Enhancing Printer Security with Delegated Administration in Windows Server

Planning and implementing robust security measures for your print servers is crucial for any organization. Restricting access and managing permissions effectively safeguards sensitive information and ensures operational integrity. In earlier Windows operating systems like Windows Vista® and Windows Server® 2008, print administration was largely confined to full system administrators. However, Windows Server 2008 R2 and Windows Server 2012 introduced significant improvements, enabling the delegation of print management tasks to non-administrator users. Furthermore, these versions allow for the configuration of default printer security settings, which are automatically applied to new printers added to the server, streamlining security management and ensuring consistency.

These advancements bring several key benefits to printer and print server administration:

  • Granular Access Control: Delegate specific print administrative responsibilities to users without granting them full system administrator privileges. This allows for better resource allocation and workload balancing, enhancing overall security and efficiency.
  • Simplified Permission Management: Utilize the user-friendly interface of the Security tab within the Print Server Properties dialog box to effectively manage permission settings.
  • Consistent Security Policies: Establish default printer security settings at the server level. New printers automatically inherit these configurations, eliminating the need for individual printer configuration and ensuring consistent security across your printing infrastructure.

Understanding and Configuring Security Settings

This section will guide you through the configuration of print server security settings.

Note: Configuration of print server security is restricted to members of the Administrators group.

Navigating the Print Server Security User Interface

Windows Server 2012 provides a direct and intuitive user interface for administrators to manage print security settings. Members of the Administrators group can directly modify print server access control list (ACL) permissions through the Print Management Microsoft Management Console (MMC) snap-in.

To access the ACL permissions for your print server:

  1. Open Server Manager.
  2. Click Tools.
  3. Select Print Management.
  4. In the left-hand pane, expand Print Servers.
  5. Right-click the desired print server.
  6. Click Properties.
  7. In the Print Server Properties dialog box, navigate to the Security tab.

Figure 1 illustrates the Security tab interface as seen by a user with Administrator privileges.


Figure 1: Print Server Properties Security tab

Administrators within a domain can remotely manage print server security settings using the Print Management snap-in. While remote viewing of the print server security user interface is supported for older operating systems like Windows Server 2008 and Windows Vista (with SP1 or SP2), the delegated print administrator functionality is exclusive to Windows Server 2008 R2 and Windows Server 2012.

Defining Permissions within Print Server Properties

Print server permissions dictate the level of access users have to a specific print server. Printer permissions, on the other hand, control the printing tasks users can perform on newly added printers managed by the server. Administrators should carefully assign these permissions to non-administrator users based on their roles and responsibilities.

Once an administrator customizes the security settings for a print server, all subsequently added printers will automatically inherit these settings. It’s important to note that security settings for existing printers on the server remain unchanged.

There are two tiers of print server permissions:

  • View Server: This permission grants users the ability to view the print server. Without this permission, users will not be able to see the printers managed by the server. By default, the “View Server” permission is granted to the Everyone group.
  • Manage Server: The “Manage Server” permission empowers users to create and delete print queues (using pre-installed drivers), add or remove ports, and manage forms. Users with “Manage Server” permission, who are not system administrators, are designated as “delegated print administrators.”

Note: Adding printer drivers requires “Manage Server” access and membership in the Administrators group.

Printer permissions are categorized into three levels:

  • Print: The “Print” permission allows users to connect to printers and perform basic printing tasks, including printing documents, pausing, resuming, starting, and canceling their own print jobs. By default, the “Print” permission is assigned to the Everyone group when a print queue is created.
  • Manage Documents: Users with “Manage Documents” permission can control job settings for all documents and can pause, restart, and delete any print job within the queue.
  • Manage Printers: The “Manage Printers” permission provides extensive control over a printer. Users with this permission can pause and restart the printer, modify spooler settings, share the printer, adjust printer permissions, and change printer properties.

The ability to assign printer access on a per-user or per-group basis offers centralized printer management. For instance, administrators can restrict access to a printer in a public area while maintaining control from a secure, central location.

The default print server and printer security settings in Windows Server 2012 are outlined below:

| Permission       | Everyone | Creator Owner | Administrators |
|------------------|----------|---------------|----------------|
| Print            | Allow    | Allow         | Allow          |
| Manage Documents | Allow    | Allow         | Allow          |
| Manage Printers  |          |               | Allow          |
| View Server      | Allow    | Allow         | Allow          |
| Manage Server    |          |               | Allow          |

Creating a Delegated Print Administrator

Members of the Administrators group can easily create delegated print administrators. Assigning the “Manage Server” permission to a user automatically grants them “View Server” permission as well, effectively making them a full delegated print administrator. Alternatively, you can delegate a subset of these permissions to create a partial delegated print administrator, tailored to specific needs.

Steps to Create a Full Delegated Print Administrator

  1. Open Server Manager, click Tools, and then select Print Management.

  2. In the left pane, navigate to Print Servers, right-click the relevant print server, and choose Properties.

  3. In Print Server Properties, click the Security tab.

  4. To configure permissions for a new user or group, click Add. Enter the user or group name using the format domain name\username. Click OK to confirm.

    Tip: It’s recommended to create user groups for delegated print tasks and configure permissions before adding printers to the server. This ensures that all new printers automatically inherit these settings, eliminating the need for individual printer configuration.

  5. Select the newly added user or group name. In the “Permissions for ” section, check the Allow box for the Manage Server permission. (The View Server permission will be automatically selected.)

  6. Optionally, select the Allow check boxes for Print, Manage Documents, and Manage Printers permissions if you wish to grant these additional rights to the delegated administrator.

Creating a Partial Delegated Print Administrator

  • To enable an administrator to add printers: Follow the steps above, but only select the Allow check boxes for Manage Server and Print permissions. “View Server” permission is automatically included.
  • To enable an administrator to manage existing print queues: Follow the steps above, but select the Allow check boxes for View Server, Print, Manage Documents, and Manage Printers permissions.
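The default printer ACL described in the table above and the queue-level rights of a "manage existing queues" partial delegated administrator can both be inspected and applied from Windows PowerShell. The following is an added example, not code from the original article or from the PrintManagement module. It assumes Windows Server 2012 or later with the Get-Printer and Set-Printer cmdlets available; the group name, the sample SDDL string and the printer name are placeholders, not values from the article. The script resolves the three printer permissions to the access-mask bits the Security tab writes (Manage Printers and Print as bits on the printer object, Manage Documents as an inherit-only ACE for job objects), reports every principal on every queue, flags Everyone holding Manage Printers or any explicit deny, and can append the two ACEs that grant a group Manage Printers plus Manage Documents on one queue.

```powershell
# Added example, not part of the original article or of the PrintManagement module.
# Assumes Windows Server 2012+ with Get-Printer/Set-Printer; group name, sample SDDL
# and printer name below are placeholders.

# Access-mask bits (winspool.h) behind the three printer permissions on the Security tab.
$PRINTER_ACCESS_ADMINISTER = 0x4    # Manage Printers
$PRINTER_ACCESS_USE        = 0x8    # Print
$JOB_ACCESS_ADMINISTER     = 0x10   # Manage Documents (carried by an inherit-only ACE for job objects)
$STANDARD_RIGHTS = 0x10000 -bor 0x20000 -bor 0x40000 -bor 0x80000   # DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER

function ConvertFrom-PrinterSddl {
    # Translate a printer security descriptor (SDDL) into one record per principal and right.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $inheritOnly = ([int]$ace.AceFlags -band [int][System.Security.AccessControl.AceFlags]::InheritOnly) -ne 0
        $rights = @()
        if ($inheritOnly) {
            # Inherit-only ACEs apply to print jobs, not to the printer itself.
            if ($ace.AccessMask -band $JOB_ACCESS_ADMINISTER) { $rights += 'Manage Documents' }
        } else {
            if ($ace.AccessMask -band $PRINTER_ACCESS_ADMINISTER) { $rights += 'Manage Printers' }
            if ($ace.AccessMask -band $PRINTER_ACCESS_USE)        { $rights += 'Print' }
        }
        if ($rights.Count -eq 0) { continue }
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID (deleted account, foreign domain)
        [pscustomobject]@{
            Principal = $name
            Sid       = $ace.SecurityIdentifier.Value
            Access    = $ace.AceQualifier                 # AccessAllowed or AccessDenied
            Rights    = ($rights -join ', ')
        }
    }
}

function Get-PrinterPermissionReport {
    # Audit every queue on a print server: Everyone should not hold Manage Printers,
    # and explicit deny entries deserve a second look.
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($printer in Get-Printer -ComputerName $ComputerName -Full) {
        foreach ($entry in ConvertFrom-PrinterSddl -Sddl $printer.PermissionSDDL) {
            $note = ''
            if ($entry.Sid -eq 'S-1-1-0' -and $entry.Rights -match 'Manage Printers') { $note = 'Everyone can manage this printer' }
            elseif ($entry.Access -eq 'AccessDenied') { $note = 'explicit deny' }
            [pscustomobject]@{ Printer = $printer.Name; Principal = $entry.Principal
                               Access = $entry.Access; Rights = $entry.Rights; Note = $note }
        }
    }
}

function Grant-QueueManagement {
    # Give one group the queue-level rights of a "manage existing queues" partial delegated
    # admin (Manage Printers + Manage Documents) on a single printer, as the Security tab would.
    param([Parameter(Mandatory)][string]$PrinterName,
          [Parameter(Mandatory)][string]$GroupName,      # e.g. 'CONTOSO\PrintQueueAdmins' (placeholder)
          [string]$ComputerName = $env:COMPUTERNAME)
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $printer = Get-Printer -ComputerName $ComputerName -Name $PrinterName -Full
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($printer.PermissionSDDL)
    $allowed = [System.Security.AccessControl.AceQualifier]::AccessAllowed
    # Manage Printers: ACE on the printer object itself.
    $printerAce = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None, $allowed,
        ($PRINTER_ACCESS_ADMINISTER -bor $PRINTER_ACCESS_USE -bor $STANDARD_RIGHTS), $sid, $false, $null)
    # Manage Documents: inherit-only ACE that applies to the jobs in the queue.
    $jobFlags = [System.Security.AccessControl.AceFlags]'ObjectInherit, InheritOnly'
    $jobAce = New-Object System.Security.AccessControl.CommonAce(
        $jobFlags, $allowed, ($JOB_ACCESS_ADMINISTER -bor 0x20 -bor $STANDARD_RIGHTS), $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $printerAce)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $jobAce)
    Set-Printer -ComputerName $ComputerName -Name $PrinterName `
        -PermissionSDDL $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample ACL for an offline run: Everyone = Print, Creator Owner = Manage Documents,
# Administrators = Manage Printers + Manage Documents.
$sampleSddl = 'O:BAG:SYD:(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)'
ConvertFrom-PrinterSddl -Sddl $sampleSddl | Format-Table -AutoSize

# Against a real server (requires membership in Administrators on that server):
# Get-PrinterPermissionReport -ComputerName 'PRINTSRV01' | Where-Object Note | Format-Table -AutoSize
# Grant-QueueManagement -ComputerName 'PRINTSRV01' -PrinterName 'Lobby-Printer' -GroupName 'CONTOSO\PrintQueueAdmins'
```

Grant-QueueManagement changes only the one queue it is pointed at; it does not touch the print server ACL, which remains a Security tab operation as described in the steps above. Running Get-PrinterPermissionReport after a delegation change is a cheap way to confirm that the inheritance rule from the defaults table (new queues inherit, existing queues do not) produced the ACLs you expected.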

Print Permissions and Associated Tasks

The following table details the print-related tasks enabled by each permission level, as configured within the Print Server Properties Security tab.

| Task | Print | Manage Printers | Manage Documents | View Server | Manage Server |
|------|-------|-----------------|------------------|-------------|---------------|
| View the print queue (on the local server) | Yes | Yes | Yes | Yes | Yes |
| Print owned documents to the queue | Yes | Yes | Yes | Yes | Yes |
| View, pause, restart, and cancel all print jobs in a queue | | Yes | Yes | | Yes |
| Update installed or included drivers, and drivers available from Windows Update, to an existing queue (Note: this does not apply to clustered print environments) | | Yes | | | Yes |
| Add or delete a form in a queue | | Yes | | | Yes |
| View the printer properties | Yes | Yes | Yes | Yes | Yes |
| View the print server properties | | Yes | | Yes | Yes |
| Configure printer security permissions in a print queue | | Yes | | | Yes |
| Manage the print server security descriptor (setServerSecurityDescriptor flag) | | | | | Yes |
| Add a print queue to a print server | | Yes (drivers pre-installed) | | | Yes (drivers pre-installed) |
| Delete a print queue from a print server | | Yes (own queues) | | | Yes (any queue) |
| Add a print driver to a print server | | Yes (locally; Admin group for remote) | | | Yes (locally; Admin group for remote) |
| Delete a print driver from a print server | | Yes (drivers only) | | | Yes (drivers only) |
| Add, delete, and configure ports on a print server | | | | | Yes |
| Add and delete a form on a print server | | Yes (user forms, with registry setting) | | | Yes (all forms) |
| Share the printer | | Yes (with File and Printer Sharing exceptions) | | | Yes (with File and Printer Sharing exceptions) |

Designing Effective Print Security Groups

Consider the following suggested print security groups and their corresponding permissions to streamline your security design:

  • System Administrators Group: Includes members of the built-in Administrators security group. These users retain full administrative control.
  • Print Administrators Group: Comprises System Administrators and users granted delegated print administrator rights. Depending on the assigned permissions, members can be classified as full or partial delegated administrators.

Note: For enhanced security, instead of adding entire groups to these print security groups, consider adding individual members and assigning permissions meticulously. This mitigates potential over-privileging of large groups.

The table below summarizes the actions permitted based on different permission assignments for various user roles:

| Action | Standard Users (Print, View Server) | Partial Delegated Admins: add printers (Print, View Server, Manage Server) | Partial Delegated Admins: manage existing queues (Print, View Server, Manage Printers, Manage Documents) | Full Delegated Admins (all permissions) | System Administrators (all permissions) |
|--------|-------------------------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|------------------------------------------|------------------------------------------|
| View the print queue on the local server | Yes | Yes | Yes | Yes | Yes |
| Print to the queue | Yes | Yes | Yes | Yes | Yes |
| View, pause, restart, or cancel print jobs owned by the user in a queue | Yes | Yes | Yes | Yes | Yes |
| Modify all print jobs in a queue | | | Yes | Yes | Yes |
| Update an installed or included driver to an existing queue | | | Yes | Yes | Yes |
| Add or delete a form in the queue | | | Yes | Yes | Yes |
| View the printer properties | Yes | Yes | Yes | Yes | Yes |
| View the print server properties | Yes | Yes | Yes | Yes | Yes |
| Manage security permissions on the print queue | | | Yes | Yes | Yes |
| Manage the print server security descriptor (setServerSecurityDescriptor flag) | | | | Yes | Yes |
| Add and delete the print queue on a server | | Yes (pre-installed drivers only) | Yes (Manage Printers permission to delete) | Yes (pre-installed drivers only) | Yes |
| Add and delete a print driver on a server | | Yes (locally; Admin group for remote) | Yes (locally; Admin group for remote) | Yes (locally; Admin group for remote) | Yes |
| Add, delete, and configure ports on a print server | | | | Yes | Yes |
| Add and delete a form on a print server | | | | Yes | Yes |
| Share the printer | | Yes (File and Printer Sharing exceptions) | Yes (File and Printer Sharing exceptions) | Yes (File and Printer Sharing exceptions) | Yes (File and Printer Sharing exceptions) |

Note: It is highly recommended that only members of the System Administrators group install printer drivers, especially for remote queue management. If delegated print administrators need to remotely add or manage queues, system administrators should pre-install drivers, using Windows PowerShell® or manually, into the following directory: %systemdrive%\Windows\System32\spool\drivers\<processor_architecture>\3

For further details on Windows PowerShell Print Management cmdlets, refer to Print Management Cmdlets in Windows PowerShell.
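The pre-staging workflow from the note above, as an added example that is not code from the original article or from the PrintManagement module: a member of Administrators stages the driver with Add-PrinterDriver and verifies it with Get-PrinterDriver, after which a delegated print administrator holding only Manage Server can create the port and queue with Add-PrinterPort and Add-Printer. The driver name, INF path, server name, port address and printer name are placeholders; the cmdlets and their parameters are the PrintManagement ones shipped with Windows Server 2012 and later.

```powershell
# Added example, not from the original article. Placeholders: driver name, INF path,
# server name, port address (TEST-NET range) and printer name.

function Install-StagedPrinterDriver {
    # Run as a member of Administrators on the print server. Stages the driver once so that
    # delegated print administrators (Manage Server only) can later bind queues to it.
    param(
        [Parameter(Mandatory)][string]$DriverName,
        [string]$InfPath,                                  # only needed when the driver is not yet in the driver store
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $driver = Get-PrinterDriver -ComputerName $ComputerName -Name $DriverName -ErrorAction SilentlyContinue
    if ($driver) { return $driver }                        # already staged; nothing to do
    if ($InfPath) { Add-PrinterDriver -ComputerName $ComputerName -Name $DriverName -InfPath $InfPath }
    else          { Add-PrinterDriver -ComputerName $ComputerName -Name $DriverName }
    Get-PrinterDriver -ComputerName $ComputerName -Name $DriverName
}

function Test-StagedDriverFiles {
    # Confirm the staged driver's files are on disk. Only meaningful when run on the
    # print server itself, since DataFile/ConfigFile are local paths there.
    param([Parameter(Mandatory)]$Driver)
    $missing = @()
    foreach ($file in @($Driver.DataFile, $Driver.ConfigFile) | Where-Object { $_ }) {
        if (-not (Test-Path -LiteralPath $file)) { $missing += $file }
    }
    [pscustomobject]@{ Driver = $Driver.Name; FilesPresent = ($missing.Count -eq 0); Missing = $missing }
}

# Step 1 (system administrator): stage the driver ahead of time.
$staged = Install-StagedPrinterDriver -ComputerName 'PRINTSRV01' -DriverName 'Example Vendor PCL6 Driver' `
                                      -InfPath 'C:\Staging\example-vendor\oemsetup.inf'
Test-StagedDriverFiles -Driver $staged

# Step 2 (delegated print administrator with Manage Server): create the port and queue.
# Add-Printer only succeeds here because the driver was pre-installed in step 1.
Add-PrinterPort -ComputerName 'PRINTSRV01' -Name 'IP_192.0.2.10' -PrinterHostAddress '192.0.2.10'
Add-Printer     -ComputerName 'PRINTSRV01' -Name 'Lobby-Printer' -DriverName 'Example Vendor PCL6 Driver' `
                -PortName 'IP_192.0.2.10'
```

Keeping step 1 with system administrators and step 2 with delegated administrators is exactly the split the permission tables describe: driver installation stays with the Administrators group, while queue and port creation can be handed to a delegated administrator without widening their rights.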
