Solved

Allow Print Operators to Add Printers to Domain Controllers

Posted on 2009-07-14
5
1,094 Views
Last Modified: 2012-05-07
I need to arrange for a limited number of our desktop engineers to be able to add printers to our 2K3 SP2 DCs.

I've tried a few things with no success.

1.  Created separate AD group and placed new group as member of Print Operators
2.  Amended the permissions on HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors on each of the DCs to allow Print Operators full control.
3.  Changed domain delegate control so that new AD group has full control over print objects

And whenever those users try to add a printer they're still immediately told on double clicking "Add Printer" that they don't have sufficient rights to add printers to <dc name>.

Any ideas where to look from here?

0
Comment
Question by:davewl
  • 3
  • 2
5 Comments
 
LVL 3

Author Comment

by:davewl
ID: 24848288
Also tried giving the Print Operators group ability to load and unload device drivers through Group Policy.

Still not playing.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24856823
Hey,

If your users are creating a printer on a server they should have the correct permissions on that server itself, being a member of the print operators locally. It might be that something strange happenend there.
Do you see anything in event viewer when they are trying to add printers?
0
 
LVL 3

Author Comment

by:davewl
ID: 24856885
Bear in mind these are DCs so there are no local user groups.  I'm guessing that whatever is wrong it's going to have to be resolved through domain rights.

The event logs also rather unhelpfully show nothing.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24856935
hmm... Even if you have a domain, you still have local groups you need to access..
If you look at a server, you will see there is an administrators group. Because the server joins the domain, the domain admins will automatically be added to the local administrators group on that server. This is just a long shot btw, but my guess is you shoul;d be looking at the server itself. Halfway the installation it only asks you to add the printer to the domain.
0
 
LVL 3

Accepted Solution

by:
davewl earned 0 total points
ID: 24903766
Member servers of a domain continue to have local user groups.

The domain controllers themselves don't - and these are the actual domain controllers and not member servers.

Anyway - the answer to my question seems to be one of patience.  About twelve hours after I amended the delegate control and the group policy change it all suddenly started working.  And this is despite several gpupdate /force runs while I was testing at the time.

So we'll put this one down to some sort of weird and wonderful replication/group policy interval.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Lync 2010 4 43
LOGINSERVER and nltest /dsgetdc 3 37
Remove Exchange after Office 365 move 3 43
Need GPO to have IE is not set to automatically detect intranet sites 8 27
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question