6

I have a question about shared printers, and how to best limit access to them.

I have a printer shared from our print server (\\server01\printer01) and I locked it down to just the security groups that should have access via the share security tab.

I also have the AD object for that printer, which allows anyone to access that printer. I figured that it was better to lock it down via the share, because I didn't want to leave the share open for any unauthenticated users.

Any thoughts on how I can do this better, or how I've totally fubar'd up my network? It seems to work for the moment, except for the times when I look at the AD permissions and go "I thought I locked this down".

Stefan Lasiewski
  • 22,949
  • 38
  • 129
  • 184
David Liese
  • 145
  • 1
  • 10

1 Answers1

2

Instead of messing with the share's security, you should simply edit the printer object's security settings to your liking (probably removing the Everyone:Print ACE in the process which is set by default):

printer security

the-wabbit
  • 40,319
  • 13
  • 105
  • 169
  • I agree. Much like file system ACLs, it's best to leave the share's permissions simple and manage the object ACLs. Server 2008R2 and up allow for [Delegated Print Administration](http://technet.microsoft.com/en-us/library/ee524015(WS.10).aspx#BKMK_Designing_security_groups) which further eases the management of printer ACLs. – jscott May 14 '14 at 10:32