What right allows admins to see all printers

PGM

Guest
We have applications loaded on our terminal servers that require users to be
members of the local admins group. The problem we have is that each of those
users can see and access printers of other users on the system. I need to be
able to prevent this from happening, is it possible? I'm assuming there is a
policy or maybe a registry key that controls this. Any help would be greatly
appreciated
 
Re: What right allows admins to see all printers

PGM <pmatthews@chw.org> wrote:
> We have applications loaded on our terminal servers that require
> users to be members of the local admins group.


Ouch. Sure you can't fix that? It's a bad plan. If you can't get help from
the app vendor (you should at least holler at them to fix their sloppy code)
you can probably allow the app to run as a limited user - check out Process
Monitor 1.26 from Microsoft (a nifty Sysinternals tool) and it should help
you identify where, in the registry and file system, these apps expect to
have permissions. Then you, as an admin, can modify the NTFS and registry
permissions accordingly, so end users have the appropriate rights. You still
may be opening up more than you need to, but it's certainly better than
admin rights for all!

> The problem we have


Oh, but you've got more problems than this one lurking, I assure you!

> is
> that each of those users can see and access printers of other users
> on the system. I need to be able to prevent this from happening, is
> it possible? I'm assuming there is a policy or maybe a registry key
> that controls this. Any help would be greatly appreciated


I'm sure someone can help you with the specifics (I'd try
m.p.windows.group_policy) but thought I'd post and suggest you render any
such fix unnecessary, by addressing the core problem. HTH.
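
The Process Monitor approach suggested in the reply above, as an added example that is not part of the original thread: summarize the ACCESS DENIED events for one application so you know which files and registry keys need adjusted permissions. It assumes the trace was captured while the app ran as a limited test user and exported to CSV with Process Monitor's default columns; `legacyapp.exe` and all paths are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of a Process Monitor CSV export
# (default columns). The application name and paths are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.9","legacyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\LegacyApp","SUCCESS","Desired Access: Read"
"10:01:03.0","legacyapp.exe","4120","RegCreateKey","HKLM\SOFTWARE\LegacyApp\Options","ACCESS DENIED","Desired Access: Read/Write"
"10:01:03.2","explorer.exe","1880","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:03.7","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\logs\app.log","ACCESS DENIED","Desired Access: Generic Write"
'''

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")


def summarize_denied(csv_text, process_name):
    """Return (kind, path, operation, count) tuples for one process's
    ACCESS DENIED events, most frequent first."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Ignore other processes so unrelated noise does not widen the ACLs.
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue
        path = row["Path"]
        kind = "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file"
        counts[(kind, path, row["Operation"])] += 1
    return sorted(
        ((kind, path, op, n) for (kind, path, op), n in counts.items()),
        key=lambda r: (-r[3], r[1]),
    )


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop a BOM.
    for kind, path, op, n in summarize_denied(SAMPLE_CSV, "legacyapp.exe"):
        print(f"{n:3d}  {kind:8s}  {op:12s}  {path}")
```

Each path in the output is a candidate for a narrowly scoped NTFS or registry permission change for the users who run the app, in place of local admin membership.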
 
Re: What right allows admins to see all printers

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote
on 26 nov 2007 in microsoft.public.windows.terminal_services:

> PGM <pmatthews@chw.org> wrote:
>> We have applications loaded on our terminal servers that
>> require users to be members of the local admins group.

>
> Ouch. Sure you can't fix that? It's a bad plan. If you can't get
> help from the app vendor (you should at least holler at them to
> fix their sloppy code) you can probably allow the app to run as
> a limited user - check out Process Monitor 1.26 from Microsoft (
> a nifty Sysinternals tool) and it should help you identify
> where, in the registry and file system, these apps expect to
> have permissions. Then you, as an admin, can modify the NTFS and
> registry permissions accordingly, so end users have the
> appropriate rights. You still may be opening up more than you
> need to, but it's certainly better than admin rights for all!
>
>> The problem we have

>
> Oh, but you've got more problems than this one lurking, I assure
> you!


I totally agree with the above.

>> is
>> that each of those users can see and access printers of other
>> users on the system. I need to be able to prevent this from
>> happening, is it possible? I'm assuming there is a policy or
>> maybe a registry key that controls this. Any help would be
>> greatly appreciated

>
> I'm sure someone can help you with the specifics (I'd try
> m.p.windows.group_policy) but thought I'd post and suggest you
> render any such fix unnecessary, by addressing the core
> problem. HTH.


No, this isn't possible. Administrators and Printer Operators see
all printers and there's no way to take that right away from them
through a registry setting or GPO, AFAIK.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 