How to prevent users from adding printers other than shared printers in Mac OS 10.4

Hi Experts.
I have a lab with a mac server sharing two printers to 20 mac workstations. I would like those workstations to print to those shared printers only through the server. I already set it that way, but I would like to prevent students from adding additional printers (from other labs or from the same lab but skipping the server).
Is it possible to disable the Add button on the Printer Manager on OS 10.4, or any other way to prevent students from adding printers other than the server-shared ones?
Every student have their own network username and password. I don't think that it is a good idea to disable Bonjour or AppleTalk.
Thanks in advance for your response.

Open in new window

Who is Participating?
pheidiusConnect With a Mentor Commented:
I am only learning os X server myself for a lab sitiaution so I am not going to say I am an expert on this head. Workgroup Manager says it can do what you want
Printer preferences. Define a set of printers and a default printer for any user, group, or computer. With Workgroup
Manager, you dont need to set up printers on each computer in your organization. You can associate a computer
with a nearby printer, making it easy for users to find their printouts. You can also associate individual users with a
particular printer, regardless of the computer they are using. Workgroup Manager supports per-page print quotas to
limit printer use and can prevent unauthorized use of select printers. For example, you can permit unlimited use of
direct-connect inkjet printers, require administrator access for printing to specific printers, and restrict access to
expensive network color printers.
One way would be to not give them access to anything in system preferences much less add printer. But it looks like there are other ways too. Look at inclusive settings
Dump apple talk completely. it is pretty much a dead protocol anyway. Use ip printing in your room instead. Adding a printer via ip will no longer  be just plug scroll and pick anymore. students can't connect to printers whose ip addresses they do not know. Here is a good link to get you going.
supportlaselleduAuthor Commented:
I disabled AppleTalk from the DirectoryAccess utility, but -as your article said, printers in the same network still are reachable using AppleTalk even after disabling it.
Currently, students can see printers from these connections:
Open Directory
Shared printers
I would like them to see only shared printers.
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

The article was talking about disabling apple talk at the backbone article level.
that would stop them from accesing anything with apple talk outside your room. What are you using bonjor for?
With most, if not all network printers you can disable AppleTalk on the printer. It's usually available somewhere if you point your browser at the printer's IP address. Or you can do it from the printer's front panel.

The other thing you may want to do is to set the printer so it will only accept prints from specified IP addresses (in your case, that of the server). That way users can no longer connect to it even with IP printing. This is also done with your browser.
Yes that is even more detailed. I was thinking if you had a dedicated router for your room then disabling apple talk  at that level would not interfere with anyone else's ability to use it if they need it. HDhondt may also on a good track with the second suggestion. If no one else in the building still needs apple talk, or if no one in the whole building really needs apple talk any more than disabling  it at all the backbone routers would be the quickest way. Then you just need to do the second part of hdhondt's suggestion.
supportlaselleduAuthor Commented:
Thanks for your comments, but what I really need is to prevent students from adding printers to their workstations.
Even if I disable all protocols except TCP/IP in the mac-lab printer, students can see printers located in other labs, or in faculty offices.
There are hundreds of printers showing on Add Printers, of the connections I mentioned above.
Bonjour is a protocol innate to OS X and cannot be uninstalled without wreacking havoc on the system.
Disabling the Add button in the Print Manager will help, if you know how.
The printers will only show in Add Printers if AppleTalk is available on both the printer and the Mac. Disabling it on the firewall should fix that. The following link shows the port numbers used by AppleTalk. Set your firewall to block those ports.

For a TCP/IP printer you need to know the address before you can Add it. Of course, most students will find the address very quickly if they wants to. If you set your printers to only accept jobs specific addresses, that will stop people outside the lab from using your printer. Your students can then still print to other departments if they find the correct address, but at least you don't have to worry about your printers.
supportlaselleduAuthor Commented:
AppleTalk is the least problem I have, because our workstations only show a couple of AppleTalk-connected printers. However, it shows dozens of Bonjour- and OpenDirectory-connected printers.
Pheidius, I think that a mac server is the way to go. I am going to buy one this week. We used the instructor computer as a print server. We never really bought an actual OS server, because we only have one lab with 20 macs on campus. the rest of our labs run on Windows, and all our servers are Windows too. But with all this printer headaches, I think that we really need a Mac server.
Thanks for your help!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.