Guest Yann
Posted October 22, 2007

Hi,

Just wondering: is there an easy way to forbid users to connect/print directly on printers without going through my Windows 2003 print server?

These are all kinds of HP printers, and I want them to use the print server so I can control which drivers they are using and monitor the usage of printing.

Thanks for any help
Guest Anthony
Posted October 22, 2007

Re: how to forbid users to connect directly to printers

You could run a script that deletes all printers and adds only the ones you want, or deletes any printers that are not \\server\xxx

I suppose you could also do something like put all printers on a VLAN behind a firewall and only allow connections from the server.

Anthony, http://www.airdesk.co.uk

"Yann" <Yann@discussions.microsoft.com> wrote in message news:7D5A46B6-C9C1-494F-95DF-AB7DF3FE29DB@microsoft.com...
> Hi,
>
> Just wondering: is there an easy way to forbid users to connect/print
> directly on printers without going through my Windows 2003 print server?
>
> These are all kinds of HP printers, and I want them to use the print server
> so I can control which drivers they are using and monitor the usage of
> printing.
>
> Thanks for any help
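Anthony's script idea, sketched in PowerShell as an added example that is not part of the original thread: it reports (and with `-Remove` deletes) queues on a workstation that point straight at a printer's IP address or at a server other than the approved print server, and leaves local and virtual queues alone. `PRINTSRV01` is a hypothetical server name, and the CIM cmdlets assume PowerShell 3.0 or later on the client.

```powershell
# Added example (not from the thread). Run in the user's session, e.g. as a logon script.
param(
    [string]$PrintServer = 'PRINTSRV01',  # hypothetical name of the approved print server
    [switch]$Remove                       # report only unless -Remove is given
)

# Standard TCP/IP ports defined on this machine: port name -> printer address.
$tcpPorts = @{}
Get-CimInstance -ClassName Win32_TCPIPPrinterPort |
    ForEach-Object { $tcpPorts[$_.Name] = $_.HostAddress }

$approvedPrefix = "\\$PrintServer\"

foreach ($printer in Get-CimInstance -ClassName Win32_Printer) {
    # Connections made through the print server are named \\server\share.
    $viaApproved = $printer.Name.StartsWith(
        $approvedPrefix, [System.StringComparison]::OrdinalIgnoreCase)

    # A queue bound to a Standard TCP/IP port talks to the device directly.
    $directIp = $printer.PortName -and $tcpPorts.ContainsKey($printer.PortName)

    # A network connection to any other server also bypasses the approved one.
    $otherServer = $printer.Network -and -not $viaApproved

    if (-not ($directIp -or $otherServer)) { continue }

    $action = 'reported'
    if ($Remove) {
        try {
            Remove-CimInstance -InputObject $printer -ErrorAction Stop
            $action = 'removed'
        } catch {
            $action = "remove failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Printer = $printer.Name
        Port    = $printer.PortName
        Target  = if ($directIp) { $tcpPorts[$printer.PortName] } else { $printer.ServerName }
        Action  = $action
    }
}
```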
Guest Danny Sanders
Posted October 22, 2007

Re: how to forbid users to connect directly to printers

Using HP Web Jetadmin you can create an access control list in the network section and by listing only your server's IP address in the access control list and NOT their workstation's IP address, then only the server can print to the printer.
I'm using version 8. This link is to version 10. I haven't used version 10.
http://h20338.www2.hp.com/hpsub/cache/332262-0-0-225-121.html?jumpid=ex_r2845_go/webjetadmin/gc121306

Or you can use telnet:
Open a command prompt and type in telnet.
On the resulting command prompt type "open" and enter the IP address of the printer you want to manage and hit enter.
Type "menu" and hit enter.
On the main menu page enter the number to choose TCP/IP settings and hit enter.
On the TCP/IP menu page enter the number to choose TCP/IP - Access Control and hit enter.
The command prompt will change to "Change settings ? [Y/N]" type "y" and then enter.
On the resulting screen add the IP address and subnet mask of the computers you want to be able to print to this printer, usually the server, and the IP address and the IP address for the user computer making the change. This entry is needed if there is ever a need to manage the printer via telnet again. Without this entry the only way to manage the device remotely is by using the Web Jetadmin or Telnet from the server.
When done entering information hit the enter key which will take you back to the command prompt "Change settings ? [Y/N]" this time select "N" and follow the directions to exit the program.
To delete entries from the access control list, instead of listing an IP address enter the number "0". This will erase ALL entries from the access control list. This is the default setting and the printer will accept jobs from any IP address.

hth
DDS

"Yann" <Yann@discussions.microsoft.com> wrote in message news:7D5A46B6-C9C1-494F-95DF-AB7DF3FE29DB@microsoft.com...
> Hi,
>
> Just wondering: is there an easy way to forbid users to connect/print
> directly on printers without going through my Windows 2003 print server?
>
> These are all kinds of HP printers, and I want them to use the print server
> so I can control which drivers they are using and monitor the usage of
> printing.
>
> Thanks for any help
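A check to run after setting the access control list as Danny describes, added here as an example and not part of the original thread: from a workstation that is not on the list, each printing and management port on the printer should refuse the connection. The address `192.0.2.10` is a placeholder; ports 515 (LPD) and 9100 (raw printing) are the standard port numbers for those services and are not named in the thread.

```powershell
# Added example (not from the thread). Run from a workstation that is NOT on the printer's list.
param(
    [string]$PrinterAddress = '192.0.2.10',  # placeholder; use your printer's IP address
    [int]$TimeoutMs = 2000
)

$services = @(
    @{ Port = 21;   Name = 'FTP printing' },
    @{ Port = 23;   Name = 'Telnet management' },
    @{ Port = 515;  Name = 'LPD printing' },
    @{ Port = 631;  Name = 'IPP printing' },
    @{ Port = 9100; Name = 'Raw TCP/IP printing' }
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        # No answer within the timeout: treat as filtered.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($svc in $services) {
    [pscustomobject]@{
        Port      = $svc.Port
        Service   = $svc.Name
        Reachable = Test-TcpPort -Address $PrinterAddress -Port $svc.Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

# Any reachable port means this workstation can still talk to the printer directly.
$open = @($results | Where-Object { $_.Reachable })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) port(s) still accept connections from this workstation."
    exit 1
}
Write-Output 'No direct printing or management port answered from this workstation.'
```

Run the same check from the print server as well: there, the port the server prints through should still be reachable.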
Guest Lanwench [MVP - Exchange]
Posted October 22, 2007

Re: how to forbid users to connect directly to printers

Yann <Yann@discussions.microsoft.com> wrote:
> Hi,
>
> Just wondering: is there an easy way to forbid users to connect/print
> directly on printers without going through my Windows 2003 print
> server?
>
> These are all kinds of HP printers, and I want them to use the print
> server so I can control which drivers they are using and monitor the
> usage of printing.
>
> Thanks for any help

Perhaps this is a silly suggestion, but if you don't give users local admin or power user rights, they won't be *able* to do this (can't add local printers or printer ports at all).
Guest Yann
Posted October 22, 2007

Re: how to forbid users to connect directly to printers

Lanwench, I totally agree with you... unfortunately it's too late, they have already been granted local admin rights, that's why they can use printers without using the server. But the suggestion was good.

Thanks

"Lanwench [MVP - Exchange]" wrote:
>
> Perhaps this is a silly suggestion, but if you don't give users local admin
> or power user rights, they won't be *able* to do this (can't add local
> printers or printer ports at all).
Guest Yann
Posted October 22, 2007

Re: how to forbid users to connect directly to printers

It's true that I was thinking about modifying a Group Policy or the permissions for the user on the spool folder in C:\Windows\system32... but the best solution is to do what you said: modify the ACL on the device itself.

Thanks a lot for the recommendation, I think this is the best way to do it.

"Danny Sanders" wrote:
> Using HP Web Jetadmin you can create an access control list in the network
> section and by listing only your server's IP address in the access control
> list and NOT their workstation's IP address, then only the server can print
> to the printer.
> I'm using version 8. This link is to version 10. I haven't used version 10.
> http://h20338.www2.hp.com/hpsub/cache/332262-0-0-225-121.html?jumpid=ex_r2845_go/webjetadmin/gc121306
>
>
> Or you can use telnet:
> Open a command prompt and type in telnet.
> On the resulting command prompt type "open" and enter the IP address of the
> printer you want to manage and hit enter.
> Type "menu" and hit enter.
> On the main menu page enter the number to choose TCP/IP settings and hit
> enter.
> On the TCP/IP menu page enter the number to choose TCP/IP - Access Control
> and hit enter.
> The command prompt will change to "Change settings ? [Y/N]" type "y" and
> then enter.
> On the resulting screen add the IP address and subnet mask of the computers
> you want to be able to print to this printer, usually the server, and the IP
> address and the IP address for the user computer making the change. This
> entry is needed if there is ever a need to manage the printer via telnet
> again. Without this entry the only way to manage the device remotely is by
> using the Web Jetadmin or Telnet from the server.
> When done entering information hit the enter key which will take you back to
> the command prompt "Change settings ? [Y/N]" this time select "N" and follow
> the directions to exit the program.
> To delete entries from the access control list, instead of listing an IP
> address enter the number "0". This will erase ALL entries from the access
> control list. This is the default setting and the printer will accept jobs
> from any IP address.
>
>
> hth
> DDS
Guest Yann
Posted October 22, 2007

Re: how to forbid users to connect directly to printers

It's true that it could work just fine, unfortunately my infrastructure already uses VLANs but printers are connected on different VLANs and that are shared with users.

But thanks a lot for the suggestion.

"Anthony" wrote:
> You could run a script that deletes all printers and adds only the ones you
> want, or deletes any printers that are not \\server\xxx
> I suppose you could also do something like put all printers on a VLAN behind
> a firewall and only allow connections from the server.
> Anthony, http://www.airdesk.co.uk
Guest Lanwench [MVP - Exchange]
Posted October 23, 2007

Re: how to forbid users to connect directly to printers

Yann <Yann@discussions.microsoft.com> wrote:
> Lanwench, I totally agree with you... unfortunately it's too late,
> they have already been granted local admin rights, that's why they
> can use printers without using the server. But the suggestion was
> good.
>
> Thanks
>

OK, but that doesn't really explain why you can't *revoke* the rights. Talk to the business owners about the dangers of granting users permissions they don't actually require - they can get infested with very damaging malware, viruses, can deliberately or inadvertently make changes to the operating system & network, install illegal software (for which the company is likely liable), etc.

>
> "Lanwench [MVP - Exchange]" wrote:
>>
>> Perhaps this is a silly suggestion, but if you don't give users
>> local admin or power user rights, they won't be *able* to do this
>> (can't add local printers or printer ports at all).
Guest a
Posted October 24, 2007

Re: how to forbid users to connect directly to printers

"Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in news:ekAGNMYFIHA.1324@TK2MSFTNGP06.phx.gbl:

> Yann <Yann@discussions.microsoft.com> wrote:
>> Lanwench, I totally agree with you... unfortunately it's too late,
>> they have already been granted local admin rights, that's why they
>> can use printers without using the server. But the suggestion was
>> good.
>>
>> Thanks
>>
>
> OK, but that doesn't really explain why you can't *revoke* the
> rights. Talk to the business owners about the dangers of granting users
> permissions they don't actually require - they can get infested with
> very damaging malware, viruses, can deliberately or inadvertently make
> changes to the operating system & network, install illegal software
> (for which the company is likely liable), etc.
>
>>
>> "Lanwench [MVP - Exchange]" wrote:
>>>
>>> Perhaps this is a silly suggestion, but if you don't give users
>>> local admin or power user rights, they won't be *able* to do this
>>> (can't add local printers or printer ports at all).
>

I may be jumping into this a bit late - can't see the beginning of this thread - but many network connected printers have internal settings to limit the IP numbers that they will accept connections from. You could set this to only allow access from the server. Turn off unused protocols like Appletalk/IPP/FTP printing...

Another way is if the printer can do DLC protocol, you can set it to only do this, and have the server connect using DLC - there is often a setting to make it exclusive so that once a connection is made, it is not released when the print job is done so that another computer can connect (the server just has to get there first for this to work).

Or, if you have control over the network and have the right type of switches so that you can create a VLAN that only the printer and server are in, other machines could not see the printer.
Guest Lanwench [MVP - Exchange]
Posted October 25, 2007

Re: how to forbid users to connect directly to printers

a <b@c.d> wrote:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> news:ekAGNMYFIHA.1324@TK2MSFTNGP06.phx.gbl:
>
>> Yann <Yann@discussions.microsoft.com> wrote:
>>> Lanwench, I totally agree with you... unfortunately it's too late,
>>> they have already been granted local admin rights, that's why they
>>> can use printers without using the server. But the suggestion was
>>> good.
>>>
>>> Thanks
>>>
>>
>> OK, but that doesn't really explain why you can't *revoke* the
>> rights. Talk to the business owners about the dangers of granting
>> users permissions they don't actually require - they can get
>> infested with very damaging malware, viruses, can deliberately or
>> inadvertently make changes to the operating system & network,
>> install illegal software (for which the company is likely liable),
>> etc.
>>
>>>
>>> "Lanwench [MVP - Exchange]" wrote:
>>>>
>>>> Perhaps this is a silly suggestion, but if you don't give users
>>>> local admin or power user rights, they won't be *able* to do this
>>>> (can't add local printers or printer ports at all).
>>
>
> I may be jumping into this a bit late - can't see the beginning of
> this thread -

Try using msnews.microsoft.com as your NNTP server, and a regular newsreader client....

> but many network connected printers have internal
> settings to limit the IP numbers that they will accept connections
> from.

This has already been suggested, yes. I still think it makes the most sense to prevent users from having access to *try* stuff like this in the first place, tho.

> You could set this to only allow access from the server. Turn
> off unused protocols like Appletalk/IPP/FTP printing... Another way
> is if the printer can do DLC protocol, you can set it to only do
> this, and have the server connect using DLC - there is often a
> setting to make it exclusive so that once a connection is made, it is
> not released when the print job is done so that another computer can
> connect (the server just has to get there first for this to work).
>
> Or, if you have control over the network and have the right type of
> switches so that you can create a VLAN that only the printer and
> server are in, other machines could not see the printer.

That's already been suggested too.... won't work for the OP.