
Assigning printers

GeekDrew

Diamond Member
Is there a way, under Windows 2000, to assign printers to specific machines in a domain? The problem is, some students are printing inappropriate messages to our printers, via IP, instead of via the domain, so they aren't being logged. We need to find a way to assign the printer for the domain to all of the machines, and then prohibit changing printer settings.

Is there any good way to do this?

Thanks!

Andrew
 
I think the situation is a bit more complex than that. Yes, there are ways to assign printers to workstations through Active Directory GPOs, but that won't stop your students from bypassing the entire AD and printing directly to the IP address of the printer (using LPR).

Probably the easiest way to accomplish some improvement is the following trick (providing there is NO router between the server and your printer(s)): go to the network properties of your Win2K server and add a secondary IP address from a different IP subnet to the existing interface. Make sure that IP routing is disabled on the server and that you are using a subnet that is not routed anywhere else in your network.

Now assign IP addresses in this new subnet to all printers, and redefine the LPR ports on the server so that it "sees" the printers again.
The end result is that the server can still communicate with the printers, but that any workstation that gets a regular DHCP IP address won't be able to talk directly to the printer using LPR because they are on different subnets with no routing between them.

Naturally this fix will not stop a determined student, it only ensures that such a student will now have to decide between network connectivity (server, internet proxy, ...) or messing with your printers (by manually setting his/her pc to an IP address in the printer's subnet). It should mean a substantial decrease of the abuse though...

Remark: locking down the workstations so that mere users do not have the right to create local printers would produce the same result, but you would not have this problem if you could lock down the pc's so I am assuming that this is not an option
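
A way to sanity-check the addressing plan described in the post above before the printers are re-addressed, added here as an example and not part of the original thread: it checks that each printer is on-link only for the print server, and lists hosts that have manually taken an address in the printer subnet. All addresses, host names and function names are constructed for illustration.

```python
import ipaddress

def on_link(iface_cidrs, dest_ip):
    """True if dest_ip is inside a subnet the host is directly attached to."""
    dest = ipaddress.ip_address(dest_ip)
    return any(dest in ipaddress.ip_interface(c).network for c in iface_cidrs)

def audit_plan(server_ifaces, printers, workstation_nets, routed_nets):
    """Return findings; an empty list means only the server can reach the printers."""
    findings = []
    for name, ip in printers.items():
        addr = ipaddress.ip_address(ip)
        if not on_link(server_ifaces, ip):
            findings.append(f"{name}: print server has no interface in its subnet")
        for net in map(ipaddress.ip_network, workstation_nets):
            if addr in net:
                findings.append(f"{name}: still inside workstation subnet {net}")
        for net in map(ipaddress.ip_network, routed_nets):
            if addr in net:
                findings.append(f"{name}: {net} is routed, clients can reach it")
    return findings

def rogue_hosts(observed, printer_net, allowed_ips):
    """Hosts holding a printer-subnet address that are not the server or a printer."""
    net = ipaddress.ip_network(printer_net)
    return sorted(host for host, ip in observed.items()
                  if ipaddress.ip_address(ip) in net and ip not in allowed_ips)

# Constructed sample data (assumed values, not taken from the thread).
SERVER_IFACES = ["192.168.1.10/24", "10.99.0.1/24"]   # primary + secondary address
WORKSTATION_NETS = ["192.168.1.0/24"]                 # DHCP scope for the PCs
ROUTED_NETS = ["192.168.1.0/24", "192.168.2.0/24"]    # subnets a router forwards
PRINTERS = {"lab-laser": "10.99.0.20",                # already moved
            "library-laser": "192.168.1.50"}          # not moved yet
# Host-to-address pairs as an admin might collect them from the server's ARP cache.
OBSERVED = {"PRINTSRV": "10.99.0.1", "lab-laser": "10.99.0.20",
            "PC-LAB-03": "192.168.1.113", "PC-LAB-07": "10.99.0.77"}

if __name__ == "__main__":
    for finding in audit_plan(SERVER_IFACES, PRINTERS, WORKSTATION_NETS, ROUTED_NETS):
        print(finding)
    allowed = {"10.99.0.1", "10.99.0.20"}
    print("manually re-addressed hosts:", rogue_hosts(OBSERVED, "10.99.0.0/24", allowed))
```
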
 
We can lock them down in the sense that we can prohibit adding new printers... however, is there a way to 'push' printers out to workstations (install them remotely), so that we don't have to visit each one? I can then change the printer IPs, and that will eliminate printing via IP via printers that are already installed.
 
2 answers :

1) if all your workstations are Win2K or XP then yes you can push the printer settings through Group Policy Objects. Find any type of courseware on AD or buy any random Win2k book and this will be explained in sufficient detail. On NT4 boxes you can still do this, but it'll be a bit more tricky: through the login script (Kixtart for example) you can connect the network printers, provided the user DOES have the right to connect a network printer but NOT to create a local printer.

2) if your "normal" users are already printing via the server, then implementing my first suggestion will not "break" their printer setup. (The link from the workstation to the server remains unchanged, only the LPR port defined on the server changes). Those pc's that currently use local printers & print to the lpr port of the printer can already be called "rogue" so why worry if that setting all of a sudden fails? The same printer will still be working the way it should be, i.e. through the server as a network printer; only the unauthorized connection to it will fail.

 
Originally posted by: EricT
2 answers : 1) if all your workstations are Win2K or XP then yes you can push the printer settings through Group Policy Objects. Find any type of courseware on AD or buy any random Win2k book and this will be explained in sufficient detail. On NT4 boxes you can still do this, but it'll be a bit more tricky: through the login script (Kixtart for example) you can connect the network printers, provided the user DOES have the right to connect a network printer but NOT to create a local printer.

OK... I've been looking for some Active Directory info... I know most of what it does, and I have used group policy objects before, but the right option must be escaping me. I'll have to research it further. All of the clients are either Win2k or WinXP.

2) if your "normal" users are already printing via the server, then implementing my first suggestion will not "break" their printer setup. (The link from the workstation to the server remains unchanged, only the LPR port defined on the server changes). Those pc's that currently use local printers & print to the lpr port of the printer can already be called "rogue" so why worry if that setting all of a sudden fails? The same printer will still be working the way it should be, i.e. through the server as a network printer; only the unauthorized connection to it will fail.

I understood that, and I wanted the 'rogue' printer to fail... that was the goal. Thanks for the clarification anyway.

Andrew
 