[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 268
  • Last Modified:

What rights do I need to give to my users to copy file directly to printer device over SMB2 ?

Our primary Domain Controller is a SBS 2011, which also acts as a printserver.
When connecting with clients as Vista/Win7/Win2008(R2), SMB2 is used when  printing directly to the printer device by copying a file to the device, eg:
C:\Temp> copy printfile.txt  \\servername\printername 

Open in new window


C:\Temp> type printfile.txt >> \\servername\printername 

Open in new window

When issueing this with my user (Domain administrator rights), I have no problem.
When issueing this as a regular user i get an Access denied error.

When I disable the SMB2 protocol, this works fine.
Ref: http://www.experts-exchange.com/Database/Reporting_/Q_25353394.html?sfQueryTermInfo=1+10+30+access+deni+smb2

But that is not what I want. I want to keep SMB2 for backup and filecopy speed.

For testing purposes I set up another Windows 2008 R2 server as a print server, and on that server it works fine !

The printers are configured exactly the same on both printservers, everyone has print and manage rights. So I guess it must be a another security issue, not ?
Or is it because my SBS 2011 is a domain controller ?

What rigths do I need to give to my users to be able to print by copying a file directly to the device on the printserver ?

Tnx in advance, been struggling with this for 2 days now :-(
1 Solution
This is probably due to it being a domain controller - standard users have very few permissions on DC's, and I would suggest that you want to keep it that way;
The best option would be to use a different server as your print / file server - the other option would be to give users restricted print operator rights, but I wouldn't recomment this (see this article:  http://www.tech-faq.com/securing-domain-controllers.html )
XtensoAuthor Commented:
That was indeed what was needed.

I added our users (they are almost all power users) to the Print Operators group, and following the suggested document I removed the right for Print operators to "log on locally" and "shutdown the server".

This was a short and simple thread, but it resolved my issue !

Thanks !
Just to add to the already great solution:

eventhough I gave all domain users access to full control to all printers, (just like print operators do) my users could not print from DOS.

Adding them to the print operator group fixed it - just like Xtenso said.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now