?
Solved

Allow Print Operators to Add Printers to Domain Controllers

Posted on 2009-07-14
5
Medium Priority
?
1,120 Views
Last Modified: 2012-05-07
I need to arrange for a limited number of our desktop engineers to be able to add printers to our 2K3 SP2 DCs.

I've tried a few things with no success.

1.  Created separate AD group and placed new group as member of Print Operators
2.  Amended the permissions on HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors on each of the DCs to allow Print Operators full control.
3.  Changed domain delegate control so that new AD group has full control over print objects

And whenever those users try to add a printer they're still immediately told on double clicking "Add Printer" that they don't have sufficient rights to add printers to <dc name>.

Any ideas where to look from here?

0
Comment
Question by:davewl
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 3

Author Comment

by:davewl
ID: 24848288
Also tried giving the Print Operators group ability to load and unload device drivers through Group Policy.

Still not playing.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24856823
Hey,

If your users are creating a printer on a server they should have the correct permissions on that server itself, being a member of the print operators locally. It might be that something strange happenend there.
Do you see anything in event viewer when they are trying to add printers?
0
 
LVL 3

Author Comment

by:davewl
ID: 24856885
Bear in mind these are DCs so there are no local user groups.  I'm guessing that whatever is wrong it's going to have to be resolved through domain rights.

The event logs also rather unhelpfully show nothing.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24856935
hmm... Even if you have a domain, you still have local groups you need to access..
If you look at a server, you will see there is an administrators group. Because the server joins the domain, the domain admins will automatically be added to the local administrators group on that server. This is just a long shot btw, but my guess is you shoul;d be looking at the server itself. Halfway the installation it only asks you to add the printer to the domain.
0
 
LVL 3

Accepted Solution

by:
davewl earned 0 total points
ID: 24903766
Member servers of a domain continue to have local user groups.

The domain controllers themselves don't - and these are the actual domain controllers and not member servers.

Anyway - the answer to my question seems to be one of patience.  About twelve hours after I amended the delegate control and the group policy change it all suddenly started working.  And this is despite several gpupdate /force runs while I was testing at the time.

So we'll put this one down to some sort of weird and wonderful replication/group policy interval.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month15 days, 15 hours left to enroll

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question