• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 169
  • Last Modified:

How can I restrict network printers to pc's only

Hi

We have windows 2000 servers and  windows 2000 pro clients here at a school.
We are currently using vb scripts on local machines to install network printers.
So when a user logs on a pc the network printers in that department are installed.
Currently with the setup, if a student visits all departments in one day, they shall have all the departments printers added to their profile. Which will allow them to print from any department pc's to any department printers.
This is what is happening now, and we want to allow only the geography computers to be able to print to the geography printer for eg.

Any advice would be much appreciated.

Thanks

H
0
downehouse
Asked:
downehouse
  • 4
  • 3
  • 2
  • +2
1 Solution
 
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Well if you are using Active Directory then you will need to create groups I think related to printers.Such as Geography group science group..
Then give permission to them containers to user that require them,..
0
 
downehouseAuthor Commented:
Hi

Thanks for the reply,
But all the users require access to all the department printers.
I need to restrict them so only when they are using the history dept pc's they can only print to the histroy printer.
Im looking into creating printer groups in ad.

any other advice?
0
 
David LeeCommented:
I don't believe there's a simple way to stop the printing once the printers are installed.  Printing permissions are based on users and groups, not on the computer the print is coming from.  So I don't think there's a permission that can be set somewhere that'd say "allow print from PCs in this area but not from PCs in another area".  Is there any way of accomplishing this?  Yes, I think there is.  It just isn't clean and straightfoward.  Since printer permissions are based on users and groups, you could use a departmental login script to handle this.  The login script would add the user to a departmental print control group that allowed printing to that department's printers but disallowed print from all other departmental groups.  You'd then also need to create a logout script and remove the user from the local departmental group when they logged out.  For example, let's say we have two deprtments, geography and science.  We create two printer control groups, Geography Printers and Science Printers.  We then create or modify a login script so that when a user logs in from a geography computer they are added to the Geography Printers group and a duplicate script for the science department.  Next, we mod the permissions on the printers so that only users who are a member of the correct group can print to that group's printers.  Last, we create a logoff script that removes the user from whichever printer group they were assigned to when they logged in.  With this in place a user who logs in to a geography computer gets added to the Geography Printers group which has rights to print to any geography printer but does not have rights to print to a science printer.  Users logging in to a science computer can print to science printers but not to geography printers.  One problem with this idea is that it'd require users to have the right to add and remove group memberships.  If they can't, then this won't work at all.  The only other problem I see with this is if a user fails to logout properly and therefore doesn't run the logout script, then they'll still be a member of the wrong group should they log into a computer in a different department.  Perhaps that could be best solved by adding more code to the login script causing it to remove the user from all printer groups before adding them to the local printer group.  As I said, not clean, but I don't see a lot of other options.  
0
Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

 
tanelornCommented:
Hi
you could edit your vb script for the students to delete the printers that are there already in their profile except for the one in their proximity.

vbscript giveth, and vbscript can taketh away...

Tanelorn

0
 
scottman29Commented:
If you go to the NTFS security for a printer, you can allow security for a particular computer.  I've never tried it, but I wonder if you do that, if it would only let you print from that particular computer...

Give it a try!

Scott
0
 
David LeeCommented:
When you set the security to deny a particular computer, you're denying the machine account, not the account of any person who happens to be using that machine.  To make sure of this I denied my computer access to one of my printers and then tried printing to it.  The print went right through.  It makes you wonder what the point is of being able to assign permissions to a given computer.
0
 
tanelornCommented:
hi,
I found a little code snippet that should make this happen..

put this before the call to map the printers
if you want,  post your script, and I'll tak a look at it...

(plagerized from http://www.dbforums.com/archive/index.php/t-774023.html  )

############snip###############

set wshNetwork = CreateObject ("WScript.Network")
'deletes all network printers
Set clPrinters = WshNetwork.EnumPrinterConnections
On Error Resume Next
For i = 0 to clPrinters.Count - 1 Step 2
wshNetwork.RemovePrinterConnection clPrinters.Item(i+1), true
Next


################snip###############
Tanelorn
0
 
tanelornCommented:
Hi,

this however won't prevent someone from mapping a printer if they know how...
I'm not sure what your priority is..
T
0
 
downehouseAuthor Commented:
Hi

Thanks for the advice.
Im going to try this vb script.
We have vb scripts running on the workstations to install the network printers.
This vb script to remove the printers im going try it in gpo, log off.
I will let you know how it goes.
Cheers

H
0
 
downehouseAuthor Commented:
Hi

My current vb script for network printer connection is :
Set WshNetwork = CreateObject("WScript.Network")
WshNetwork.AddWindowsPrinterConnection "\\server\printer"
WshNetwork.SetDefaultPrinter "\\server\printer"

Now I have added that delete network printers part and the script looks as below :

set wshNetwork = CreateObject ("WScript.Network")
'deletes all network printers
Set clPrinters = WshNetwork.EnumPrinterConnections
On Error Resume Next
For i = 0 to clPrinters.Count - 1 Step 2
wshNetwork.RemovePrinterConnection clPrinters.Item(i+1), true
Next

My current vb script for network printer connection is :
Set WshNetwork = CreateObject("WScript.Network")
WshNetwork.AddWindowsPrinterConnection "\\server\printer"
WshNetwork.SetDefaultPrinter "\\server\printer"

This seems to have sorted it out. This script is run on the local machine for all users.

Cheers for that mate.
0
 
tanelornCommented:
Hi,
I'm glad that worked for you!!

:)

Be well

T
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now