  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1445

Granting a non-administrator full print management permissions.

One of our clients needs one of their users to fully manage printers: he needs to be able to add and/or remove them, manage network sharing of them, update drivers, add or change ports, etc. So I have given him the "Print Operators" group; however, it appears as if Server 2008 cripples the PO group. Once granted those rights, he can access almost everything except the sharing. Our client does not want this particular user to be able to do anything on the print server, which is also the Domain Controller and file server. What I am looking for is explicit permissions to manage everything for the printers and the printers only. I have created a new GPO for the print operators group and fixed the permissions for adding drivers. Is there a GPO template for a Printer Admin?
Asked by: sbaylis
1 Solution
 
yo_bee (Director of IT) commented:
Is this a Domain or Workgroup?

Add the user to the Print Server Print Operators group.

sbaylis (Author) commented:
Domain.  Please read the question, I have already added them to the PO group.

yo_bee (Director of IT) commented:

sbaylis (Author) commented:
I have already put these options in place, and when I test the user's account he still gets a UAC username and password prompt followed by "access denied" when I try to access the sharing properties.

yo_bee (Director of IT) commented:
Have you tried adding the user to one of the Printer Object ACLs?

yo_bee (Director of IT) commented:

sbaylis (Author) commented:
OK, allow me to clarify a bit. This is not for managing printers on a local machine. This is for management of all aspects of the "Print Server" on the client's Domain Controller. I have created a GPO and AD group named "Print Administrators", to which I have applied the Microsoft recommended changes. I've made the user a member of the print administrator and print operator security groups, and with all of those things done almost everything is working. But when I try to access the sharing I am prompted for a password; if I put the user's password in, I get the attached error. I would think that with NTFS permissions I could simply grant the group access to the particular files needed, but it is not an option.
Attachments: gpo.jpg, gpo2.jpg, uacpwprompt.jpg, requireselevation.jpg

yo_bee (Director of IT) commented:
If I am understanding this correctly, your DC is also a File and Print server?

sbaylis (Author) commented:
They have a separate file server. But it is DHCP, DNS, AD, Antivirus, Print server and MSUS.

yo_bee (Director of IT) commented:
Are you getting access denied on the User's computer or the Server?

sbaylis (Author) commented:
I have the user remoting in to the DC via RDP, and I am getting the message there. However, I must add some updates: I made some more Group Policy changes and was able to resolve most of the permission issues. The only problem I have left now is that when adding a new printer it allows me to choose a driver location but then fails, saying that ntprint.exe needs elevation. And this is a signed driver, so I haven't found a GP setting for that yet, but I am still looking. When I am done I am going to send the GPO template to Microsoft because this is just ridiculous.

yo_bee (Director of IT) commented:
GL

sbaylis (Author) commented:
thx

yo_bee (Director of IT) commented:
Most of your issues stem from the GPO and Security placed on a DC and non-admin users.
If this was a standalone PS you probably would not have had any issues at all.

sbaylis (Author) commented:
This particular client hired us a while back, and when we started they had 10 plus servers for a single office operation. We have them down to about 3 physical servers, so setting up a standalone PS isn't an option, though it was an option I presented them with at first for simplification. I've resolved the issue through trial and error and many manual adjustments to NTFS file permissions and GPOs. The user only needs an admin password when he adds a new driver, which he shouldn't and won't be doing very often, so the office admin has agreed to enter the Domain admin credentials if and when he needs them. Thank you everyone for your help and input.

sbaylis (Author) commented:
No one was able to help resolve the issue or offer any advice that resolved it.