Printer access based on active directory site


  • Printer access based on active directory site

    Hi!

    We have two sites in Active Directory. We have one print server.

    We want computers in siteA to be able to access printers in both siteA and siteB but computers in siteB should only be able to access printers in siteB.

    We can restrict printer access on user level because users might work in both sites.

    Is this possible to do? Any good ideas on how to solve this if not?

  • #2
    Re: Printer access based on active directory site

    Hmmm, I'm not sure if Windows could provide this, but you could set up a separate VLAN on the remote site, put the printers into it and make sure routing to that subnet is not possible over the remote connection (VPN?)

    Downside: you can't remotely manage the printers. You would have to log on to a client/server at the remote side.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Printer access based on active directory site

      Create 2 AD groups:

      gPrn_SiteA
      gPrn_SiteB

      Both groups should be Global Security groups.

      gPrn_SiteA should have members from your already defined group, say, gSec_SiteA_Users.

      gPrn_SiteB should have members from your already defined group, say, gSec_SiteB_Users.

      Place these groups in your logon script as such:

      Code:
      ' Connect Windows printer based on Group Membership
      intNum = ConnectGroupPrinters (objLogFileName, strUserNameADsPath)
      
      ....
      
      Private Function ConnectGroupPrinters (objFileName, strUserNameADsPath)
      ....
      ....
      End Function

      This will automatically map the relevant printers to the relevant users.

      Go to the Security tab of Printers in site A and add the group gPrn_SiteA. This allows all users in Site A to access their local printers.

      Go to the Security tab of Printers in site B and add the group gPrn_SiteA & gPrn_SiteB. This allows all users in Site B to access their local printers plus users from Site A.

      Do this for all printers in all sites.

      PS, I've vaguely seen a way in which Sites & Services is used to allow printers to show up for users in specific sites when they do a Search For Printers. I'll see if I can dig that up.
      |
      +-- JDMils
      |
      +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
      |
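
An added example, not part of JDMils's post: a PowerShell check that each printer's ACL grants Print only to the groups intended for its site. New shared printers grant Everyone the Print permission by default, so adding the groups restricts nothing until that entry is removed; the printer names, SIDs and SDDL strings below are constructed stand-ins.

```powershell
# Added example; the SIDs, SDDL strings and printer names below are constructed.
$PrintRight  = 0x8   # PRINTER_ACCESS_USE, the "Print" permission bit
$InheritOnly = [int][System.Security.AccessControl.AceFlags]::InheritOnly

function Get-UnexpectedPrintAce {
    param([string]$PrinterName, [string]$Sddl, [string[]]$AllowedSids)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Keep only allow-ACEs that apply to the printer itself and grant Print
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (([int]$ace.AceFlags -band $InheritOnly) -ne 0) { continue }
        if (($ace.AccessMask -band $PrintRight) -eq 0) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($AllowedSids -notcontains $sid) {
            [pscustomobject]@{
                Printer = $PrinterName
                Sid     = $sid
                Mask    = '0x{0:X}' -f $ace.AccessMask
            }
        }
    }
}

# Constructed SIDs standing in for gPrn_SiteA and gPrn_SiteB
$SiteA  = 'S-1-5-21-1111111111-2222222222-3333333333-1601'
$SiteB  = 'S-1-5-21-1111111111-2222222222-3333333333-1602'
$Admins = 'S-1-5-32-544'   # BUILTIN\Administrators

# Intended policy from the post: site A printers get gPrn_SiteA,
# site B printers get gPrn_SiteA and gPrn_SiteB.
$Policy = @{
    'PRN-A-01' = @($Admins, $SiteA)
    'PRN-B-01' = @($Admins, $SiteA, $SiteB)
}

# Constructed ACLs: PRN-A-01 wrongly includes gPrn_SiteB,
# PRN-B-01 still carries the default Everyone (WD) Print entry.
$Printers = @(
    @{ Name = 'PRN-A-01'; Sddl = "D:(A;;0xF000C;;;BA)(A;;0x20008;;;$SiteA)(A;;0x20008;;;$SiteB)" }
    @{ Name = 'PRN-B-01'; Sddl = "D:(A;;0xF000C;;;BA)(A;;0x20008;;;WD)(A;;0x20008;;;$SiteA)(A;;0x20008;;;$SiteB)" }
)
foreach ($p in $Printers) {
    Get-UnexpectedPrintAce -PrinterName $p.Name -Sddl $p.Sddl -AllowedSids $Policy[$p.Name]
}
```

On the print server itself, the `Name` and `PermissionSDDL` properties returned by `Get-Printer -Full` can be passed in place of the constructed entries.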



      • #4
        Re: Printer access based on active directory site

        Hi and thank you for answering!

        JDMils's solution is based on user rights, and as I wrote, users might work at both sites.

        The other thing JDMils is writing about is called printer location tracking. This is something I have looked at - but as far as I can understand this only puts a default value in the location field of the printer search. The user can change this, and can still add printers from the other site.

        The reason for this is that users have access to different applications on the different sites and we do not want prints from "secret" siteB to a printer in siteA.



        • #5
          Re: Printer access based on active directory site

          Originally posted by JDMils:
          PS, I've vaguely seen a way in which Sites & Services is used to allow printers to show up for users in specific sites when they do a Search For Printers. I'll see if I can dig that up.

          It's called "Printer Location Tracking" and is a right PITA to set up!
          For more info, look at:
          http://technet2.microsoft.com/window....mspx?mfr=true
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Printer access based on active directory site

            I think an additional VLAN is the nicest way to accomplish this.
            Marcel


            • #7
              Re: Printer access based on active directory site

              Have you considered using Group Policy-based printing (which comes with Windows 2003 R2)? Then you can use GPOs to assign printers to computers automatically rather than to users.
              Obviously computers can only be used in one location (except laptops), and thus this would work for different sites.

              See this article:
              http://technet2.microsoft.com/Window....mspx?mfr=true



              • #8
                Re: Printer access based on active directory site

                Originally posted by pjhutch:
                Have you considered using Group Policy-based printing (which comes with Windows 2003 R2)? Then you can use GPOs to assign printers to computers automatically rather than to users.

                As far as I have understood this, users can still add printers that the GPO is not assigning to the computer they are using? Or is there a GPO setting to stop users from adding printers AND use the R2 Printing GPO to add the one we want?
