computer GPO that deploys the printer to the computer rather than the user. You get the option in the Print Management Deploy to GPO interface to do so. To be honest though, I've never managed printers per computer, just per user. – Homebrew Hops Apr 11 '14 at 11:42
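The loopback setup described in this answer, as an added example that is not part of the original post: a script that creates a GPO for the OU1 computer container, links it there, and sets the computer-side loopback flag (the `UserPolicyMode` value under `HKLM\Software\Policies\Microsoft\Windows\System`, 1 = Merge, 2 = Replace) so that whoever logs on to an OU1 PC, including a visiting East user, receives the user settings attached to the computer OU. It needs the GroupPolicy PowerShell module, which ships with GPMC/RSAT on Server 2008 R2 and later, so it runs from a management host rather than the 2008 print server itself. The domain, OU distinguished name and GPO name are assumptions.

```powershell
# Added example: per-computer-OU GPO with user loopback processing (Replace mode).
# Requires the GroupPolicy module (GPMC on Server 2008 R2 / RSAT or later).
Import-Module GroupPolicy

$GpoName    = 'North-Computers-OU1-Printers'                      # assumed name
$ComputerOu = 'OU=OU1,OU=Computers,OU=North,DC=domain,DC=local'  # assumed DN
$PolicyKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'   # loopback policy key
$Replace    = 2   # UserPolicyMode: 1 = Merge (keep the user's own policies), 2 = Replace

function New-LoopbackPrinterGpo {
    param([string]$Name, [string]$TargetOu, [int]$Mode)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Loopback: user printer settings follow the computer OU'
    }

    # Computer Configuration side: tells OU1 PCs to apply this OU's user settings
    # to any user who logs on, regardless of where that user's account lives.
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value $Mode | Out-Null

    # Link to the computer OU only once; New-GPLink errors on a duplicate link.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

function Test-LoopbackPrinterGpo {
    # Verifies both halves: the flag is set in the GPO and the GPO is linked (enabled) to the OU.
    param([string]$Name, [string]$TargetOu, [int]$ExpectedMode)
    $value = Get-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName 'UserPolicyMode'
    $link  = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    return ($value.Value -eq $ExpectedMode) -and ($null -ne $link) -and $link.Enabled
}

New-LoopbackPrinterGpo -Name $GpoName -TargetOu $ComputerOu -Mode $Replace | Out-Null
Test-LoopbackPrinterGpo -Name $GpoName -TargetOu $ComputerOu -ExpectedMode $Replace   # expect True
```

The printer connection itself still has to be added to this GPO's User Configuration, either through Print Management's "Deploy with Group Policy" as the answer describes, or with a user logon script that runs `rundll32 printui.dll,PrintUIEntry /in /n "\\PRINTSRV\North-OU1"` (server and queue names assumed). On an OU1 client, `gpresult /r /scope:computer` should list the GPO under Applied Group Policy Objects after the next refresh, and the loopback flag only takes effect for logons that follow that computer-side refresh. Replace mode drops the user's own OU policies (drive maps, folder redirection and so on) for that session, so Merge (value 1) is usually the safer choice unless you really want the visiting user to get nothing but the OU1 settings.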