Inherited Permissions for Printers

Archived from groups: microsoft.public.win2000.active_directory (More info?)

All,

I realise this is a printing question, but I think it's probably more GPO/AD
related too.

Is there any way that permissions for locally installed printers on a
Windows 2000 Advanced server can be set to inherit in the same way that
files and folders can? E.g. when someone creates a new local printer, I want
to be able to specify what the default security permissions will be set to.

We have a Windows 2000 domain with print queues set up locally on Windows
2000 Advanced Server member servers. I'm trying to set up our member servers
so that when a member of the domain security group "IT Helpdesk Staff"
creates a new local printer, the correct permissions are automatically
assigned to it and all the IT staff needs to do is add the relevant User
groups with print access.

The domain secirity group "IT Helpdesk Staff" has only domain user rights
but is also a member of the local Power Users group on the Windows 2000
member servers, and so has full permissions to create new printers locally.

Thanks again,
Paul.
17 answers Last reply
More about inherited permissions printers
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hello Paul,
    Good question. Yes it's possible to inheritance the Security (ACL) from the
    computer object in the Active Directory, since all printers published in
    active directory is child objects to it's host/computer/server.

    You can give the "IT Helpdesk Staff" Full Control of child objects of type
    PrinterObjects or just Add / Remove Printer Objects. You should see an entry
    for the Printer Operators group with rights Add / Remove Printer Objects in
    the ACL list on the computer/host/server object in AD.

    Have a look at this KB, How to view printers within the ADUC MMC.
    http://support.microsoft.com/support/kb/articles/Q235/9/25.ASP

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

    "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    > All,
    >
    > I realise this is a printing question, but I think it's probably more
    > GPO/AD related too.
    >
    > Is there any way that permissions for locally installed printers on a
    > Windows 2000 Advanced server can be set to inherit in the same way that
    > files and folders can? E.g. when someone creates a new local printer, I
    > want to be able to specify what the default security permissions will be
    > set to.
    >
    > We have a Windows 2000 domain with print queues set up locally on Windows
    > 2000 Advanced Server member servers. I'm trying to set up our member
    > servers so that when a member of the domain security group "IT Helpdesk
    > Staff" creates a new local printer, the correct permissions are
    > automatically assigned to it and all the IT staff needs to do is add the
    > relevant User groups with print access.
    >
    > The domain secirity group "IT Helpdesk Staff" has only domain user rights
    > but is also a member of the local Power Users group on the Windows 2000
    > member servers, and so has full permissions to create new printers
    > locally.
    >
    > Thanks again,
    > Paul.
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    > Hello Paul,
    > Good question. Yes it's possible to inheritance the Security (ACL) from
    the
    > computer object in the Active Directory, since all printers published in
    > active directory is child objects to it's host/computer/server.

    I don't think so. The Printer's so published are not
    "children" of the computer object for several reasons
    but the most important is that Computer objects are
    NOT containers.

    Also note, the Computer object in AD will not get
    you permissions to the actual PRINTER (queue)
    anyway.

    Also, since these are local printers they may not
    even be published in AD.

    > You can give the "IT Helpdesk Staff" Full Control of child objects of type
    > PrinterObjects or just Add / Remove Printer Objects. You should see an
    entry
    > for the Printer Operators group with rights Add / Remove Printer Objects
    in
    > the ACL list on the computer/host/server object in AD.

    Unless I am totally wrong about this, there is no
    place to "inherit permissions" on the PRINTER
    (queue) share objects themselves since they have
    no parent.

    I.E., you still won't be able to print.

    A Restricted Group MIGHT help but the group
    used will need to be one that is already assigned
    by default, or there must be another way to give
    this group the requisite permissions.

    A startup script might wrap this stuff up by
    enumerating Print shares etc.....


    --
    Herb Martin


    >
    > --
    > Regards
    > Christoffer Andersson
    > Microsoft MVP - Directory Services
    >
    > No email replies please - reply in the newsgroup
    > ------------------------------------------------
    > http://www.chrisse.se - Active Directory Tips
    >
    > "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    > news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    > > All,
    > >
    > > I realise this is a printing question, but I think it's probably more
    > > GPO/AD related too.
    > >
    > > Is there any way that permissions for locally installed printers on a
    > > Windows 2000 Advanced server can be set to inherit in the same way that
    > > files and folders can? E.g. when someone creates a new local printer, I
    > > want to be able to specify what the default security permissions will be
    > > set to.
    > >
    > > We have a Windows 2000 domain with print queues set up locally on
    Windows
    > > 2000 Advanced Server member servers. I'm trying to set up our member
    > > servers so that when a member of the domain security group "IT Helpdesk
    > > Staff" creates a new local printer, the correct permissions are
    > > automatically assigned to it and all the IT staff needs to do is add the
    > > relevant User groups with print access.
    > >
    > > The domain secirity group "IT Helpdesk Staff" has only domain user
    rights
    > > but is also a member of the local Power Users group on the Windows 2000
    > > member servers, and so has full permissions to create new printers
    > > locally.
    > >
    > > Thanks again,
    > > Paul.
    > >
    > >
    > >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    What I see this works, at least for Add/Remove Printers right. All objects
    are possible containers from my view. Local printers are by default
    published in the directory. Have you tried this solution?

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

    "Herb Martin" <news@LearnQuick.com> skrev i meddelandet
    news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    >> Hello Paul,
    >> Good question. Yes it's possible to inheritance the Security (ACL) from
    > the
    >> computer object in the Active Directory, since all printers published in
    >> active directory is child objects to it's host/computer/server.
    >
    > I don't think so. The Printer's so published are not
    > "children" of the computer object for several reasons
    > but the most important is that Computer objects are
    > NOT containers.
    >
    > Also note, the Computer object in AD will not get
    > you permissions to the actual PRINTER (queue)
    > anyway.
    >
    > Also, since these are local printers they may not
    > even be published in AD.
    >
    >> You can give the "IT Helpdesk Staff" Full Control of child objects of
    >> type
    >> PrinterObjects or just Add / Remove Printer Objects. You should see an
    > entry
    >> for the Printer Operators group with rights Add / Remove Printer Objects
    > in
    >> the ACL list on the computer/host/server object in AD.
    >
    > Unless I am totally wrong about this, there is no
    > place to "inherit permissions" on the PRINTER
    > (queue) share objects themselves since they have
    > no parent.
    >
    > I.E., you still won't be able to print.
    >
    > A Restricted Group MIGHT help but the group
    > used will need to be one that is already assigned
    > by default, or there must be another way to give
    > this group the requisite permissions.
    >
    > A startup script might wrap this stuff up by
    > enumerating Print shares etc.....
    >
    >
    > --
    > Herb Martin
    >
    >
    >>
    >> --
    >> Regards
    >> Christoffer Andersson
    >> Microsoft MVP - Directory Services
    >>
    >> No email replies please - reply in the newsgroup
    >> ------------------------------------------------
    >> http://www.chrisse.se - Active Directory Tips
    >>
    >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    >> > All,
    >> >
    >> > I realise this is a printing question, but I think it's probably more
    >> > GPO/AD related too.
    >> >
    >> > Is there any way that permissions for locally installed printers on a
    >> > Windows 2000 Advanced server can be set to inherit in the same way
    >> > that
    >> > files and folders can? E.g. when someone creates a new local printer, I
    >> > want to be able to specify what the default security permissions will
    >> > be
    >> > set to.
    >> >
    >> > We have a Windows 2000 domain with print queues set up locally on
    > Windows
    >> > 2000 Advanced Server member servers. I'm trying to set up our member
    >> > servers so that when a member of the domain security group "IT Helpdesk
    >> > Staff" creates a new local printer, the correct permissions are
    >> > automatically assigned to it and all the IT staff needs to do is add
    >> > the
    >> > relevant User groups with print access.
    >> >
    >> > The domain secirity group "IT Helpdesk Staff" has only domain user
    > rights
    >> > but is also a member of the local Power Users group on the Windows 2000
    >> > member servers, and so has full permissions to create new printers
    >> > locally.
    >> >
    >> > Thanks again,
    >> > Paul.
    >> >
    >> >
    >> >
    >>
    >>
    >
    >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    news:#599QQ$9EHA.2180@TK2MSFTNGP10.phx.gbl...
    > What I see this works, at least for Add/Remove Printers right. All objects
    > are possible containers from my view. Local printers are by default
    > published in the directory. Have you tried this solution?
    >

    No, I was long under the impression that neither
    users nor computer (accounts) were containers.

    If fact, if this is correct, neither are groups. (They
    are lists, i.e., that have a property which lists
    other security principles.)

    I am confused by what you say about "Add/remove
    printers right" -- the AD object is NOT the same as
    the Printer (queue) share.

    Are you saying that having permissions on the Computer
    object lets you add a Printer (in AD) under that Computer
    hierarchically?

    Are you saying that having permissions (somewhere)
    would let you INSTALL/Create the printers on
    computers and/or create a share from those printers
    or otherwise manage the queue?


    --
    Herb Martin


    "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    news:#599QQ$9EHA.2180@TK2MSFTNGP10.phx.gbl...
    > What I see this works, at least for Add/Remove Printers right. All objects
    > are possible containers from my view. Local printers are by default
    > published in the directory. Have you tried this solution?
    >
    > --
    > Regards
    > Christoffer Andersson
    > Microsoft MVP - Directory Services
    >
    > No email replies please - reply in the newsgroup
    > ------------------------------------------------
    > http://www.chrisse.se - Active Directory Tips
    >
    > "Herb Martin" <news@LearnQuick.com> skrev i meddelandet
    > news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    > > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    > > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    > >> Hello Paul,
    > >> Good question. Yes it's possible to inheritance the Security (ACL) from
    > > the
    > >> computer object in the Active Directory, since all printers published
    in
    > >> active directory is child objects to it's host/computer/server.
    > >
    > > I don't think so. The Printer's so published are not
    > > "children" of the computer object for several reasons
    > > but the most important is that Computer objects are
    > > NOT containers.
    > >
    > > Also note, the Computer object in AD will not get
    > > you permissions to the actual PRINTER (queue)
    > > anyway.
    > >
    > > Also, since these are local printers they may not
    > > even be published in AD.
    > >
    > >> You can give the "IT Helpdesk Staff" Full Control of child objects of
    > >> type
    > >> PrinterObjects or just Add / Remove Printer Objects. You should see an
    > > entry
    > >> for the Printer Operators group with rights Add / Remove Printer
    Objects
    > > in
    > >> the ACL list on the computer/host/server object in AD.
    > >
    > > Unless I am totally wrong about this, there is no
    > > place to "inherit permissions" on the PRINTER
    > > (queue) share objects themselves since they have
    > > no parent.
    > >
    > > I.E., you still won't be able to print.
    > >
    > > A Restricted Group MIGHT help but the group
    > > used will need to be one that is already assigned
    > > by default, or there must be another way to give
    > > this group the requisite permissions.
    > >
    > > A startup script might wrap this stuff up by
    > > enumerating Print shares etc.....
    > >
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > >>
    > >> --
    > >> Regards
    > >> Christoffer Andersson
    > >> Microsoft MVP - Directory Services
    > >>
    > >> No email replies please - reply in the newsgroup
    > >> ------------------------------------------------
    > >> http://www.chrisse.se - Active Directory Tips
    > >>
    > >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    > >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    > >> > All,
    > >> >
    > >> > I realise this is a printing question, but I think it's probably more
    > >> > GPO/AD related too.
    > >> >
    > >> > Is there any way that permissions for locally installed printers on a
    > >> > Windows 2000 Advanced server can be set to inherit in the same way
    > >> > that
    > >> > files and folders can? E.g. when someone creates a new local printer,
    I
    > >> > want to be able to specify what the default security permissions will
    > >> > be
    > >> > set to.
    > >> >
    > >> > We have a Windows 2000 domain with print queues set up locally on
    > > Windows
    > >> > 2000 Advanced Server member servers. I'm trying to set up our member
    > >> > servers so that when a member of the domain security group "IT
    Helpdesk
    > >> > Staff" creates a new local printer, the correct permissions are
    > >> > automatically assigned to it and all the IT staff needs to do is add
    > >> > the
    > >> > relevant User groups with print access.
    > >> >
    > >> > The domain secirity group "IT Helpdesk Staff" has only domain user
    > > rights
    > >> > but is also a member of the local Power Users group on the Windows
    2000
    > >> > member servers, and so has full permissions to create new printers
    > >> > locally.
    > >> >
    > >> > Thanks again,
    > >> > Paul.
    > >> >
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Computers, groups, and users are definitely container objects. See below, that
    shows all of the objects that can be instantiated below the user, group, and
    computer objects in my forest which is pretty standard.

    ADUC by default shows users, groups, and computers as nodes instead of as
    branches but you can override this by selecting view | Users, Groups, and
    Computers as Containers.

    Those objects just aren't normally considered containers by most people, this is
    mostly propogated by the default ADUC view.

    Any AD ACLs can be inherited to the sub objects of these objects just like in
    any AD inheritence. Question would come down to what specific permissions are
    needed and are they AD permissions on the Queue object or local server permissions.

    joe


    [Tue 01/11/2005 12:49:26.08]
    F:\temp\delete>adfind -schema -f
    "|(systemPossSuperiors=user)(possSuperiors=user)" -dn

    AdFind V01.25.01cpp Joe Richards (joe@joeware.net) December 2004

    Using server: 2k3dc02.joe.com
    Directory: Windows Server 2003
    Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

    dn:CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=RID-Set,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Class-Store,CN=Schema,CN=Configuration,DC=joe,DC=com

    3 Objects returned


    The command completed successfully.


    [Tue 01/11/2005 12:49:36.90]
    F:\temp\delete>adfind -schema -f
    "|(systemPossSuperiors=computer)(possSuperiors=computer)" -dn

    AdFind V01.25.01cpp Joe Richards (joe@joeware.net) December 2004

    Using server: 2k3dc02.joe.com
    Directory: Windows Server 2003
    Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

    dn:CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Exchange-Admin-Service,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-MDB,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-MTA,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Protocol-Cfg-Shared,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Intellimirror-SCP,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Ipsec-Filter,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Ipsec-ISAKMP-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Ipsec-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Storage-Group,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-DS-App-Configuration,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-DS-App-Data,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-ieee-80211-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Protocol-Cfg-Shared-Server,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-RAS-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=DSA,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-TP4-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Transport-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=MSMQ-Configuration,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-X25-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Private-MDB,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Local-DXA,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=ms-Exch-Public-MDB,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Print-Queue,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Application-Process,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Remote-Storage-Service-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Application-Version,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=RID-Set,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Class-Store,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Connection-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=RRAS-Administration-Connection-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    dn:CN=Service-Administration-Point,CN=Schema,CN=Configuration,DC=joe,DC=com

    35 Objects returned


    The command completed successfully.


    [Tue 01/11/2005 12:49:49.99]
    [Tue 01/11/2005 12:51:03.97]
    F:\temp\delete>adfind -schema -f
    "|(systemPossSuperiors=group)(possSuperiors=group)" -dn

    AdFind V01.25.01cpp Joe Richards (joe@joeware.net) December 2004

    Using server: 2k3dc02.joe.com
    Directory: Windows Server 2003
    Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

    dn:CN=Class-Store,CN=Schema,CN=Configuration,DC=joe,DC=com

    1 Objects returned


    The command completed successfully.


    [Tue 01/11/2005 12:51:30.56]
    F:\temp\delete>


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Herb Martin wrote:
    > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    > news:#599QQ$9EHA.2180@TK2MSFTNGP10.phx.gbl...
    >
    >>What I see this works, at least for Add/Remove Printers right. All objects
    >>are possible containers from my view. Local printers are by default
    >>published in the directory. Have you tried this solution?
    >>
    >
    >
    > No, I was long under the impression that neither
    > users nor computer (accounts) were containers.
    >
    > If fact, if this is correct, neither are groups. (They
    > are lists, i.e., that have a property which lists
    > other security principles.)
    >
    > I am confused by what you say about "Add/remove
    > printers right" -- the AD object is NOT the same as
    > the Printer (queue) share.
    >
    > Are you saying that having permissions on the Computer
    > object lets you add a Printer (in AD) under that Computer
    > hierarchically?
    >
    > Are you saying that having permissions (somewhere)
    > would let you INSTALL/Create the printers on
    > computers and/or create a share from those printers
    > or otherwise manage the queue?
    >
    >
    >
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    news:#i1jobA#EHA.2568@TK2MSFTNGP10.phx.gbl...
    > Computers, groups, and users are definitely container objects. See below,
    that
    > shows all of the objects that can be instantiated below the user, group,
    and
    > computer objects in my forest which is pretty standard.
    >

    Well, then Chris and you haved taught me
    something since I firmly believed that all
    of the security principles were Leaf Objects
    and not containers.


    > ADUC by default shows users, groups, and computers as nodes instead of as
    > branches but you can override this by selecting view | Users, Groups, and
    > Computers as Containers.

    Interesting.

    > Those objects just aren't normally considered containers by most people,
    this is
    > mostly propogated by the default ADUC view.

    Ok, but I really believed they were somehow marked
    as Leaf Objects.

    > Any AD ACLs can be inherited to the sub objects of these objects just like
    in
    > any AD inheritence.

    Sure, if they are true containers then this would
    be expected.

    > Question would come down to what specific permissions are
    > needed and are they AD permissions on the Queue object or local server
    permissions.

    Now, if you guys are telling me that this somehow
    affects the PRINTERS (the QUEUES) on the computers
    I am really going to be shocked.
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hey Joe.

    I have a comment for "Any AD ACL's can be inherited to the sub objects of
    these objects just like in any AD inheritance"

    Exchange doesn't follow the guidelines for permission and inheritance. Some
    Permissions must be added at the exactly right level to have inheritance
    effect else it will be ignored, even if the right are assigned explicit to
    the object it self.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

    "Joe Richards [MVP]" <humorexpress@hotmail.com> skrev i meddelandet
    news:%23i1jobA%23EHA.2568@TK2MSFTNGP10.phx.gbl...
    > Computers, groups, and users are definitely container objects. See below,
    > that shows all of the objects that can be instantiated below the user,
    > group, and computer objects in my forest which is pretty standard.
    >
    > ADUC by default shows users, groups, and computers as nodes instead of as
    > branches but you can override this by selecting view | Users, Groups, and
    > Computers as Containers.
    >
    > Those objects just aren't normally considered containers by most people,
    > this is mostly propogated by the default ADUC view.
    >
    > Any AD ACLs can be inherited to the sub objects of these objects just like
    > in any AD inheritence. Question would come down to what specific
    > permissions are needed and are they AD permissions on the Queue object or
    > local server permissions.
    >
    > joe
    >
    >
    >
    >
    > [Tue 01/11/2005 12:49:26.08]
    > F:\temp\delete>adfind -schema -f
    > "|(systemPossSuperiors=user)(possSuperiors=user)" -dn
    >
    > AdFind V01.25.01cpp Joe Richards (joe@joeware.net) December 2004
    >
    > Using server: 2k3dc02.joe.com
    > Directory: Windows Server 2003
    > Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com
    >
    > dn:CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=RID-Set,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Class-Store,CN=Schema,CN=Configuration,DC=joe,DC=com
    >
    > 3 Objects returned
    >
    >
    > The command completed successfully.
    >
    >
    > [Tue 01/11/2005 12:49:36.90]
    > F:\temp\delete>adfind -schema -f
    > "|(systemPossSuperiors=computer)(possSuperiors=computer)" -dn
    >
    > AdFind V01.25.01cpp Joe Richards (joe@joeware.net) December 2004
    >
    > Using server: 2k3dc02.joe.com
    > Directory: Windows Server 2003
    > Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com
    >
    > dn:CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Exchange-Admin-Service,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-MDB,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-MTA,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Protocol-Cfg-Shared,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Intellimirror-SCP,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Ipsec-Filter,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Ipsec-ISAKMP-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Ipsec-Negotiation-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Ipsec-NFA,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Ipsec-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Storage-Group,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-DS-App-Configuration,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-DS-App-Data,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-ieee-80211-Policy,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Protocol-Cfg-Shared-Server,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-RAS-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=DSA,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-TP4-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Transport-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=MSMQ-Configuration,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-X25-Stack,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Private-MDB,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Local-DXA,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=NTFRS-Subscriptions,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=ms-Exch-Public-MDB,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Print-Queue,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Application-Process,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Remote-Storage-Service-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Application-Version,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=RID-Set,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Class-Store,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Connection-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=RRAS-Administration-Connection-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    > dn:CN=Service-Administration-Point,CN=Schema,CN=Configuration,DC=joe,DC=com
    >
    > 35 Objects returned
    >
    >
    > The command completed successfully.
    >
    >
    > [Tue 01/11/2005 12:49:49.99]
    > [Tue 01/11/2005 12:51:03.97]
    > F:\temp\delete>adfind -schema -f
    > "|(systemPossSuperiors=group)(possSuperiors=group)" -dn
    >
    > AdFind V01.25.01cpp Joe Richards (joe@joeware.net) December 2004
    >
    > Using server: 2k3dc02.joe.com
    > Directory: Windows Server 2003
    > Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com
    >
    > dn:CN=Class-Store,CN=Schema,CN=Configuration,DC=joe,DC=com
    >
    > 1 Objects returned
    >
    >
    > The command completed successfully.
    >
    >
    > [Tue 01/11/2005 12:51:30.56]
    > F:\temp\delete>
    >
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
    >
    >
    > Herb Martin wrote:
    >> "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    >> news:#599QQ$9EHA.2180@TK2MSFTNGP10.phx.gbl...
    >>
    >>>What I see this works, at least for Add/Remove Printers right. All
    >>>objects
    >>>are possible containers from my view. Local printers are by default
    >>>published in the directory. Have you tried this solution?
    >>>
    >>
    >>
    >> No, I was long under the impression that neither
    >> users nor computer (accounts) were containers.
    >>
    >> If fact, if this is correct, neither are groups. (They
    >> are lists, i.e., that have a property which lists
    >> other security principles.)
    >>
    >> I am confused by what you say about "Add/remove
    >> printers right" -- the AD object is NOT the same as
    >> the Printer (queue) share.
    >>
    >> Are you saying that having permissions on the Computer
    >> object lets you add a Printer (in AD) under that Computer
    >> hierarchically?
    >>
    >> Are you saying that having permissions (somewhere)
    >> would let you INSTALL/Create the printers on
    >> computers and/or create a share from those printers
    >> or otherwise manage the queue?
    >>
    >>
  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I don't think I follow what you mean Chris, could you expand on this?

    For specific AD permissioning on Exchange objects, Exchange has no choice but to
    follow the permissioning, however if Exchange is doing its own processing of
    permissions concerning functionality internal to Exchange, that it can do. But
    this is the same as the question about the whether the AD Permissions affecting
    the queue itself on the server versus just the AD Queue object. If there is
    something on the server checking the AD perms the AD perms would have whatever
    impact that sever process specified, if not there would be no linking.

    But again, I am not completely clear about what you are saying and a specific
    example would be great.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Chriss3 [MVP] wrote:
    > Hey Joe.
    >
    > I have a comment for "Any AD ACL's can be inherited to the sub objects of
    > these objects just like in any AD inheritance"
    >
    > Exchange doesn't follow the guidelines for permission and inheritance. Some
    > Permissions must be added at the exactly right level to have inheritance
    > effect else it will be ignored, even if the right are assigned explicit to
    > the object it self.
    >
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Shared Resources, such the printer queues or shared folders permission are
    not related to shared folder or printer objects in Active Directory, if you
    not want to, by reading SecurityDesscriptors from AD and apply them to the
    permission of the shared resource. Adding/Removing Printers in the directory
    can be delegated as the way I described. I was not clear and should pointed
    the solution of using the permission of the printer object in AD to the
    resource are not an easy task. You can use restricted groups and put the "IT
    Helpdesk Staff" into the Printer Operators group.

    The multivalued attribute possibleInferiors holds the object classes that
    can be possible child objects of an object class. I have once put the
    printer as a child objects to users. then I can create printer objects as
    child object of user accounts. You get some problem with port mapping I
    think, but it works.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

    "Herb Martin" <news@LearnQuick.com> skrev i meddelandet
    news:uHINy3A%23EHA.2600@TK2MSFTNGP09.phx.gbl...
    > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    > news:#i1jobA#EHA.2568@TK2MSFTNGP10.phx.gbl...
    >> Computers, groups, and users are definitely container objects. See below,
    > that
    >> shows all of the objects that can be instantiated below the user, group,
    > and
    >> computer objects in my forest which is pretty standard.
    >>
    >
    > Well, then Chris and you haved taught me
    > something since I firmly believed that all
    > of the security principles were Leaf Objects
    > and not containers.
    >
    >
    >> ADUC by default shows users, groups, and computers as nodes instead of as
    >> branches but you can override this by selecting view | Users, Groups, and
    >> Computers as Containers.
    >
    > Interesting.
    >
    >> Those objects just aren't normally considered containers by most people,
    > this is
    >> mostly propogated by the default ADUC view.
    >
    > Ok, but I really believed they were somehow marked
    > as Leaf Objects.
    >
    >> Any AD ACLs can be inherited to the sub objects of these objects just
    >> like
    > in
    >> any AD inheritence.
    >
    > Sure, if they are true containers then this would
    > be expected.
    >
    >> Question would come down to what specific permissions are
    >> needed and are they AD permissions on the Queue object or local server
    > permissions.
    >
    > Now, if you guys are telling me that this somehow
    > affects the PRINTERS (the QUEUES) on the computers
    > I am really going to be shocked.
    >
    >
  10. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I too am very intrigued by this thread, but didn't quite grasp that last
    post. Can you try that again please?

    Cheers!

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

    "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    news:uBytJQB%23EHA.3592@TK2MSFTNGP09.phx.gbl...
    Shared Resources, such the printer queues or shared folders permission are
    not related to shared folder or printer objects in Active Directory, if you
    not want to, by reading SecurityDesscriptors from AD and apply them to the
    permission of the shared resource. Adding/Removing Printers in the directory
    can be delegated as the way I described. I was not clear and should pointed
    the solution of using the permission of the printer object in AD to the
    resource are not an easy task. You can use restricted groups and put the "IT
    Helpdesk Staff" into the Printer Operators group.

    The multivalued attribute possibleInferiors holds the object classes that
    can be possible child objects of an object class. I have once put the
    printer as a child objects to users. then I can create printer objects as
    child object of user accounts. You get some problem with port mapping I
    think, but it works.

    --
    Regards
    Christoffer Andersson
    Microsoft MVP - Directory Services

    No email replies please - reply in the newsgroup
    ------------------------------------------------
    http://www.chrisse.se - Active Directory Tips

    "Herb Martin" <news@LearnQuick.com> skrev i meddelandet
    news:uHINy3A%23EHA.2600@TK2MSFTNGP09.phx.gbl...
    > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    > news:#i1jobA#EHA.2568@TK2MSFTNGP10.phx.gbl...
    >> Computers, groups, and users are definitely container objects. See below,
    > that
    >> shows all of the objects that can be instantiated below the user, group,
    > and
    >> computer objects in my forest which is pretty standard.
    >>
    >
    > Well, then Chris and you haved taught me
    > something since I firmly believed that all
    > of the security principles were Leaf Objects
    > and not containers.
    >
    >
    >> ADUC by default shows users, groups, and computers as nodes instead of as
    >> branches but you can override this by selecting view | Users, Groups, and
    >> Computers as Containers.
    >
    > Interesting.
    >
    >> Those objects just aren't normally considered containers by most people,
    > this is
    >> mostly propogated by the default ADUC view.
    >
    > Ok, but I really believed they were somehow marked
    > as Leaf Objects.
    >
    >> Any AD ACLs can be inherited to the sub objects of these objects just
    >> like
    > in
    >> any AD inheritence.
    >
    > Sure, if they are true containers then this would
    > be expected.
    >
    >> Question would come down to what specific permissions are
    >> needed and are they AD permissions on the Queue object or local server
    > permissions.
    >
    > Now, if you guys are telling me that this somehow
    > affects the PRINTERS (the QUEUES) on the computers
    > I am really going to be shocked.
    >
    >
  11. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    All,

    As Herb has pointed out (and I should have mentioned in the first place) the
    printer queues on the Windows 2000 member server in question are not
    published in active directory. Neither are they shared. They are accessed
    purely by the users that happen to be logged on to that local server at the
    time via Terminal Services.

    At the moment, when a member of IT Helpdesk Staff creates a new printer
    queue, the default security permissions are:
    Administrators = FC
    Creator Owner = Manage Docs
    Everyone = Print
    Power Users = FC

    I'm basically looking for an easy way to remove both the Creator Owner and
    Everyone groups so that a newly created print queue will only have the
    Administrators and PowerUsers group in the security permissions.

    This way when new print queues are created and the permissions have been
    'forgotten' about, no users will be able to print and someone will have to
    call the IT HelpDesk to have this resolved - as opposed to Everyone being
    able to use the printer and then jobs from Glasgow appearing on printers in
    London for example. (Not that I am at all implying that members of the IT
    HelpDesk Staff group have short term memory issues...)

    Thanks again,
    Paul.


    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    >> Hello Paul,
    >> Good question. Yes it's possible to inheritance the Security (ACL) from
    > the
    >> computer object in the Active Directory, since all printers published in
    >> active directory is child objects to it's host/computer/server.
    >
    > I don't think so. The Printer's so published are not
    > "children" of the computer object for several reasons
    > but the most important is that Computer objects are
    > NOT containers.
    >
    > Also note, the Computer object in AD will not get
    > you permissions to the actual PRINTER (queue)
    > anyway.
    >
    > Also, since these are local printers they may not
    > even be published in AD.
    >
    >> You can give the "IT Helpdesk Staff" Full Control of child objects of
    >> type
    >> PrinterObjects or just Add / Remove Printer Objects. You should see an
    > entry
    >> for the Printer Operators group with rights Add / Remove Printer Objects
    > in
    >> the ACL list on the computer/host/server object in AD.
    >
    > Unless I am totally wrong about this, there is no
    > place to "inherit permissions" on the PRINTER
    > (queue) share objects themselves since they have
    > no parent.
    >
    > I.E., you still won't be able to print.
    >
    > A Restricted Group MIGHT help but the group
    > used will need to be one that is already assigned
    > by default, or there must be another way to give
    > this group the requisite permissions.
    >
    > A startup script might wrap this stuff up by
    > enumerating Print shares etc.....
    >
    >
    > --
    > Herb Martin
    >
    >
    >>
    >> --
    >> Regards
    >> Christoffer Andersson
    >> Microsoft MVP - Directory Services
    >>
    >> No email replies please - reply in the newsgroup
    >> ------------------------------------------------
    >> http://www.chrisse.se - Active Directory Tips
    >>
    >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    >> > All,
    >> >
    >> > I realise this is a printing question, but I think it's probably more
    >> > GPO/AD related too.
    >> >
    >> > Is there any way that permissions for locally installed printers on a
    >> > Windows 2000 Advanced server can be set to inherit in the same way
    >> > that
    >> > files and folders can? E.g. when someone creates a new local printer, I
    >> > want to be able to specify what the default security permissions will
    >> > be
    >> > set to.
    >> >
    >> > We have a Windows 2000 domain with print queues set up locally on
    > Windows
    >> > 2000 Advanced Server member servers. I'm trying to set up our member
    >> > servers so that when a member of the domain security group "IT Helpdesk
    >> > Staff" creates a new local printer, the correct permissions are
    >> > automatically assigned to it and all the IT staff needs to do is add
    >> > the
    >> > relevant User groups with print access.
    >> >
    >> > The domain secirity group "IT Helpdesk Staff" has only domain user
    > rights
    >> > but is also a member of the local Power Users group on the Windows 2000
    >> > member servers, and so has full permissions to create new printers
    >> > locally.
    >> >
    >> > Thanks again,
    >> > Paul.
    >> >
    >> >
    >> >
    >>
    >>
    >
    >
  12. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I don't think you can modify the default queue perms like that. You should
    probably look into possibly scripting the queue installations or at least set up
    a script for checking/setting permissions that maybe runs nightly or hourly on
    the servers.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Paul Hadfield wrote:
    > All,
    >
    > As Herb has pointed out (and I should have mentioned in the first place) the
    > printer queues on the Windows 2000 member server in question are not
    > published in active directory. Neither are they shared. They are accessed
    > purely by the users that happen to be logged on to that local server at the
    > time via Terminal Services.
    >
    > At the moment, when a member of IT Helpdesk Staff creates a new printer
    > queue, the default security permissions are:
    > Administrators = FC
    > Creator Owner = Manage Docs
    > Everyone = Print
    > Power Users = FC
    >
    > I'm basically looking for an easy way to remove both the Creator Owner and
    > Everyone groups so that a newly created print queue will only have the
    > Administrators and PowerUsers group in the security permissions.
    >
    > This way when new print queues are created and the permissions have been
    > 'forgotten' about, no users will be able to print and someone will have to
    > call the IT HelpDesk to have this resolved - as opposed to Everyone being
    > able to use the printer and then jobs from Glasgow appearing on printers in
    > London for example. (Not that I am at all implying that members of the IT
    > HelpDesk Staff group have short term memory issues...)
    >
    > Thanks again,
    > Paul.
    >
    >
    >
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    >
    >>"Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    >>news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    >>
    >>>Hello Paul,
    >>>Good question. Yes it's possible to inheritance the Security (ACL) from
    >>
    >>the
    >>
    >>>computer object in the Active Directory, since all printers published in
    >>>active directory is child objects to it's host/computer/server.
    >>
    >>I don't think so. The Printer's so published are not
    >>"children" of the computer object for several reasons
    >>but the most important is that Computer objects are
    >>NOT containers.
    >>
    >>Also note, the Computer object in AD will not get
    >>you permissions to the actual PRINTER (queue)
    >>anyway.
    >>
    >>Also, since these are local printers they may not
    >>even be published in AD.
    >>
    >>
    >>>You can give the "IT Helpdesk Staff" Full Control of child objects of
    >>>type
    >>>PrinterObjects or just Add / Remove Printer Objects. You should see an
    >>
    >>entry
    >>
    >>>for the Printer Operators group with rights Add / Remove Printer Objects
    >>
    >>in
    >>
    >>>the ACL list on the computer/host/server object in AD.
    >>
    >>Unless I am totally wrong about this, there is no
    >>place to "inherit permissions" on the PRINTER
    >>(queue) share objects themselves since they have
    >>no parent.
    >>
    >>I.E., you still won't be able to print.
    >>
    >>A Restricted Group MIGHT help but the group
    >>used will need to be one that is already assigned
    >>by default, or there must be another way to give
    >>this group the requisite permissions.
    >>
    >>A startup script might wrap this stuff up by
    >>enumerating Print shares etc.....
    >>
    >>
    >>--
    >>Herb Martin
    >>
    >>
    >>
    >>>--
    >>>Regards
    >>>Christoffer Andersson
    >>>Microsoft MVP - Directory Services
    >>>
    >>>No email replies please - reply in the newsgroup
    >>>------------------------------------------------
    >>>http://www.chrisse.se - Active Directory Tips
    >>>
    >>>"Paul Hadfield" <paul@anon.com> skrev i meddelandet
    >>>news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    >>>
    >>>>All,
    >>>>
    >>>>I realise this is a printing question, but I think it's probably more
    >>>>GPO/AD related too.
    >>>>
    >>>>Is there any way that permissions for locally installed printers on a
    >>>>Windows 2000 Advanced server can be set to inherit in the same way
    >>>>that
    >>>>files and folders can? E.g. when someone creates a new local printer, I
    >>>>want to be able to specify what the default security permissions will
    >>>>be
    >>>>set to.
    >>>>
    >>>>We have a Windows 2000 domain with print queues set up locally on
    >>
    >>Windows
    >>
    >>>>2000 Advanced Server member servers. I'm trying to set up our member
    >>>>servers so that when a member of the domain security group "IT Helpdesk
    >>>>Staff" creates a new local printer, the correct permissions are
    >>>>automatically assigned to it and all the IT staff needs to do is add
    >>>>the
    >>>>relevant User groups with print access.
    >>>>
    >>>>The domain secirity group "IT Helpdesk Staff" has only domain user
    >>
    >>rights
    >>
    >>>>but is also a member of the local Power Users group on the Windows 2000
    >>>>member servers, and so has full permissions to create new printers
    >>>>locally.
    >>>>
    >>>>Thanks again,
    >>>>Paul.
    >>>>
    >>>>
    >>>>
    >>>
    >>>
    >>
    >
    >
  13. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Paul Hadfield" <me@none.com> wrote in message
    news:eexT6WD#EHA.1604@TK2MSFTNGP12.phx.gbl...
    > All,
    >
    > As Herb has pointed out (and I should have mentioned in the first place)
    the
    > printer queues on the Windows 2000 member server in question are not
    > published in active directory. Neither are they shared. They are accessed
    > purely by the users that happen to be logged on to that local server at
    the
    > time via Terminal Services.
    >
    > At the moment, when a member of IT Helpdesk Staff creates a new printer
    > queue, the default security permissions are:
    > Administrators = FC
    > Creator Owner = Manage Docs
    > Everyone = Print
    > Power Users = FC
    >
    > I'm basically looking for an easy way to remove both the Creator Owner and
    > Everyone groups so that a newly created print queue will only have the
    > Administrators and PowerUsers group in the security permissions.

    On it's face removing Creator/Owner sounds silly
    and the creator owner can ALWAYS change the
    permissions on an owned object even with no other
    (or even DENY all) permissions.

    Changing the Everyone group defaults sounds like
    a useful goal.

    How about a Startup script that just enumerates and
    fixes up the permissions on any print queues?

    > This way when new print queues are created and the permissions have been
    > 'forgotten' about, no users will be able to print and someone will have to
    > call the IT HelpDesk to have this resolved -

    Maybe best is to make the Users members of USERS
    instead of Power Users (or <ugh> Administrators)
    or just remove the ability to create printers from
    Power Users.

    Then they have to cal the Help Desk to start.

    > as opposed to Everyone being
    > able to use the printer and then jobs from Glasgow appearing on printers
    in
    > London for example. (Not that I am at all implying that members of the IT
    > HelpDesk Staff group have short term memory issues...)

    Or just teach users not to share (or use permissions
    correctly...)

    --
    Herb Martin


    >
    > Thanks again,
    > Paul.
    >
    >
    >
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    > > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    > > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    > >> Hello Paul,
    > >> Good question. Yes it's possible to inheritance the Security (ACL) from
    > > the
    > >> computer object in the Active Directory, since all printers published
    in
    > >> active directory is child objects to it's host/computer/server.
    > >
    > > I don't think so. The Printer's so published are not
    > > "children" of the computer object for several reasons
    > > but the most important is that Computer objects are
    > > NOT containers.
    > >
    > > Also note, the Computer object in AD will not get
    > > you permissions to the actual PRINTER (queue)
    > > anyway.
    > >
    > > Also, since these are local printers they may not
    > > even be published in AD.
    > >
    > >> You can give the "IT Helpdesk Staff" Full Control of child objects of
    > >> type
    > >> PrinterObjects or just Add / Remove Printer Objects. You should see an
    > > entry
    > >> for the Printer Operators group with rights Add / Remove Printer
    Objects
    > > in
    > >> the ACL list on the computer/host/server object in AD.
    > >
    > > Unless I am totally wrong about this, there is no
    > > place to "inherit permissions" on the PRINTER
    > > (queue) share objects themselves since they have
    > > no parent.
    > >
    > > I.E., you still won't be able to print.
    > >
    > > A Restricted Group MIGHT help but the group
    > > used will need to be one that is already assigned
    > > by default, or there must be another way to give
    > > this group the requisite permissions.
    > >
    > > A startup script might wrap this stuff up by
    > > enumerating Print shares etc.....
    > >
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > >>
    > >> --
    > >> Regards
    > >> Christoffer Andersson
    > >> Microsoft MVP - Directory Services
    > >>
    > >> No email replies please - reply in the newsgroup
    > >> ------------------------------------------------
    > >> http://www.chrisse.se - Active Directory Tips
    > >>
    > >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    > >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    > >> > All,
    > >> >
    > >> > I realise this is a printing question, but I think it's probably more
    > >> > GPO/AD related too.
    > >> >
    > >> > Is there any way that permissions for locally installed printers on a
    > >> > Windows 2000 Advanced server can be set to inherit in the same way
    > >> > that
    > >> > files and folders can? E.g. when someone creates a new local printer,
    I
    > >> > want to be able to specify what the default security permissions will
    > >> > be
    > >> > set to.
    > >> >
    > >> > We have a Windows 2000 domain with print queues set up locally on
    > > Windows
    > >> > 2000 Advanced Server member servers. I'm trying to set up our member
    > >> > servers so that when a member of the domain security group "IT
    Helpdesk
    > >> > Staff" creates a new local printer, the correct permissions are
    > >> > automatically assigned to it and all the IT staff needs to do is add
    > >> > the
    > >> > relevant User groups with print access.
    > >> >
    > >> > The domain secirity group "IT Helpdesk Staff" has only domain user
    > > rights
    > >> > but is also a member of the local Power Users group on the Windows
    2000
    > >> > member servers, and so has full permissions to create new printers
    > >> > locally.
    > >> >
    > >> > Thanks again,
    > >> > Paul.
    > >> >
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
  14. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "How about a Startup script that just enumerates and fixes up the
    permissions on any print queues?"


    I'm not sure how I would go about writing a script to do this - can you give
    me any pointers? My primary goal is to remove the Everyone group from all
    print queues and this seems to be the best idea so far.

    Cheers,
    Paul.


    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:%237UKFBH%23EHA.3260@TK2MSFTNGP14.phx.gbl...
    > "Paul Hadfield" <me@none.com> wrote in message
    > news:eexT6WD#EHA.1604@TK2MSFTNGP12.phx.gbl...
    >> All,
    >>
    >> As Herb has pointed out (and I should have mentioned in the first place)
    > the
    >> printer queues on the Windows 2000 member server in question are not
    >> published in active directory. Neither are they shared. They are accessed
    >> purely by the users that happen to be logged on to that local server at
    > the
    >> time via Terminal Services.
    >>
    >> At the moment, when a member of IT Helpdesk Staff creates a new printer
    >> queue, the default security permissions are:
    >> Administrators = FC
    >> Creator Owner = Manage Docs
    >> Everyone = Print
    >> Power Users = FC
    >>
    >> I'm basically looking for an easy way to remove both the Creator Owner
    >> and
    >> Everyone groups so that a newly created print queue will only have the
    >> Administrators and PowerUsers group in the security permissions.
    >
    > On it's face removing Creator/Owner sounds silly
    > and the creator owner can ALWAYS change the
    > permissions on an owned object even with no other
    > (or even DENY all) permissions.
    >
    > Changing the Everyone group defaults sounds like
    > a useful goal.
    >
    > How about a Startup script that just enumerates and
    > fixes up the permissions on any print queues?
    >
    >> This way when new print queues are created and the permissions have been
    >> 'forgotten' about, no users will be able to print and someone will have
    >> to
    >> call the IT HelpDesk to have this resolved -
    >
    > Maybe best is to make the Users members of USERS
    > instead of Power Users (or <ugh> Administrators)
    > or just remove the ability to create printers from
    > Power Users.
    >
    > Then they have to cal the Help Desk to start.
    >
    >> as opposed to Everyone being
    >> able to use the printer and then jobs from Glasgow appearing on printers
    > in
    >> London for example. (Not that I am at all implying that members of the IT
    >> HelpDesk Staff group have short term memory issues...)
    >
    > Or just teach users not to share (or use permissions
    > correctly...)
    >
    > --
    > Herb Martin
    >
    >
    >>
    >> Thanks again,
    >> Paul.
    >>
    >>
    >>
    >>
    >> "Herb Martin" <news@LearnQuick.com> wrote in message
    >> news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    >> > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    >> > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    >> >> Hello Paul,
    >> >> Good question. Yes it's possible to inheritance the Security (ACL)
    >> >> from
    >> > the
    >> >> computer object in the Active Directory, since all printers published
    > in
    >> >> active directory is child objects to it's host/computer/server.
    >> >
    >> > I don't think so. The Printer's so published are not
    >> > "children" of the computer object for several reasons
    >> > but the most important is that Computer objects are
    >> > NOT containers.
    >> >
    >> > Also note, the Computer object in AD will not get
    >> > you permissions to the actual PRINTER (queue)
    >> > anyway.
    >> >
    >> > Also, since these are local printers they may not
    >> > even be published in AD.
    >> >
    >> >> You can give the "IT Helpdesk Staff" Full Control of child objects of
    >> >> type
    >> >> PrinterObjects or just Add / Remove Printer Objects. You should see an
    >> > entry
    >> >> for the Printer Operators group with rights Add / Remove Printer
    > Objects
    >> > in
    >> >> the ACL list on the computer/host/server object in AD.
    >> >
    >> > Unless I am totally wrong about this, there is no
    >> > place to "inherit permissions" on the PRINTER
    >> > (queue) share objects themselves since they have
    >> > no parent.
    >> >
    >> > I.E., you still won't be able to print.
    >> >
    >> > A Restricted Group MIGHT help but the group
    >> > used will need to be one that is already assigned
    >> > by default, or there must be another way to give
    >> > this group the requisite permissions.
    >> >
    >> > A startup script might wrap this stuff up by
    >> > enumerating Print shares etc.....
    >> >
    >> >
    >> > --
    >> > Herb Martin
    >> >
    >> >
    >> >>
    >> >> --
    >> >> Regards
    >> >> Christoffer Andersson
    >> >> Microsoft MVP - Directory Services
    >> >>
    >> >> No email replies please - reply in the newsgroup
    >> >> ------------------------------------------------
    >> >> http://www.chrisse.se - Active Directory Tips
    >> >>
    >> >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    >> >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    >> >> > All,
    >> >> >
    >> >> > I realise this is a printing question, but I think it's probably
    >> >> > more
    >> >> > GPO/AD related too.
    >> >> >
    >> >> > Is there any way that permissions for locally installed printers on
    >> >> > a
    >> >> > Windows 2000 Advanced server can be set to inherit in the same way
    >> >> > that
    >> >> > files and folders can? E.g. when someone creates a new local
    >> >> > printer,
    > I
    >> >> > want to be able to specify what the default security permissions
    >> >> > will
    >> >> > be
    >> >> > set to.
    >> >> >
    >> >> > We have a Windows 2000 domain with print queues set up locally on
    >> > Windows
    >> >> > 2000 Advanced Server member servers. I'm trying to set up our member
    >> >> > servers so that when a member of the domain security group "IT
    > Helpdesk
    >> >> > Staff" creates a new local printer, the correct permissions are
    >> >> > automatically assigned to it and all the IT staff needs to do is add
    >> >> > the
    >> >> > relevant User groups with print access.
    >> >> >
    >> >> > The domain secirity group "IT Helpdesk Staff" has only domain user
    >> > rights
    >> >> > but is also a member of the local Power Users group on the Windows
    > 2000
    >> >> > member servers, and so has full permissions to create new printers
    >> >> > locally.
    >> >> >
    >> >> > Thanks again,
    >> >> > Paul.
    >> >> >
    >> >> >
    >> >> >
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    >
  15. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Paul Hadfield" <paul@anon.com> wrote in message
    news:uyK0DwK#EHA.1396@tk2msftngp13.phx.gbl...
    >
    > "How about a Startup script that just enumerates and fixes up the
    > permissions on any print queues?"
    >
    >
    > I'm not sure how I would go about writing a script to do this - can you
    give
    > me any pointers? My primary goal is to remove the Everyone group from all
    > print queues and this seems to be the best idea so far.


    If you don't already write a few scripts this would
    be a big "chunk" to learn all at once, and unfortunately
    the commands available natively (and flexibility) varies
    by OS version/type.

    Naively (it's not perfect) you can get a list of Print shares this way:

    net share | find "Spooled"

    On XP+ you can use PrnMngr to do (some of the) work.

    Using things like VBS/WMI/ADSI you can do this stuff.

    SetAcl.exe free from SourceForge.net can do it, but it has
    a really complex command line.

    Someone who does this everyday might have a pre-built
    suggestion -- I would have to write something and much
    of that would depend on which clients and server OS's
    you have.

    --
    Herb Martin


    >
    > Cheers,
    > Paul.
    >
    >
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:%237UKFBH%23EHA.3260@TK2MSFTNGP14.phx.gbl...
    > > "Paul Hadfield" <me@none.com> wrote in message
    > > news:eexT6WD#EHA.1604@TK2MSFTNGP12.phx.gbl...
    > >> All,
    > >>
    > >> As Herb has pointed out (and I should have mentioned in the first
    place)
    > > the
    > >> printer queues on the Windows 2000 member server in question are not
    > >> published in active directory. Neither are they shared. They are
    accessed
    > >> purely by the users that happen to be logged on to that local server at
    > > the
    > >> time via Terminal Services.
    > >>
    > >> At the moment, when a member of IT Helpdesk Staff creates a new printer
    > >> queue, the default security permissions are:
    > >> Administrators = FC
    > >> Creator Owner = Manage Docs
    > >> Everyone = Print
    > >> Power Users = FC
    > >>
    > >> I'm basically looking for an easy way to remove both the Creator Owner
    > >> and
    > >> Everyone groups so that a newly created print queue will only have the
    > >> Administrators and PowerUsers group in the security permissions.
    > >
    > > On it's face removing Creator/Owner sounds silly
    > > and the creator owner can ALWAYS change the
    > > permissions on an owned object even with no other
    > > (or even DENY all) permissions.
    > >
    > > Changing the Everyone group defaults sounds like
    > > a useful goal.
    > >
    > > How about a Startup script that just enumerates and
    > > fixes up the permissions on any print queues?
    > >
    > >> This way when new print queues are created and the permissions have
    been
    > >> 'forgotten' about, no users will be able to print and someone will have
    > >> to
    > >> call the IT HelpDesk to have this resolved -
    > >
    > > Maybe best is to make the Users members of USERS
    > > instead of Power Users (or <ugh> Administrators)
    > > or just remove the ability to create printers from
    > > Power Users.
    > >
    > > Then they have to cal the Help Desk to start.
    > >
    > >> as opposed to Everyone being
    > >> able to use the printer and then jobs from Glasgow appearing on
    printers
    > > in
    > >> London for example. (Not that I am at all implying that members of the
    IT
    > >> HelpDesk Staff group have short term memory issues...)
    > >
    > > Or just teach users not to share (or use permissions
    > > correctly...)
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > >>
    > >> Thanks again,
    > >> Paul.
    > >>
    > >>
    > >>
    > >>
    > >> "Herb Martin" <news@LearnQuick.com> wrote in message
    > >> news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    > >> > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    > >> > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    > >> >> Hello Paul,
    > >> >> Good question. Yes it's possible to inheritance the Security (ACL)
    > >> >> from
    > >> > the
    > >> >> computer object in the Active Directory, since all printers
    published
    > > in
    > >> >> active directory is child objects to it's host/computer/server.
    > >> >
    > >> > I don't think so. The Printer's so published are not
    > >> > "children" of the computer object for several reasons
    > >> > but the most important is that Computer objects are
    > >> > NOT containers.
    > >> >
    > >> > Also note, the Computer object in AD will not get
    > >> > you permissions to the actual PRINTER (queue)
    > >> > anyway.
    > >> >
    > >> > Also, since these are local printers they may not
    > >> > even be published in AD.
    > >> >
    > >> >> You can give the "IT Helpdesk Staff" Full Control of child objects
    of
    > >> >> type
    > >> >> PrinterObjects or just Add / Remove Printer Objects. You should see
    an
    > >> > entry
    > >> >> for the Printer Operators group with rights Add / Remove Printer
    > > Objects
    > >> > in
    > >> >> the ACL list on the computer/host/server object in AD.
    > >> >
    > >> > Unless I am totally wrong about this, there is no
    > >> > place to "inherit permissions" on the PRINTER
    > >> > (queue) share objects themselves since they have
    > >> > no parent.
    > >> >
    > >> > I.E., you still won't be able to print.
    > >> >
    > >> > A Restricted Group MIGHT help but the group
    > >> > used will need to be one that is already assigned
    > >> > by default, or there must be another way to give
    > >> > this group the requisite permissions.
    > >> >
    > >> > A startup script might wrap this stuff up by
    > >> > enumerating Print shares etc.....
    > >> >
    > >> >
    > >> > --
    > >> > Herb Martin
    > >> >
    > >> >
    > >> >>
    > >> >> --
    > >> >> Regards
    > >> >> Christoffer Andersson
    > >> >> Microsoft MVP - Directory Services
    > >> >>
    > >> >> No email replies please - reply in the newsgroup
    > >> >> ------------------------------------------------
    > >> >> http://www.chrisse.se - Active Directory Tips
    > >> >>
    > >> >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    > >> >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    > >> >> > All,
    > >> >> >
    > >> >> > I realise this is a printing question, but I think it's probably
    > >> >> > more
    > >> >> > GPO/AD related too.
    > >> >> >
    > >> >> > Is there any way that permissions for locally installed printers
    on
    > >> >> > a
    > >> >> > Windows 2000 Advanced server can be set to inherit in the same
    way
    > >> >> > that
    > >> >> > files and folders can? E.g. when someone creates a new local
    > >> >> > printer,
    > > I
    > >> >> > want to be able to specify what the default security permissions
    > >> >> > will
    > >> >> > be
    > >> >> > set to.
    > >> >> >
    > >> >> > We have a Windows 2000 domain with print queues set up locally on
    > >> > Windows
    > >> >> > 2000 Advanced Server member servers. I'm trying to set up our
    member
    > >> >> > servers so that when a member of the domain security group "IT
    > > Helpdesk
    > >> >> > Staff" creates a new local printer, the correct permissions are
    > >> >> > automatically assigned to it and all the IT staff needs to do is
    add
    > >> >> > the
    > >> >> > relevant User groups with print access.
    > >> >> >
    > >> >> > The domain secirity group "IT Helpdesk Staff" has only domain user
    > >> > rights
    > >> >> > but is also a member of the local Power Users group on the Windows
    > > 2000
    > >> >> > member servers, and so has full permissions to create new printers
    > >> >> > locally.
    > >> >> >
    > >> >> > Thanks again,
    > >> >> > Paul.
    > >> >> >
    > >> >> >
    > >> >> >
    > >> >>
    > >> >>
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
  16. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Thanks for this - I'm not sure that the NET command will help me as the
    local printer queues are not shared.

    I've had a quick look at the SetACL program on SourceForge and that look
    like it might be the easiest solution. Only problem is that is is an .ocx
    not an .exe that can be run at the command line (as far as I can see after a
    quick 60 second look at it that is). Maybe I'll have to blow the dust of VB6
    and write a small utility to interface with it.

    Thanks again for you input,
    Paul.


    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:eDQLx2M%23EHA.600@TK2MSFTNGP09.phx.gbl...
    > "Paul Hadfield" <paul@anon.com> wrote in message
    > news:uyK0DwK#EHA.1396@tk2msftngp13.phx.gbl...
    >>
    >> "How about a Startup script that just enumerates and fixes up the
    >> permissions on any print queues?"
    >>
    >>
    >> I'm not sure how I would go about writing a script to do this - can you
    > give
    >> me any pointers? My primary goal is to remove the Everyone group from all
    >> print queues and this seems to be the best idea so far.
    >
    >
    > If you don't already write a few scripts this would
    > be a big "chunk" to learn all at once, and unfortunately
    > the commands available natively (and flexibility) varies
    > by OS version/type.
    >
    > Naively (it's not perfect) you can get a list of Print shares this way:
    >
    > net share | find "Spooled"
    >
    > On XP+ you can use PrnMngr to do (some of the) work.
    >
    > Using things like VBS/WMI/ADSI you can do this stuff.
    >
    > SetAcl.exe free from SourceForge.net can do it, but it has
    > a really complex command line.
    >
    > Someone who does this everyday might have a pre-built
    > suggestion -- I would have to write something and much
    > of that would depend on which clients and server OS's
    > you have.
    >
    > --
    > Herb Martin
    >
    >
    >>
    >> Cheers,
    >> Paul.
    >>
    >>
    >>
    >> "Herb Martin" <news@LearnQuick.com> wrote in message
    >> news:%237UKFBH%23EHA.3260@TK2MSFTNGP14.phx.gbl...
    >> > "Paul Hadfield" <me@none.com> wrote in message
    >> > news:eexT6WD#EHA.1604@TK2MSFTNGP12.phx.gbl...
    >> >> All,
    >> >>
    >> >> As Herb has pointed out (and I should have mentioned in the first
    > place)
    >> > the
    >> >> printer queues on the Windows 2000 member server in question are not
    >> >> published in active directory. Neither are they shared. They are
    > accessed
    >> >> purely by the users that happen to be logged on to that local server
    >> >> at
    >> > the
    >> >> time via Terminal Services.
    >> >>
    >> >> At the moment, when a member of IT Helpdesk Staff creates a new
    >> >> printer
    >> >> queue, the default security permissions are:
    >> >> Administrators = FC
    >> >> Creator Owner = Manage Docs
    >> >> Everyone = Print
    >> >> Power Users = FC
    >> >>
    >> >> I'm basically looking for an easy way to remove both the Creator Owner
    >> >> and
    >> >> Everyone groups so that a newly created print queue will only have the
    >> >> Administrators and PowerUsers group in the security permissions.
    >> >
    >> > On it's face removing Creator/Owner sounds silly
    >> > and the creator owner can ALWAYS change the
    >> > permissions on an owned object even with no other
    >> > (or even DENY all) permissions.
    >> >
    >> > Changing the Everyone group defaults sounds like
    >> > a useful goal.
    >> >
    >> > How about a Startup script that just enumerates and
    >> > fixes up the permissions on any print queues?
    >> >
    >> >> This way when new print queues are created and the permissions have
    > been
    >> >> 'forgotten' about, no users will be able to print and someone will
    >> >> have
    >> >> to
    >> >> call the IT HelpDesk to have this resolved -
    >> >
    >> > Maybe best is to make the Users members of USERS
    >> > instead of Power Users (or <ugh> Administrators)
    >> > or just remove the ability to create printers from
    >> > Power Users.
    >> >
    >> > Then they have to cal the Help Desk to start.
    >> >
    >> >> as opposed to Everyone being
    >> >> able to use the printer and then jobs from Glasgow appearing on
    > printers
    >> > in
    >> >> London for example. (Not that I am at all implying that members of the
    > IT
    >> >> HelpDesk Staff group have short term memory issues...)
    >> >
    >> > Or just teach users not to share (or use permissions
    >> > correctly...)
    >> >
    >> > --
    >> > Herb Martin
    >> >
    >> >
    >> >>
    >> >> Thanks again,
    >> >> Paul.
    >> >>
    >> >>
    >> >>
    >> >>
    >> >> "Herb Martin" <news@LearnQuick.com> wrote in message
    >> >> news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    >> >> > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    >> >> > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    >> >> >> Hello Paul,
    >> >> >> Good question. Yes it's possible to inheritance the Security (ACL)
    >> >> >> from
    >> >> > the
    >> >> >> computer object in the Active Directory, since all printers
    > published
    >> > in
    >> >> >> active directory is child objects to it's host/computer/server.
    >> >> >
    >> >> > I don't think so. The Printer's so published are not
    >> >> > "children" of the computer object for several reasons
    >> >> > but the most important is that Computer objects are
    >> >> > NOT containers.
    >> >> >
    >> >> > Also note, the Computer object in AD will not get
    >> >> > you permissions to the actual PRINTER (queue)
    >> >> > anyway.
    >> >> >
    >> >> > Also, since these are local printers they may not
    >> >> > even be published in AD.
    >> >> >
    >> >> >> You can give the "IT Helpdesk Staff" Full Control of child objects
    > of
    >> >> >> type
    >> >> >> PrinterObjects or just Add / Remove Printer Objects. You should see
    > an
    >> >> > entry
    >> >> >> for the Printer Operators group with rights Add / Remove Printer
    >> > Objects
    >> >> > in
    >> >> >> the ACL list on the computer/host/server object in AD.
    >> >> >
    >> >> > Unless I am totally wrong about this, there is no
    >> >> > place to "inherit permissions" on the PRINTER
    >> >> > (queue) share objects themselves since they have
    >> >> > no parent.
    >> >> >
    >> >> > I.E., you still won't be able to print.
    >> >> >
    >> >> > A Restricted Group MIGHT help but the group
    >> >> > used will need to be one that is already assigned
    >> >> > by default, or there must be another way to give
    >> >> > this group the requisite permissions.
    >> >> >
    >> >> > A startup script might wrap this stuff up by
    >> >> > enumerating Print shares etc.....
    >> >> >
    >> >> >
    >> >> > --
    >> >> > Herb Martin
    >> >> >
    >> >> >
    >> >> >>
    >> >> >> --
    >> >> >> Regards
    >> >> >> Christoffer Andersson
    >> >> >> Microsoft MVP - Directory Services
    >> >> >>
    >> >> >> No email replies please - reply in the newsgroup
    >> >> >> ------------------------------------------------
    >> >> >> http://www.chrisse.se - Active Directory Tips
    >> >> >>
    >> >> >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    >> >> >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    >> >> >> > All,
    >> >> >> >
    >> >> >> > I realise this is a printing question, but I think it's probably
    >> >> >> > more
    >> >> >> > GPO/AD related too.
    >> >> >> >
    >> >> >> > Is there any way that permissions for locally installed printers
    > on
    >> >> >> > a
    >> >> >> > Windows 2000 Advanced server can be set to inherit in the same
    > way
    >> >> >> > that
    >> >> >> > files and folders can? E.g. when someone creates a new local
    >> >> >> > printer,
    >> > I
    >> >> >> > want to be able to specify what the default security permissions
    >> >> >> > will
    >> >> >> > be
    >> >> >> > set to.
    >> >> >> >
    >> >> >> > We have a Windows 2000 domain with print queues set up locally on
    >> >> > Windows
    >> >> >> > 2000 Advanced Server member servers. I'm trying to set up our
    > member
    >> >> >> > servers so that when a member of the domain security group "IT
    >> > Helpdesk
    >> >> >> > Staff" creates a new local printer, the correct permissions are
    >> >> >> > automatically assigned to it and all the IT staff needs to do is
    > add
    >> >> >> > the
    >> >> >> > relevant User groups with print access.
    >> >> >> >
    >> >> >> > The domain secirity group "IT Helpdesk Staff" has only domain
    >> >> >> > user
    >> >> > rights
    >> >> >> > but is also a member of the local Power Users group on the
    >> >> >> > Windows
    >> > 2000
    >> >> >> > member servers, and so has full permissions to create new
    >> >> >> > printers
    >> >> >> > locally.
    >> >> >> >
    >> >> >> > Thanks again,
    >> >> >> > Paul.
    >> >> >> >
    >> >> >> >
    >> >> >> >
    >> >> >>
    >> >> >>
    >> >> >
    >> >> >
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    >
  17. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Paul Hadfield" <paul@anon.com> wrote in message
    news:ueXrnRV#EHA.2196@TK2MSFTNGP14.phx.gbl...
    > Thanks for this - I'm not sure that the NET command will help me as the
    > local printer queues are not shared.

    Does not matter -- we were talking about doing this
    in the context of a Startup script which runs locally
    on each machine.

    > I've had a quick look at the SetACL program on SourceForge and that look
    > like it might be the easiest solution. Only problem is that is is an .ocx
    > not an .exe that can be run at the command line (as far as I can see after
    a
    > quick 60 second look at it that is).

    There is also an exe. They split it for script (language)
    purposes) to make it more flexible.

    > Maybe I'll have to blow the dust of VB6
    > and write a small utility to interface with it.

    You can do that or just use straight batch with
    the exe version.

    --
    Herb Martin


    >
    > Thanks again for you input,
    > Paul.
    >
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:eDQLx2M%23EHA.600@TK2MSFTNGP09.phx.gbl...
    > > "Paul Hadfield" <paul@anon.com> wrote in message
    > > news:uyK0DwK#EHA.1396@tk2msftngp13.phx.gbl...
    > >>
    > >> "How about a Startup script that just enumerates and fixes up the
    > >> permissions on any print queues?"
    > >>
    > >>
    > >> I'm not sure how I would go about writing a script to do this - can you
    > > give
    > >> me any pointers? My primary goal is to remove the Everyone group from
    all
    > >> print queues and this seems to be the best idea so far.
    > >
    > >
    > > If you don't already write a few scripts this would
    > > be a big "chunk" to learn all at once, and unfortunately
    > > the commands available natively (and flexibility) varies
    > > by OS version/type.
    > >
    > > Naively (it's not perfect) you can get a list of Print shares this way:
    > >
    > > net share | find "Spooled"
    > >
    > > On XP+ you can use PrnMngr to do (some of the) work.
    > >
    > > Using things like VBS/WMI/ADSI you can do this stuff.
    > >
    > > SetAcl.exe free from SourceForge.net can do it, but it has
    > > a really complex command line.
    > >
    > > Someone who does this everyday might have a pre-built
    > > suggestion -- I would have to write something and much
    > > of that would depend on which clients and server OS's
    > > you have.
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > >>
    > >> Cheers,
    > >> Paul.
    > >>
    > >>
    > >>
    > >> "Herb Martin" <news@LearnQuick.com> wrote in message
    > >> news:%237UKFBH%23EHA.3260@TK2MSFTNGP14.phx.gbl...
    > >> > "Paul Hadfield" <me@none.com> wrote in message
    > >> > news:eexT6WD#EHA.1604@TK2MSFTNGP12.phx.gbl...
    > >> >> All,
    > >> >>
    > >> >> As Herb has pointed out (and I should have mentioned in the first
    > > place)
    > >> > the
    > >> >> printer queues on the Windows 2000 member server in question are not
    > >> >> published in active directory. Neither are they shared. They are
    > > accessed
    > >> >> purely by the users that happen to be logged on to that local server
    > >> >> at
    > >> > the
    > >> >> time via Terminal Services.
    > >> >>
    > >> >> At the moment, when a member of IT Helpdesk Staff creates a new
    > >> >> printer
    > >> >> queue, the default security permissions are:
    > >> >> Administrators = FC
    > >> >> Creator Owner = Manage Docs
    > >> >> Everyone = Print
    > >> >> Power Users = FC
    > >> >>
    > >> >> I'm basically looking for an easy way to remove both the Creator
    Owner
    > >> >> and
    > >> >> Everyone groups so that a newly created print queue will only have
    the
    > >> >> Administrators and PowerUsers group in the security permissions.
    > >> >
    > >> > On it's face removing Creator/Owner sounds silly
    > >> > and the creator owner can ALWAYS change the
    > >> > permissions on an owned object even with no other
    > >> > (or even DENY all) permissions.
    > >> >
    > >> > Changing the Everyone group defaults sounds like
    > >> > a useful goal.
    > >> >
    > >> > How about a Startup script that just enumerates and
    > >> > fixes up the permissions on any print queues?
    > >> >
    > >> >> This way when new print queues are created and the permissions have
    > > been
    > >> >> 'forgotten' about, no users will be able to print and someone will
    > >> >> have
    > >> >> to
    > >> >> call the IT HelpDesk to have this resolved -
    > >> >
    > >> > Maybe best is to make the Users members of USERS
    > >> > instead of Power Users (or <ugh> Administrators)
    > >> > or just remove the ability to create printers from
    > >> > Power Users.
    > >> >
    > >> > Then they have to cal the Help Desk to start.
    > >> >
    > >> >> as opposed to Everyone being
    > >> >> able to use the printer and then jobs from Glasgow appearing on
    > > printers
    > >> > in
    > >> >> London for example. (Not that I am at all implying that members of
    the
    > > IT
    > >> >> HelpDesk Staff group have short term memory issues...)
    > >> >
    > >> > Or just teach users not to share (or use permissions
    > >> > correctly...)
    > >> >
    > >> > --
    > >> > Herb Martin
    > >> >
    > >> >
    > >> >>
    > >> >> Thanks again,
    > >> >> Paul.
    > >> >>
    > >> >>
    > >> >>
    > >> >>
    > >> >> "Herb Martin" <news@LearnQuick.com> wrote in message
    > >> >> news:uabX$H$9EHA.1260@TK2MSFTNGP12.phx.gbl...
    > >> >> > "Chriss3 [MVP]" <noSpamHere@chrisse.se> wrote in message
    > >> >> > news:eMZ8B1#9EHA.2996@TK2MSFTNGP10.phx.gbl...
    > >> >> >> Hello Paul,
    > >> >> >> Good question. Yes it's possible to inheritance the Security
    (ACL)
    > >> >> >> from
    > >> >> > the
    > >> >> >> computer object in the Active Directory, since all printers
    > > published
    > >> > in
    > >> >> >> active directory is child objects to it's host/computer/server.
    > >> >> >
    > >> >> > I don't think so. The Printer's so published are not
    > >> >> > "children" of the computer object for several reasons
    > >> >> > but the most important is that Computer objects are
    > >> >> > NOT containers.
    > >> >> >
    > >> >> > Also note, the Computer object in AD will not get
    > >> >> > you permissions to the actual PRINTER (queue)
    > >> >> > anyway.
    > >> >> >
    > >> >> > Also, since these are local printers they may not
    > >> >> > even be published in AD.
    > >> >> >
    > >> >> >> You can give the "IT Helpdesk Staff" Full Control of child
    objects
    > > of
    > >> >> >> type
    > >> >> >> PrinterObjects or just Add / Remove Printer Objects. You should
    see
    > > an
    > >> >> > entry
    > >> >> >> for the Printer Operators group with rights Add / Remove Printer
    > >> > Objects
    > >> >> > in
    > >> >> >> the ACL list on the computer/host/server object in AD.
    > >> >> >
    > >> >> > Unless I am totally wrong about this, there is no
    > >> >> > place to "inherit permissions" on the PRINTER
    > >> >> > (queue) share objects themselves since they have
    > >> >> > no parent.
    > >> >> >
    > >> >> > I.E., you still won't be able to print.
    > >> >> >
    > >> >> > A Restricted Group MIGHT help but the group
    > >> >> > used will need to be one that is already assigned
    > >> >> > by default, or there must be another way to give
    > >> >> > this group the requisite permissions.
    > >> >> >
    > >> >> > A startup script might wrap this stuff up by
    > >> >> > enumerating Print shares etc.....
    > >> >> >
    > >> >> >
    > >> >> > --
    > >> >> > Herb Martin
    > >> >> >
    > >> >> >
    > >> >> >>
    > >> >> >> --
    > >> >> >> Regards
    > >> >> >> Christoffer Andersson
    > >> >> >> Microsoft MVP - Directory Services
    > >> >> >>
    > >> >> >> No email replies please - reply in the newsgroup
    > >> >> >> ------------------------------------------------
    > >> >> >> http://www.chrisse.se - Active Directory Tips
    > >> >> >>
    > >> >> >> "Paul Hadfield" <paul@anon.com> skrev i meddelandet
    > >> >> >> news:%239EC3G99EHA.1084@tk2msftngp13.phx.gbl...
    > >> >> >> > All,
    > >> >> >> >
    > >> >> >> > I realise this is a printing question, but I think it's
    probably
    > >> >> >> > more
    > >> >> >> > GPO/AD related too.
    > >> >> >> >
    > >> >> >> > Is there any way that permissions for locally installed
    printers
    > > on
    > >> >> >> > a
    > >> >> >> > Windows 2000 Advanced server can be set to inherit in the same
    > > way
    > >> >> >> > that
    > >> >> >> > files and folders can? E.g. when someone creates a new local
    > >> >> >> > printer,
    > >> > I
    > >> >> >> > want to be able to specify what the default security
    permissions
    > >> >> >> > will
    > >> >> >> > be
    > >> >> >> > set to.
    > >> >> >> >
    > >> >> >> > We have a Windows 2000 domain with print queues set up locally
    on
    > >> >> > Windows
    > >> >> >> > 2000 Advanced Server member servers. I'm trying to set up our
    > > member
    > >> >> >> > servers so that when a member of the domain security group "IT
    > >> > Helpdesk
    > >> >> >> > Staff" creates a new local printer, the correct permissions are
    > >> >> >> > automatically assigned to it and all the IT staff needs to do
    is
    > > add
    > >> >> >> > the
    > >> >> >> > relevant User groups with print access.
    > >> >> >> >
    > >> >> >> > The domain secirity group "IT Helpdesk Staff" has only domain
    > >> >> >> > user
    > >> >> > rights
    > >> >> >> > but is also a member of the local Power Users group on the
    > >> >> >> > Windows
    > >> > 2000
    > >> >> >> > member servers, and so has full permissions to create new
    > >> >> >> > printers
    > >> >> >> > locally.
    > >> >> >> >
    > >> >> >> > Thanks again,
    > >> >> >> > Paul.
    > >> >> >> >
    > >> >> >> >
    > >> >> >> >
    > >> >> >>
    > >> >> >>
    > >> >> >
    > >> >> >
    > >> >>
    > >> >>
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
Ask a new question

Read More

Permissions Servers Printers Windows