JaybirdOSU
asked on
Limit printer permissions to specific computers
I host all of my printers from a Server 2012 R2 print server, in an Active Directory environment. I use standard printer deployment via Group Policy to deploy the correct printers to the proper computers.
I have a lab with computers and a printer. I want to limit printing to this printer to ONLY the computers that are in the lab. Basically, I don't want a user on a computer outside the lab to be able to manually add this printer and print to it. I know I can limit printing to a printer based off of a group of users, but I haven't had any success doing it with a group of computers. Right now, I have removed the printer from being listed in the directory, which helps, but I have some pretty savvy users who would try to connect to the printer from the computer at their desk once they saw the printer share name.
Is it possible to do what I'm asking?
I have a lab with computers and a printer. I want to limit printing to this printer to ONLY the computers that are in the lab. Basically, I don't want a user on a computer outside the lab to be able to manually add this printer and print to it. I know I can limit printing to a printer based off of a group of users, but I haven't had any success doing it with a group of computers. Right now, I have removed the printer from being listed in the directory, which helps, but I have some pretty savvy users who would try to connect to the printer from the computer at their desk once they saw the printer share name.
Is it possible to do what I'm asking?
You can configure a GPO for all user to prevent installation of Printer Drivers
Devices: Prevent users from installing printer drivers
If there is a support team, you can create group add support members for installing printers.
http://technet.microsoft.com/en-us/library/jj852204.aspx
else, as printer is connected to network anyone can install printer driver and configure it by giving IP address
Devices: Prevent users from installing printer drivers
If there is a support team, you can create group add support members for installing printers.
http://technet.microsoft.com/en-us/library/jj852204.aspx
else, as printer is connected to network anyone can install printer driver and configure it by giving IP address
Yes, I would recommend:
1- Setup the printer on your print server as you have specified and limit access to it
2- Connect to the printer
a- disable all unnecessary protocols
b- lock down the printer so only the print server (and maybe an Admin PC) can access it
Please provide the make/model of the printer and I can provide more specific details.
1- Setup the printer on your print server as you have specified and limit access to it
2- Connect to the printer
a- disable all unnecessary protocols
b- lock down the printer so only the print server (and maybe an Admin PC) can access it
Please provide the make/model of the printer and I can provide more specific details.
ASKER
This is an HP Color LaserJet 4700.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
AD tends to restrict access based on user accounts, rather than computers. You might be be able to restrict it through the printer configuration.
What type of printer is it? Most will have the ability to limit printing by IP address. It is usually a setting within the printer software. This way you could only allow access by the systems in the lab. If you have DHCP setup, you may also be able to restrict via MAC address.
What type of printer is it? Most will have the ability to limit printing by IP address. It is usually a setting within the printer software. This way you could only allow access by the systems in the lab. If you have DHCP setup, you may also be able to restrict via MAC address.
If you remove the printer from AD and manually assign it to the PCs in the Lab, that still doesn't keep others from printing to it outside of the lab as long as the lab VLAN/IP segment is accessible. All that I need is to obtain the IP address of the printer by printing a config page.
If you only want PCs in that lab to print to the designated printer and do not care what users do so, then you have a few choices.
However, I see that this question is closed and will assume that you no longer want to pursue the issue.
If you only want PCs in that lab to print to the designated printer and do not care what users do so, then you have a few choices.
However, I see that this question is closed and will assume that you no longer want to pursue the issue.
Then if you really want, you can add just the computer accounts to the printer object rather than the user accounts.