
how to forbid users to connect directly to printers



Posted

Hi,

 

Just wondering: is there an easy way to forbid users to connect/print

directly on printers without going through my Windows 2003 print server?

 

These are all kind of HP printers, and I want them to use the print server

so I can control which drivers they are using and monitor the usage of

printing.

 

Thanks for any help

Guest Anthony
Posted

Re: how to forbid users to connect directly to printers

 

You could run a script that deletes all printers and adds only the ones you

want, or deletes any printers that are not \\server\xxx

I suppose you could also do something like put all printers on a VLAN behind

a firewall and only allow connections from the server.

Anthony, http://www.airdesk.co.uk

 

 

 

"Yann" <Yann@discussions.microsoft.com> wrote in message

news:7D5A46B6-C9C1-494F-95DF-AB7DF3FE29DB@microsoft.com...

> Hi,

>

> Just wondering: is there an easy way to forbid users to connect/print

> directly on printers without going through my Windows 2003 print server?

>

> These are all kind of HP printers, and I want them to use the print server

> so I can control which drivers they are using and monitor the usage of

> printing.

>

> Thanks for any help

Guest Danny Sanders
Posted

Re: how to forbid users to connect directly to printers

 

Using HP Web Jet admin you can create an access control list in the network

section and by listing only your server's IP address in the access control

list and NOT their workstation's IP address, then only the server can print

to the printer.

I'm using version 8. This link is to version 10. I haven't used version 10.

http://h20338.www2.hp.com/hpsub/cache/332262-0-0-225-121.html?jumpid=ex_r2845_go/webjetadmin/gc121306

 

 

Or you can use telnet:

Open a command prompt and type in telnet.

On the resulting command prompt type "open" and enter the IP address of the

printer you want to manage and hit enter.

Type "menu" and hit enter.

On the main menu page enter the number to choose TCP/IP settings and hit

enter.

On the TCP/IP menu page enter the number to choose TCP/IP - Access Control

and hit enter.

The command prompt will change to "Change settings ? [Y/N]" type "y" and

then enter.

On the resulting screen add the IP address and subnet mask of the computers

you want to be able to print to this printer, usually the server, and the IP

address and the IP address for the user computer making the change. This

entry is needed if there is ever a need to manage the printer via telnet

again. Without this entry the only way to manage the device remotely is by

using the Web Jetadmin or Telnet from the server.

When done entering information hit the enter key which will take you back to

the command prompt "Change settings ? [Y/N]" this time select "N" and follow

the directions to exit the program.

To delete entries from the access control list, instead of listing an IP

address enter the number "0". This will erase ALL entries from the access

control list. This is the default setting and the printer will accept jobs

from any IP address.

 

 

hth

DDS

 

 

 

 

"Yann" <Yann@discussions.microsoft.com> wrote in message

news:7D5A46B6-C9C1-494F-95DF-AB7DF3FE29DB@microsoft.com...

> Hi,

>

> Just wondering: is there an easy way to forbid users to connect/print

> directly on printers without going through my Windows 2003 print server?

>

> These are all kind of HP printers, and I want them to use the print server

> so I can control which drivers they are using and monitor the usage of

> printing.

>

> Thanks for any help
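The access control list described in the post above can be checked on paper before it is typed into the printer. The following is an added example, not part of the original post or any HP tool: it assumes an entry matches a source address when both are equal under the entry's subnet mask, and all addresses and function names are constructed for illustration.

```python
import ipaddress

def entry_matches(entry_ip, entry_mask, source_ip):
    """Assumed rule: an entry matches when both addresses agree under its mask."""
    mask = int(ipaddress.IPv4Address(entry_mask))
    entry = int(ipaddress.IPv4Address(entry_ip)) & mask
    source = int(ipaddress.IPv4Address(source_ip)) & mask
    return entry == source

def is_allowed(acl, source_ip):
    """An empty list is the default state from the post: any address is accepted."""
    if not acl:
        return True
    return any(entry_matches(ip, mask, source_ip) for ip, mask in acl)

def review_acl(acl, print_server, admin_hosts, workstations):
    """Return findings for a planned list of (ip, mask) entries."""
    findings = []
    if not acl:
        findings.append("ACL is empty: printer accepts jobs from any IP address")
    if not is_allowed(acl, print_server):
        findings.append(f"print server {print_server} is not allowed")
    if acl and not any(is_allowed(acl, host) for host in admin_hosts):
        findings.append("no admin workstation listed: remote management only from the server")
    for ws in workstations:
        if is_allowed(acl, ws):
            findings.append(f"workstation {ws} can still print directly")
    return findings

# Constructed sample network (not taken from the thread).
PRINT_SERVER = "192.168.10.5"
ADMIN_HOSTS = ["192.168.10.50"]
WORKSTATIONS = ["192.168.20.31", "192.168.10.77"]

GOOD = [("192.168.10.5", "255.255.255.255"), ("192.168.10.50", "255.255.255.255")]
WIDE = [("192.168.10.0", "255.255.255.0")]      # whole subnet, includes a workstation
SERVER_ONLY = [("192.168.10.5", "255.255.255.255")]

if __name__ == "__main__":
    for name, acl in [("good", GOOD), ("wide", WIDE),
                      ("server only", SERVER_ONLY), ("empty", [])]:
        print(name, review_acl(acl, PRINT_SERVER, ADMIN_HOSTS, WORKSTATIONS))
```
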

Guest Lanwench [MVP - Exchange]
Posted

Re: how to forbid users to connect directly to printers

 

Yann <Yann@discussions.microsoft.com> wrote:

> Hi,

>

> Just wondering: is there an easy way to forbid users to connect/print

> directly on printers without going through my Windows 2003 print

> server?

>

> These are all kind of HP printers, and I want them to use the print

> server so I can control which drivers they are using and monitor the

> usage of printing.

>

> Thanks for any help

 

Perhaps this is a silly suggestion, but if you don't give users local admin

or power user rights, they won't be *able* to do this (can't add local

printers or printer ports at all).

Posted

Re: how to forbid users to connect directly to printers

 

Lanwench, I totally agree with you... unfortunately it's too late, they have

already been granted local admin rights, that's why they can use printers

without using the server. But the suggestion was good.

 

Thanks

 

 

"Lanwench [MVP - Exchange]" wrote:

>

> Perhaps this is a silly suggestion, but if you don't give users local admin

> or power user rights, they won't be *able* to do this (can't add local

> printers or printer ports at all).

>

>

>

>

Posted

Re: how to forbid users to connect directly to printers

 

It's true that I was thinking about modifying a Group Policy or the

permissions for the user on the spool folder in C:\Windows\system32... but

the best solution is to do what you said: modify the ACL on the device

itself.

 

Thanks a lot for the recommendation, I think this is the best way to do it.

 

 

 

"Danny Sanders" wrote:

> Using HP Web Jet admin you can create an access control list in the network

> section and by listing only your server's IP address in the access control

> list and NOT their workstation's IP address, then only the server can print

> to the printer.

> I'm using version 8. This link is to version 10. I haven't used version 10.

> http://h20338.www2.hp.com/hpsub/cache/332262-0-0-225-121.html?jumpid=ex_r2845_go/webjetadmin/gc121306

>

>

> Or you can use telnet:

> Open a command prompt and type in telnet.

> On the resulting command prompt type "open" and enter the IP address of the

> printer you want to manage and hit enter.

> Type "menu" and hit enter.

> On the main menu page enter the number to choose TCP/IP settings and hit

> enter.

> On the TCP/IP menu page enter the number to choose TCP/IP - Access Control

> and hit enter.

> The command prompt will change to "Change settings ? [Y/N]" type "y" and

> then enter.

> On the resulting screen add the IP address and subnet mask of the computers

> you want to be able to print to this printer, usually the server, and the IP

> address and the IP address for the user computer making the change. This

> entry is needed if there is ever a need to manage the printer via telnet

> again. Without this entry the only way to manage the device remotely is by

> using the Web Jetadmin or Telnet from the server.

> When done entering information hit the enter key which will take you back to

> the command prompt "Change settings ? [Y/N]" this time select "N" and follow

> the directions to exit the program.

> To delete entries from the access control list, instead of listing an IP

> address enter the number "0". This will erase ALL entries from the access

> control list. This is the default setting and the printer will accept jobs

> from any IP address.

>

>

> hth

> DDS

Posted

Re: how to forbid users to connect directly to printers

 

It's true that it could work just fine, unfortunately my infrastructure

already uses VLANs but printers are connected on different VLANs that are

shared with users. But thanks a lot for the suggestion.

 

 

"Anthony" wrote:

> You could run a script that deletes all printers and adds only the ones you

> want, or deletes any printers that are not \\server\xxx

> I suppose you could also do something like put all printers on a VLAN behind

> a firewall and only allow connections from the server.

> Anthony, http://www.airdesk.co.uk

Guest Lanwench [MVP - Exchange]
Posted

Re: how to forbid users to connect directly to printers

 

Yann <Yann@discussions.microsoft.com> wrote:

> Lanwench, I totally agree with you... unfortunately it's too late,

> they have already been granted local admin rights, that's why they

> can use printers without using the server. But the suggestion was

> good.

>

> Thanks

>

 

OK, but that doesn't really explain why you can't *revoke* the rights.

Talk to the business owners about the dangers of granting users permissions

they don't actually require - they can get infested with very damaging

malware, viruses, can deliberately or inadvertently make changes to the

operating system & network, install illegal software (for which the company

is likely liable), etc.

 

 

>

> "Lanwench [MVP - Exchange]" wrote:

>>

>> Perhaps this is a silly suggestion, but if you don't give users

>> local admin or power user rights, they won't be *able* to do this

>> (can't add local printers or printer ports at all).

Posted

Re: how to forbid users to connect directly to printers

 

"Lanwench [MVP - Exchange]"

<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in

news:ekAGNMYFIHA.1324@TK2MSFTNGP06.phx.gbl:

> Yann <Yann@discussions.microsoft.com> wrote:

>> Lanwench, I totally agree with you... unfortunately it's too late,

>> they have already been granted local admin rights, that's why they

>> can use printers without using the server. But the suggestion was

>> good.

>>

>> Thanks

>>

>

> OK, but that doesn't really explain why you can't *revoke* the

> rights. Talk to the business owners about the dangers of granting users

> permissions they don't actually require - they can get infested with

> very damaging malware, viruses, can deliberately or inadvertently make

> changes to the operating system & network, install illegal software

> (for which the company is likely liable), etc.

>

>

>

>>

>> "Lanwench [MVP - Exchange]" wrote:

>>>

>>> Perhaps this is a silly suggestion, but if you don't give users

>>> local admin or power user rights, they won't be *able* to do this

>>> (can't add local printers or printer ports at all).

>

>

>

>

 

I may be jumping into this a bit late - can't see the beginning of this

thread - but many network connected printers have internal settings to

limit the IP numbers that they will accept connections from. You could

set this to only allow access from the server. Turn off unused protocols

like Appletalk/IPP/FTP printing... Another way is if the printer can do

DLC protocol, you can set it to only do this, and have the server connect

using DLC - there is often a setting to make it exclusive so that once a

connection is made, it is not released when the print job is done so that

another computer can connect (the server just has to get there first for

this to work).

 

Or, if you have control over the network and have the right type of

switches so that you can create a VLAN that only the printer and server

are in, other machines could not see the printer.

Guest Lanwench [MVP - Exchange]
Posted

Re: how to forbid users to connect directly to printers

 

a <b@c.d> wrote:

> "Lanwench [MVP - Exchange]"

> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in

> news:ekAGNMYFIHA.1324@TK2MSFTNGP06.phx.gbl:

>

>> Yann <Yann@discussions.microsoft.com> wrote:

>>> Lanwench, I totally agree with you... unfortunately it's too late,

>>> they have already been granted local admin rights, that's why they

>>> can use printers without using the server. But the suggestion was

>>> good.

>>>

>>> Thanks

>>>

>>

>> OK, but that doesn't really explain why you can't *revoke* the

>> rights. Talk to the business owners about the dangers of granting

>> users permissions they don't actually require - they can get

>> infested with very damaging malware, viruses, can deliberately or

>> inadvertently make changes to the operating system & network,

>> install illegal software (for which the company is likely liable),

>> etc.

>>

>>

>>

>>>

>>> "Lanwench [MVP - Exchange]" wrote:

>>>>

>>>> Perhaps this is a silly suggestion, but if you don't give users

>>>> local admin or power user rights, they won't be *able* to do this

>>>> (can't add local printers or printer ports at all).

>>

>>

>>

>>

>

> I may be jumping into this a bit late - can't see the beginning of

> this thread -

 

Try using msnews.microsoft.com as your NNTP server, and a regular newsreader

client....

> but many network connected printers have internal

> settings to limit the IP numbers that they will accept connections

> from.

 

This has already been suggested, yes. I still think it makes the most sense

to prevent users from having access to *try* stuff like this in the first

place, tho.

 

> You could set this to only allow access from the server. Turn

> off unused protocols like Appletalk/IPP/FTP printing... Another way

> is if the printer can do DLC protocol, you can set it to only do

> this, and have the server connect using DLC - there is often a

> setting to make it exclusive so that once a connection is made, it is

> not released when the print job is done so that another computer can

> connect (the server just has to get there first for this to work).

>

> Or, if you have control over the network and have the right type of

> switches so that you can create a VLAN that only the printer and

> server are in, other machines could not see the printer.

 

That's already been suggested too.... won't work for the OP.

