Solved

How-to restrict printing rights based on the computer you are logged into

Posted on 2003-03-13
Last Modified: 2008-02-01
I am a member of the support team for a Higher Education University. I/we have set up a Windows 2000 based print server. We have many student labs on campus, with a variety of network attached printers. We would like to give students and faculty access/rights to print to these printers based on the workstation that they are trying to print from. Specifically, we would like to give them access to print while logged in with their credentials in our labs, but not when they are in their offices and/or in dorm rooms etc. We originally felt this would be a simple task; however, when we began to set this up, it seems that Windows Security and Group Policy are limited in their ability to restrict printing based on the workstation from which a user is trying to print. Does anyone know how to restrict/permit printing based on the workstation credentials and location?

Thank You for any assistance in this matter.

Frank
Question by:hillf121
18 Comments
 

Author Comment

by:hillf121
ID: 8136467
The computers, servers and users in this situation log into a domain while in the labs and in some cases while they are in their offices. The print server in question is also in this domain.
LVL 8

Accepted Solution

by:
heskyttberg earned 1000 total points
ID: 8140096
Hi!

The best way to control this would be to put printers on their own subnet.

In the firewall router only allow access to that subnet for the printserver server.

No other machines are allowed to print directly to the printservers.

Now set up user/group rights on the printer shares on the print server, and only allow authenticated users access to the printer. This means they need to be logged in to the domain in order to print.

You might also be interested in getting some third party software to enforce a printing quota and give students like 500 free pages / year or whatever you think is enough.
If they want more they have to pay a small fee for every additional 50 pages.

This is how we got to the problem on a school where I worked a few years ago.

Regards
/Hans - Erik Skyttberg


Author Comment

by:hillf121
ID: 8143362
Thank You for the post. We have taken the steps you have suggested here. The question is how do we restrict printing based on the machine a user sits at, not the domain or credentials they have. We have a single campus wide domain infrastructure in place, and the students can print from ANY machine right now that they log into as a domain user. We are trying to limit the machines they can print from, based on the computer lab that they are in. This is necessary, because we have other users on campus who are domain users, can install printers on their machines, but whom we don't want to be able to print to our labs (i.e. staff and faculty).

Thanks
LVL 8

Expert Comment

by:heskyttberg
ID: 8144481
Hi!

There really isn't any real solution to hinder certain machines from printing; you can only stop users and the groups they belong to.

I'm not sure how your setup is, but if you are only trying to stop students from printing to certain printers and stop them from connecting to printers from their dorm room:

Give student computers in dorm room their own subnet and deny any traffic to/from printer subnet from dorm room subnet.

The same procedure can be done for the labs, you can even from one lab subnet deny printing to any printer but one. That would require static IP on printer servers.

This would still allow you to run DHCP, just give any labs, dorm rooms and faculty their own subnets. You also need to connect all these subnets through a firewall/router or a Linux box acting like one to make it all work.

It might be quite some work to implement. I'd rather do that through user credentials and a printing quota software.

The only way to stop someone from printing directly to a print server is by denying traffic to/from that print server's IP in a firewall.

Regards
/Hans - Erik Skyttberg

Author Comment

by:hillf121
ID: 8149347
Yes, we are aware of traffic restrictions based on firewall setup, but this does not provide us with what we want. We are, however, looking for a Windows security based solution to this. We could use security groups to accomplish only part of what we want to do. The problem is, if we restrict printing this way, it becomes an all or nothing solution. We noticed that the machine name provides credentials at some point when attempting to connect to the printer. We also noticed that the machine names were selectable objects when setting security restrictions for printing. These two observations led us to believe there was some combination of security settings that would allow us to restrict users who could print, based on the machine that they sat at, even if it meant preventing them from ADDING printers to their printer list, while on machines NOT in our labs.

Expert Comment

by:Notapro
ID: 8170688
What Logon script do you use
LVL 8

Expert Comment

by:heskyttberg
ID: 8177759
Hi!

Well, stopping a user from adding printers to a computer can be done with user and group policies. It's a pain to set up in NT though, but in there you can do machine restrictions such as disallowing a certain computer to add printers or hiding C: and so on.

Be careful though: once a policy is set on a computer it cannot be undone any other way than by setting a new policy.

Regards
/Hans - Erik Skyttberg

Author Comment

by:hillf121
ID: 8178734
Logon Script? Please be more specific.

Author Comment

by:hillf121
ID: 8178764
We are running a Windows 2000 Active Directory domain and most clients are XP. Group Policy is a cinch, but we wouldn't set policies on the machines I want to restrict, which is part of the reason I am looking for a workaround solution server side, using Security in conjunction with local security policies. The machines I speak of are student laptops, for the most part, and they are owned by the students. In an academic setting, it is almost impossible to impose most policies on people, and in this case, where laptops are NOT owned by the college, it isn't even a slight possibility. Thank You for your comments Erik, let's see if someone else picks up this thread and can offer some additional insight.

Frank
LVL 8

Expert Comment

by:heskyttberg
ID: 8185821
Hi!

If you have printers on a special subnet and only allow the print server computer access to that net, the students have to be logged in in order to use the printer.

Now you can use a quota software to only allow them to use a certain amount of pages each year, and if they want more they have to pay for it.

This is the easiest course of action.

There is a problem with NT and 2000 that allows a client within the same workgroup as the domain, with the same local account/password as in the domain, full access to everything in the domain that the user would have if they actually logged in to the domain.

There is nothing you can do to stop this from happening.

I'm not sure about this, but only way of stopping this might be to change the AD and only allow w2k or newer clients access, as long as you need older clients to be able to connect there is nothing you can do about this.

Regards
/Hans - Erik Skyttberg

LVL 8

Expert Comment

by:heskyttberg
ID: 8185828
Hi!

I just remembered another thing you might try.
Only allow authenticated users; I think this means they need to be logged in to the domain.

On the security tab in Windows Server 2003 RC2, I can choose computers to give access, then you could remove all others. You need to click on object types and mark computers in order to list computers.

I have no 2000 AD available, but check if you have this; if not, it's not possible in 2000 and you would need to upgrade to 2003 or make a workaround such as denying by IP, using quota or whatever.

Regards
/Hans - Erik Skyttberg
LVL 21

Assisted Solution

by:wyliecoyoteuk
wyliecoyoteuk earned 1000 total points
ID: 8187758
try this:
subnet for printers, including printserver(s).
router between printserver(s) and main network (this could be one of the printservers).
subnet for dormrooms, no route allowed between dormroom subnet and printserver.

DHCP servers for all the subnets in question, so that if they connect, they are allocated an IP address and subnet based on their connection.

Also, some modern network printers allow "access masks" (Ricoh and Canon do, as far as I know).
This can be used to exclude subnets.
Also check:
No gateway set on printers, or set a gateway, and subnet your printservers on that route.
Only TCP/IP enabled on printers (disable appletalk, netbios, IPX/SPX, and IPP).
Other than that, you may need to set up domain trust systems based on subnet location, or split up your domain into subdomains (trusted and untrusted).

(And yes, I know that this is a variation on a theme above).


There is no windows security based answer that I am aware of, for what you want, without limiting which computers the user can logon to, but careful subnetting could prevent it.

Expert Comment

by:MKoteshwar
ID: 8788860
Hi,

If you are having Xerox Phaser Printers, each printer can be given a Host Access List. Only computers that are listed in the Host Access List can print to this printer. So, you can ensure that only computers listed on the printer can print to it.
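The design the experts converge on above (heskyttberg's and wyliecoyoteuk's "printers on their own subnet, only the print server may reach them, dorm subnet gets no route", plus the printer-side host access list MKoteshwar mentions) is a network-path control, not a Windows ACL: the router decides by source subnet, so where the user sits determines whether a job can reach a printer, regardless of which domain account they log in with. The following is an added example, not code from any poster; it models that ruleset as a first-match packet filter and a per-printer allow list so the policy can be checked offline before it is typed into a real firewall. All subnets, addresses, ports and the names `Rule`, `router_decision`, `printer_accepts` and `can_print` are constructed for the example.

```python
"""Offline model of subnet-based print access control (added example).

The rule table mirrors the thread's design: clients submit jobs to a
Windows print server over SMB, only print servers may talk to printers
on the raw print port, and dorm/faculty subnets have no route into the
printer subnet at all.  A second, printer-side host access list makes
the printer itself reject anything but its own print server.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# ---- Constructed sample addressing (assumptions, not values from the thread) ----
PRINTER_NET = ip_network("10.10.0.0/24")    # printers and print servers live here
LAB_A_NET = ip_network("10.20.0.0/24")
LAB_B_NET = ip_network("10.21.0.0/24")
DORM_NET = ip_network("10.30.0.0/16")
FACULTY_NET = ip_network("10.40.0.0/24")
ANY = ip_network("0.0.0.0/0")

PRINT_SERVER_A = ip_address("10.10.0.5")    # spools for lab A's printers
PRINT_SERVER_B = ip_address("10.10.0.6")    # spools for lab B's printers
# Printer-side host access list: printer -> the single host allowed to send it jobs
PRINTERS = {
    ip_address("10.10.0.101"): PRINT_SERVER_A,
    ip_address("10.10.0.102"): PRINT_SERVER_A,
    ip_address("10.10.0.201"): PRINT_SERVER_B,
}
SMB = 445          # client -> print server share
RAW_PRINT = 9100   # print server -> network printer (TCP/IP only, per the thread)


def host(ip: IPv4Address) -> IPv4Network:
    """Single-host network for use in a rule."""
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None matches any destination port
    why: str

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# First-match ruleset for the router/firewall sitting between the subnets.
ROUTER_RULES = [
    Rule("allow", host(PRINT_SERVER_A), PRINTER_NET, RAW_PRINT, "print server A spools to printers"),
    Rule("allow", host(PRINT_SERVER_B), PRINTER_NET, RAW_PRINT, "print server B spools to printers"),
    Rule("allow", LAB_A_NET, host(PRINT_SERVER_A), SMB, "lab A may use only its own print server"),
    Rule("allow", LAB_B_NET, host(PRINT_SERVER_B), SMB, "lab B may use only its own print server"),
    Rule("deny", DORM_NET, PRINTER_NET, None, "dorms never reach the printer subnet"),
    Rule("deny", FACULTY_NET, PRINTER_NET, None, "faculty offices never reach lab printing"),
    Rule("deny", ANY, PRINTER_NET, None, "default: nothing else reaches printers or print servers"),
]


def router_decision(src: IPv4Address, dst: IPv4Address, dport: int,
                    rules=ROUTER_RULES) -> Tuple[str, str]:
    """Return (action, reason) from the first matching rule; implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.why
    return "deny", "implicit default deny"


def printer_accepts(printer: IPv4Address, src: IPv4Address) -> bool:
    """Printer host access list: each printer accepts jobs only from its own print server."""
    return PRINTERS.get(printer) == src


def can_print(client: IPv4Address, print_server: IPv4Address,
              printer: IPv4Address) -> Tuple[bool, str]:
    """Walk the full path: client -> print server (SMB), print server -> printer (raw),
    then the printer's own access list.  The user account never enters the decision."""
    action, why = router_decision(client, print_server, SMB)
    if action != "allow":
        return False, f"client to print server: {why}"
    action, why = router_decision(print_server, printer, RAW_PRINT)
    if action != "allow":
        return False, f"print server to printer: {why}"
    if not printer_accepts(printer, print_server):
        return False, "printer host access list rejects this print server"
    return True, "allowed"


if __name__ == "__main__":
    for name, client in (("lab A PC", ip_address("10.20.0.15")),
                         ("dorm laptop", ip_address("10.30.5.7")),
                         ("faculty PC", ip_address("10.40.0.9"))):
        print(name, can_print(client, PRINT_SERVER_A, ip_address("10.10.0.101")))
    # A lab A client trying to hit a printer directly on port 9100 is also stopped:
    print("direct", router_decision(ip_address("10.20.0.15"), ip_address("10.10.0.101"), RAW_PRINT))
```

Two things the walk-through makes visible that the prose only implies: the "deny ANY to printer subnet" default is what stops a lab client from bypassing the spooler and talking to a printer directly, and the printer-side access list catches a misconfigured or compromised print server that spools to a printer belonging to another lab even when the router would have let the packets through.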
LVL 21

Expert Comment

by:wyliecoyoteuk
ID: 10643502
hillf121:

any comment?
LVL 21

Expert Comment

by:wyliecoyoteuk
ID: 10681313
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

points split heskyttberg and wyliecoyoteuk

Please leave any comments here within the next four days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

WylieCoyoteUK
EE Cleanup Volunteer