Restrict network printer to only allow 2 people to print to it

Quick issue.

Currently one of my clients has a printer in the CEO's office that everyone has the ability to print to.   The printer is not shared on the network so I am unsure how the printers are being added to the workstations, perhaps some clever people here that know how to manually map to it.

What is the best practice to only allow 2 people to access the printer?  

What I did was share the printer on the network, and removed everyone from the security tab under printer properties. I then just added the 2 users that need it since they are on the domain. My only worry is 1 user is a Mac user and will the policy reach her Mac machine allowing her to print? I guess I need to test it out from another machine to ensure no one else can. But I wanted thoughts if what I did was not 100% and perhaps there is a better recommendation.

Most Valuable Expert 2013

Commented:
What is the make & model? Many business grade printers have embedded utilities that can be used to help with this.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:

HP LaserJet 400 color M451dn

It doesn't have to be shared. If it's connected to the network it'll be seen. If not wired, check wireless (DHCP can be a PITA).
You might want to make sure WDS is disabled too.

What is the best practice to only allow 2 people to access the printer?

Put it in a DMZ and block all traffic to and from the printer in relationship to the LAN.
Then create an allowance rule for the two users (IPs) you want to be able to use it.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:

The printer is hardwired statically.   Can you explain how to do the second part of your answer?

What type of firewall does the site have?

SonicWall, Fortinet, etc.
DP230, Network Administrator

Commented:
Separate the BOD network, then you can use an access list to block other networks from connecting to the printer.
Distinguished Expert 2019

Commented:
The printer is not shared on the network so I am unsure how the printers are being added to the workstations, perhaps some clever people here that know how to manually map to it.
It has an IP address on the network. Not very hard to locate a printer connected to a network.

The printer is hardwired statically.
Not a matter of cleverness. Some utilities search a network for all of the printers located on it.

Create a VLAN for just the printers. Have a print server in place. If users are only able to communicate with the print server, then you can do your restrictions there for any of the printers that you have it set up to share out.
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:

This is a very small infrastructure; I am almost positive there is no print server in place at all. That is a good idea. I am going to keep this open for now.

Most Valuable Expert 2013

Commented:
Yes, unfortunately nothing in the printer's embedded web server that will help, so having it in a separate IP range only visible to a VLAN for the two chosen users would be a good fix. If the infrastructure is as small as you suggest and the users are geographically close, could you simply turn one PC into the "print server" and share the connection just to those two accounts?
Andrew N. Kowtalo, Support Center Engineer

Author

Commented:

MASQ, I wonder how hard it would be to set up a print server on 2012.


Support Center Engineer
Commented:

I found out there was a local admin profile that allowed printing to the printer in question.  I restricted the logins to a restricted OU which prevents any students from doing anything further.
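
The replies in this thread point out that the printer answers on its IP address whether or not it is shared, and the asker plans to test from another machine. As an added example (not code from any poster in this thread), the Python script below reports whether the machine it runs on can open the printer's direct-print TCP ports; the port list is the standard RAW/LPD/IPP assignments, and the function names are this example's own.

```python
import socket

# Ports network printers commonly accept jobs on without any Windows share:
# raw/JetDirect, LPD and IPP. These are the standard port assignments; which
# of them this particular printer has enabled is not stated in the thread.
PRINT_PORTS = {9100: "RAW/JetDirect", 515: "LPD", 631: "IPP"}


def port_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or filtered
        return False


def check_printer(host, ports=PRINT_PORTS, timeout=2.0):
    """Map each print port to True (reachable) or False (blocked/closed)."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def verdict(results, should_print):
    """Compare what this machine can reach with what the policy intends."""
    reachable = sorted(p for p, ok in results.items() if ok)
    if should_print:
        return "OK" if reachable else "FAIL: allowed user cannot reach the printer"
    if reachable:
        return "FAIL: restricted machine can still reach ports %s" % reachable
    return "OK"


if __name__ == "__main__":
    import sys
    # Usage: python check_printer.py <printer-ip> <allowed|restricted>
    host, role = sys.argv[1], sys.argv[2]
    results = check_printer(host)
    for port, ok in sorted(results.items()):
        state = "reachable" if ok else "blocked"
        print("%5d %-14s %s" % (port, PRINT_PORTS[port], state))
    print(verdict(results, should_print=(role == "allowed")))
```

Run it once from a machine that should be blocked and once from each of the two permitted machines (it runs unchanged on the Mac). A "reachable" result on a restricted machine means the share permissions alone are not what stands between that machine and the printer.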