
Is it possible, in an Active Directory domain, to completely deny printing of documents from any workstation or server for some user group, using Group Policy or another way?

It is important that:

  • the prohibition must apply to the user (another user on the same computer must still be able to print).
  • the prohibition must work even if the user's PC has a locally connected printer.
  • it must be possible to quickly enable or disable printing for the user by changing their membership in the domain group.
  • some printers are connected to users' computers via USB.
Slipeer
  • The printer must be configurable to only accept print jobs from the print server, or anyone can connect to the printer via IP. – JBaldridge Nov 21 '16 at 17:26
  • @JBaldridge anyone can connect to the printer via IP, and some printers are connected via USB. – Slipeer Nov 21 '16 at 17:42

2 Answers

1
  • Add a security group 'DenyPrinting' to all printers with the setting Print -> Deny.
  • Use GPO to 'Disable the addition of printers' for this group.
  • Add the users who shouldn't print to the group.
haveNidea
  • How then to control whether those security settings are actually applied? There are more than 500 printers ... The described policy only disables the interface; it does not eliminate 100% of the possibility of the user printing. – Slipeer Nov 21 '16 at 17:48
0

Best way that I found:

On all computers in the domain, using GPP, create a scheduled task that regularly runs a PowerShell script under the local system account:

$Account = "DOMAIN\Group_deny_print"
$PrintMask = 131080   # Print = PRINTER_ACCESS_USE (0x8) | READ_CONTROL (0x20000)
$Sid = (New-Object Security.Principal.NTAccount $Account).Translate([Security.Principal.SecurityIdentifier])

# Only printers defined on this machine (local, including USB ones); -Full is required to get the SDDL.
Get-Printer -Full | Where-Object Type -eq "Local" | ForEach-Object {
    $printer = $_
    try
    {
        # Parse the printer's security descriptor (not a container, not a directory object)
        $acl = New-Object -TypeName Security.AccessControl.CommonSecurityDescriptor $false, $false, $printer.PermissionSDDL

        # Skip printers that already carry the deny ACE, so the repeated task stays idempotent
        $already = $acl.DiscretionaryAcl | Where-Object {
            $_.AceType -eq 'AccessDenied' -and $_.SecurityIdentifier -eq $Sid -and (($_.AccessMask -band $PrintMask) -eq $PrintMask)
        }
        if ($already) { return }

        Write-Host "Deny $Account print to printer ($($printer.Name))"
        $acl.DiscretionaryAcl.AddAccess(
                [System.Security.AccessControl.AccessControlType]::Deny,
                $Sid,
                $PrintMask,
                [System.Security.AccessControl.InheritanceFlags]::None,
                [System.Security.AccessControl.PropagationFlags]::None)
        $newacl = $acl.GetSddlForm("All")

        # Write the DACL back only if the ACE was added successfully
        $printer | Set-Printer -PermissionSDDL $newacl -Verbose
    }
    catch [Exception]
    {
        Write-Error -Message "Failed on printer $($printer.Name): $($_.Exception.Message)" -Exception $_.Exception
    }
}

But it works only on Windows Server 2012 / Windows 8 or later.

Slipeer
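The comment on the first answer asked how to verify, across several hundred printers, that the deny setting is really in place. The following is an added example (not the answer author's script): a read-only audit that parses each local printer's SDDL and reports whether the deny ACE for the group is present. The group name is the one from the answer; the function name `Test-PrinterDenyAce` and the `\\FILESERVER\PrintAudit` share are placeholders chosen here.

```powershell
# Added audit example: reports, without changing anything, which local printers
# on this machine carry the Deny ACE for the group. Run under the same
# scheduled task or ad hoc; collect the CSVs centrally for fleet-wide coverage.
$Account = "DOMAIN\Group_deny_print"            # same group as in the answer
$PrintMask = 131080                              # PRINTER_ACCESS_USE (0x8) | READ_CONTROL (0x20000)

function Test-PrinterDenyAce {
    # Hypothetical helper: $true if the DACL in $Sddl denies every bit of $Mask to $Sid.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [int]$Mask = $PrintMask
    )
    $sd = New-Object Security.AccessControl.CommonSecurityDescriptor $false, $false, $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # A partial deny (e.g. only READ_CONTROL) does not block printing, so require the full mask
        if ($ace.AceType -eq 'AccessDenied' -and
            $ace.SecurityIdentifier -eq $Sid -and
            (($ace.AccessMask -band $Mask) -eq $Mask)) {
            return $true
        }
    }
    return $false
}

$sid = (New-Object Security.Principal.NTAccount $Account).Translate([Security.Principal.SecurityIdentifier])

# Same selection as the enforcement script: local printers only, -Full to obtain PermissionSDDL
$report = Get-Printer -Full | Where-Object Type -eq "Local" | ForEach-Object {
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Printer     = $_.Name
        Port        = $_.PortName
        DenyApplied = Test-PrinterDenyAce -Sddl $_.PermissionSDDL -Sid $sid
    }
}

# Printers still missing the deny ACE are the ones the scheduled task has not yet covered
$report | Where-Object { -not $_.DenyApplied } | Format-Table -AutoSize

# Placeholder share; replace with the real collection point
$report | Export-Csv -Path "\\FILESERVER\PrintAudit\$env:COMPUTERNAME.csv" -NoTypeInformation
```

Printing from a user that is a member of the group to a printer reported as DenyApplied = $true should fail with an access-denied error; a gap between the enforcement run and this report on any machine points at a printer added after the last task run or a failed Set-Printer call.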