What right allows admins to see all printers

[Guest PGM]

We have applications loaded on our terminal servers that require users to be

member of the local admins group. The problem we have is that each of those

users can see and access printers of other users on the system. I need to be

able to prevent this from happening, is it possible? I'm assuming there is a

policy or maybe a registry key that controls this. Any help would be greatly

appreciated

[Guest Lanwench [MVP - Exchange]]

Re: What right allows admins to see all printers

 

PGM <pmatthews@chw.org> wrote:

> We have applications loaded on our terminal servers that require

> users to be member of the local admins group.

 

Ouch. Sure you can't fix that? It's a bad plan. If you can't get help from

the app vendor (you should at least holler at them to fix their sloppy code)

you can probably allow the app to run as a limited user - check out Process

Monitor 1.26 from Microsoft ( a nifty Sysinternals tool) and it should help

you identify where, in the registry and file system, these apps expect to

have permissions. Then you, as an admin, can modify the NTFS and registry

permissions accordingly, so end users have the appropriate rights. You still

may be opening up more than you need to, but it's certainly better than

admin rights for all!

> The problem we have

 

Oh, but you've got more problems than this one lurking, I assure you!

> is

> that each of those users can see and access printers of other users

> on the system. I need to be able to prevent this from happening, is

> it possible? I'm assuming there is a policy or maybe a registry key

> that controls this. Any help would be greatly appreciated

 

I'm sure someone can help you with the specifics (I'd try

m.p.windows.group_policy) but thought I'd post and suggest you render any

such fix unneccessary, by addressing the core problem. HTH.

[Guest Vera Noest [MVP]]

Re: What right allows admins to see all printers

 

"Lanwench [MVP - Exchange]"

<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote

on 26 nov 2007 in microsoft.public.windows.terminal_services:

> PGM <pmatthews@chw.org> wrote:

>> We have applications loaded on our terminal servers that

>> require users to be member of the local admins group.

>

> Ouch. Sure you can't fix that? It's a bad plan. If you can't get

> help from the app vendor (you should at least holler at them to

> fix their sloppy code) you can probably allow the app to run as

> a limited user - check out Process Monitor 1.26 from Microsoft (

> a nifty Sysinternals tool) and it should help you identify

> where, in the registry and file system, these apps expect to

> have permissions. Then you, as an admin, can modify the NTFS and

> registry permissions accordingly, so end users have the

> appropriate rights. You still may be opening up more than you

> need to, but it's certainly better than admin rights for all!

>

>> The problem we have

>

> Oh, but you've got more problems than this one lurking, I assure

> you!

 

I totally agree with the above.

>> is

>> that each of those users can see and access printers of other

>> users on the system. I need to be able to prevent this from

>> happening, is it possible? I'm assuming there is a policy or

>> maybe a registry key that controls this. Any help would be

>> greatly appreciated

>

> I'm sure someone can help you with the specifics (I'd try

> m.p.windows.group_policy) but thought I'd post and suggest you

> render any such fix unneccessary, by addressing the core

> problem. HTH.

 

No, this isn't possible. Administrators and Printer Operators see

all printers and there's no way to take that right away from them

through a registry setting or GPO, AFAIK.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___