Assigning Delegated Print Administrator and Printer Permission Settings in Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

Planning security for your print servers and determining how to restrict access to them is an important part of print server administration. In Windows Vista® and Windows Server® 2008, only full system administrators were able to perform print administrative tasks. In Windows Server 2008 R2, you can now delegate print management tasks directly to users who are not system administrators. You can also define default printer security settings that are inherited when you add new printers to your print server.

These changes enable the following improvements for printer and print server administration:

  • You can control access to resources and balance workloads by delegating specific print administrative tasks to users without adding them to the Administrators security group.

  • You can manage permission settings through the improved user interface of the Security tab in the Print Server Properties dialog box.

  • You can manage your printer infrastructure by configuring default printer security settings that new printers inherit automatically when you add them. You configure the settings once per server, so you do not have to configure each printer individually.

Configuring security settings

This section covers the following:

  • The print server security user interface

  • Setting permissions in Print Server Properties

  • Creating a delegated print administrator

  • Print-related permissions and the tasks they enable

  • Designing and creating print security groups

Note

Print server security can be configured only by members of the Administrators group.

The print server security user interface

In Windows Server 2008 R2, users in the Administrators group can configure the print security settings directly by editing the print server access control list (ACL) permissions in the Print Management Microsoft Management Console (MMC) snap-in. (To view the ACL permissions for your print server, click Start, click Administrative Tools, right-click Print Management, and then click Run as administrator. In the left pane, click Print Servers, right-click the applicable print server, and then click Properties. In the Print Server Properties dialog box, click the Security tab.)

Figure 1 shows the user interface of the Security tab that is opened by a user who is a member of the Administrators group.

Figure 1   Print Server Properties Security tab

In a domain, members of the Administrators group can configure the print server security settings remotely by using the Print Management snap-in. Viewing the print server security user interface remotely is also supported on certain earlier operating systems, including Windows Server 2008, Windows Vista with SP1, and Windows Vista with SP2. However, the delegated print administrator functionality is currently available only on Windows Server 2008 R2.

Setting permissions in Print Server Properties

Print server permissions control the levels of access for users on a particular print server. Printer permissions control which printing tasks users can perform on newly added printers that are managed by the print server. Administrators should assign these permissions as needed to users who are not system administrators.

After an administrator customizes the security settings for the print server, all printers subsequently added to this print server automatically inherit these security settings. (The security settings for printers that already exist on the server are not altered.)

The two levels of print server permissions are:

  • View Server

    The View Server permission assigns the ability to view the print server. Without the View Server permission, users cannot see the printers that are managed by the server. By default, this permission is given to members of the Everyone group.

  • Manage Server

    The Manage Server permission assigns the ability to create and delete print queues (with already installed drivers), add or delete ports, and add or delete forms. A standard user with this permission is called a “delegated print administrator.”

Note

Only users who have Manage Server access and are members of the Administrators group can add printer drivers.

The three levels of printer permissions are:

  • Print

    The Print permission assigns the ability for users to connect to printers and to print, pause, resume, start, and cancel their own documents. By default, this permission is given to members of the Everyone group when a print queue is created.

  • Manage Documents

    The Manage Documents permission assigns the ability to control job settings for all documents and to pause, restart, and delete all documents.

  • Manage Printers

    The Manage Printers permission assigns the ability to pause and restart the printer, change spooler settings, share a printer, adjust printer permissions, and change printer properties.

The ability to assign access to a printer on a per-user or a per-group basis makes it possible to manage printers from a central location. For example, an administrator could limit access to a printer in a public area while managing the printer from a more secure, central location.

In Windows Server 2008 R2, the default print server and printer security settings are as follows:

                      Everyone    Creator Owner    Administrators
  Print               Allow       -                Allow
  Manage Documents    -           Allow            Allow
  Manage Printers     -           -                Allow
  View Server         Allow       -                Allow
  Manage Server       -           -                Allow

Creating a delegated print administrator

Members of the Administrators group can create a full delegated print administrator by assigning the Manage Server permission to a user. When the Manage Server permission is assigned, the View Server permission is also automatically assigned. You can also delegate a subset of these permissions to create a partial delegated print administrator.

To create a full delegated print administrator

  1. Click Start, click Administrative Tools, right-click Print Management, and then click Run as administrator.

    In the left pane, click Print Servers, right-click the applicable print server, and then click Properties.

    In Print Server Properties, click the Security tab.

  2. To configure permissions for a new group or user, click Add. Type the name of the group or user that you want to set permissions for by using the following format: domain name\username. Click OK to close the dialog box.

Tip

Before adding any printers to the server, you should create a group of users who can perform delegated print tasks, and then configure the proper permissions. If you do this, all newly added printers automatically inherit these settings, and you do not have to individually configure existing printers for the print server.

  3. Highlight the user or group name that you just added, and in Permissions for <user or group name>, click Allow for the Manage Server permission. (The View Server permission is assigned too.)

  4. Select the Allow check boxes for the Print, Manage Documents, and Manage Printers permissions.

To create a partial delegated print administrator

  • To enable an administrator to add printers:

    Follow the previous instructions, but select the Allow check boxes for the Manage Server and Print permissions. (View Server permission is assigned automatically too.)

  • To enable an administrator to manage existing print queues:

    Follow the previous instructions, but select the Allow check boxes for the View Server, Print, Manage Documents, and Manage Printers permissions.

The following table lists the print tasks that a user can perform when assigned the corresponding permissions from the Print Server Properties Security tab.

  Task                                                                                          Print   Manage     Manage      View     Manage
                                                                                                        Printers   Documents   Server   Server
  View the print queue (on the local server)                                                    Yes     -          -           -        -
  Print owned documents to the queue                                                            Yes     -          -           -        -
  View, pause, restart, and cancel all print jobs in a queue                                    -       -          Yes         -        -
  Update installed or included drivers, and drivers available from Windows Update,
    to an existing queue (a)                                                                    -       Yes        -           -        -
  Add or delete a form in a queue                                                               -       Yes        -           -        -
  View the printer properties                                                                   Yes     -          -           -        -
  View the print server properties                                                              -       -          -           Yes      -
  Configure printer security permissions in a print queue                                       -       Yes        -           -        -
  Manage the print server security descriptor (setServerSecurityDescriptor flag) (b)            -       -          -           -        -
  Add a print queue to a print server                                                           -       -          -           -        Yes (c)
  Delete a print queue from a print server                                                      -       -          -           -        Yes (d)
  Add a print driver to a print server                                                          -       -          -           -        Yes (e)
  Delete a print driver from a print server                                                     -       -          -           -        Yes (f)
  Add, delete, and configure ports on a print server                                            -       -          -           -        Yes
  Add and delete a form on a print server                                                       -       (g)        -           -        Yes
  Share the printer                                                                             -       Yes (h)    -           -        Yes (h)

  (a) This does not apply to clustered print environments.
  (b) None of these permissions grants this task; print server security can be configured only by members of the Administrators group.
  (c) Yes, when the drivers are already installed.
  (d) Yes, but only the queue they have permissions for.
  (e) Yes, but locally only. The user must be a member of the Administrators group to add drivers (including remotely) to the print server.
  (f) Yes, but only for drivers (not driver packages).
  (g) A user who is assigned Manage Printers, but not Manage Server, permissions can add a form when AllowUserManageForms is set in the Windows registry to a non-zero value. A user can add forms up to the number specified by AllowUserManageForms, and can add and delete user forms only. A user with SERVER_ACCESS_ADMINISTER permission can add and delete printer forms and user forms with no limitations.
  (h) Yes, if you have Manage Printers permission on the print server and the File and Printer Sharing exceptions have been enabled in Windows Firewall with Advanced Security.

Designing and creating print security groups

Following is a list of suggested print security groups and their associated permissions:

  • System Administrators Group: Consists of members of the Administrators security group.

  • Print Administrators Group: Consists of members of the System Administrators group and users who have been assigned some set of delegated print administrator rights. Depending on what rights you assign, members of this group may be considered full delegated administrators or partial delegated administrators.

Note

If you want to limit the ability of members of the Administrators group to perform print management tasks, add members to these print security groups individually instead of adding whole groups, and then assign the proper permissions.

The following table demonstrates which actions can be performed depending on the permissions assigned:

  Column key:
    SU  Standard Users: can connect to printers and print their documents
        (Permissions: Print, View Server)
    PA  Partial Delegated Administrators: can add printers
        (Permissions: Print, View Server, Manage Server)
    PM  Partial Delegated Administrators: can manage existing queues
        (Permissions: Print, View Server, Manage Printers, Manage Documents)
    FD  Full Delegated Administrators: can perform all administrative print tasks
        (Permissions: Print, Manage Documents, Manage Printers, View Server, Manage Server)
    SA  System Administrators: can fully administer the system
        (Permissions: Print, Manage Documents, Manage Printers, View Server, Manage Server)

  Task                                                                         SU    PA    PM    FD    SA
  View the print queue on the local server                                     Yes   Yes   Yes   Yes   Yes
  Print to the queue                                                           Yes   Yes   Yes   Yes   Yes
  View, pause, restart, or cancel print jobs owned by the user in a queue      Yes   Yes   Yes   Yes   Yes
  Modify all print jobs in a queue                                             -     -     Yes   Yes   Yes
  Update an installed or included driver to an existing queue                  -     -     Yes   Yes   Yes
  Add or delete a form in the queue                                            -     -     Yes   Yes   Yes
  View the printer properties                                                  Yes   Yes   Yes   Yes   Yes
  View the print server properties                                             Yes   Yes   Yes   Yes   Yes
  Manage security permissions on the print queue                               -     -     Yes   Yes   Yes
  Manage the print server security descriptor (setServerSecurityDescriptor flag)  -  -     -     -     Yes
  Add and delete the print queue on a server                                   -     (1)   (2)   (1)   Yes
  Add and delete a print driver on a server                                    -     (3)   -     (3)   Yes
  Add, delete, and configure ports on a print server                           -     Yes   -     Yes   Yes
  Add and delete a form on a print server                                      -     Yes   -     Yes   Yes
  Share the printer                                                            -     (4)   (4)   (4)   Yes

  (1) Yes, but you can add a printer using only a preinstalled driver.
  (2) Yes, but you can only delete the print queue, using the Manage Printers permission.
  (3) Yes, but locally only. The user must be a member of the Administrators group to add non-included drivers or to add drivers remotely to the print server.
  (4) Yes, if you have Manage Printers permission on the print server and the File and Printer Sharing exceptions have been enabled in Windows Firewall with Advanced Security.
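As an added example (not part of this Microsoft document), the following Python script resolves the explicit ACEs of a print server ACL into the five Security-tab permissions and classifies each trustee against the role definitions in the table above, flagging anything that matches none of them. It assumes the winspool.h access-mask constants (SERVER_ACCESS_ADMINISTER and the others) as the bits behind the permission names, does not expand group membership, and works on a constructed sample ACL.

```python
# Added example, not from this Microsoft document: resolve explicit print-server ACEs into the
# five Security-tab permissions (using the winspool.h access bits) and map each trustee onto the
# roles in the table above. Group membership is not expanded; SAMPLE_ACL is constructed data.
SERVER_ACCESS_ADMINISTER = 0x0001   # Manage Server
SERVER_ACCESS_ENUMERATE = 0x0002    # View Server
PRINTER_ACCESS_ADMINISTER = 0x0004  # Manage Printers
PRINTER_ACCESS_USE = 0x0008         # Print
JOB_ACCESS_ADMINISTER = 0x0010      # Manage Documents

PERMISSION_BITS = {"Print": PRINTER_ACCESS_USE, "Manage Documents": JOB_ACCESS_ADMINISTER,
                   "Manage Printers": PRINTER_ACCESS_ADMINISTER,
                   "View Server": SERVER_ACCESS_ENUMERATE, "Manage Server": SERVER_ACCESS_ADMINISTER}

ROLES = [  # role definitions from the table's column headers, most privileged first
    ("Full delegated administrator", set(PERMISSION_BITS)),
    ("Partial delegated administrator (add printers)", {"Print", "View Server", "Manage Server"}),
    ("Partial delegated administrator (manage queues)", {"Print", "View Server", "Manage Printers", "Manage Documents"}),
    ("Standard user", {"Print", "View Server"}),
]

def effective_permissions(aces, trustee):
    """Resolve (trustee, "Allow"/"Deny", mask) ACEs for one trustee; a denied bit always wins."""
    allowed = denied = 0
    for ace_trustee, ace_type, mask in aces:
        if ace_trustee == trustee:
            allowed |= mask if ace_type == "Allow" else 0
            denied |= mask if ace_type == "Deny" else 0
    granted = allowed & ~denied
    if granted & SERVER_ACCESS_ADMINISTER:  # Manage Server always carries View Server with it
        granted |= SERVER_ACCESS_ENUMERATE
    return {name for name, bit in PERMISSION_BITS.items() if granted & bit}

def classify(permissions):
    """Most privileged role whose permission set is fully covered; anything else needs review."""
    for role, required in ROLES:
        if required <= permissions:
            return role
    return "Non-standard permission set"

def audit(aces):
    """Trustee -> role for the whole ACL; compare Manage Server holders with the approved delegate list."""
    return {t: classify(effective_permissions(aces, t)) for t in sorted({a[0] for a in aces})}

SAMPLE_ACL = [  # constructed sample data, not taken from a real server
    ("Everyone", "Allow", PRINTER_ACCESS_USE | SERVER_ACCESS_ENUMERATE),
    ("CONTOSO\\PrintOps", "Allow", PRINTER_ACCESS_USE | SERVER_ACCESS_ADMINISTER),
    ("CONTOSO\\HelpDesk", "Allow", 0x1E),                       # Print, Manage Documents, Manage Printers, View Server
    ("CONTOSO\\Contractor", "Allow", 0x1F),                     # all five permissions granted ...
    ("CONTOSO\\Contractor", "Deny", SERVER_ACCESS_ADMINISTER),  # ... but Manage Server explicitly denied
]
```

Running audit(SAMPLE_ACL) reports PrintOps as a partial delegated administrator who can add printers, and the Contractor, despite the broad allow ACE, as able to manage queues only, because the deny ACE removes Manage Server.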

Note

We recommend that only a member of the System Administrators group install drivers. If a delegated print administrator plans to remotely add or manage queues, the System Administrator should first install the driver, either by using scripts (for example, the Prndrvr command) or manually, to the following directory (where systemdrive and processor_architecture stand for the system drive and the processor architecture of the server):

systemdrive\Windows\System32\spool\drivers\processor_architecture\3