[windows2000] Re: Printing Permissions Strategy

  • From: "Jason Fiegel" <jason@xxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Tue, 15 Oct 2002 18:37:20 -0400

This does help -- and some of the dialogue helps bring to the forefront the
real issue here.

I have users that are not "maliciously" connecting to incorrect printers;
rather, I have users that are switching their own defaults, logging onto PCs
without a NIC\LAN Connection...not onto the Domain....not getting a script.

Point is -- if they can "accidentally" do something, they will.

So my directive is to enforce security policy that provides for users who
move -- literally be in any of four sites in one day -- to NOT BE ALLOWED
(through permission) to print to a location not physically close to
themselves.

Yes, we are fully subnetted; I can assign scripts, mappings per site.  My
concern is "disallowing" printing in all other sites.

I've considered:
(1) A logon script that would add a user to a Group permitted to print to a
given printer (based upon a hash of the IP Address); and a partnering logoff
script to remove the authorization.

(2) Filtering either via IP or Packet traffic destined for a printer.

I'm not happy with either solution because of the implications of
implementation.

Any other thoughts?
----- Original Message -----
From: "Alfonso Lopez de Ayala" <alopezdeayala@xxxxxxxxxxxx>
To: <windows2000@xxxxxxxxxxxxx>
Sent: Tuesday, October 15, 2002 6:12 PM
Subject: [windows2000] Re: Printing Permissions Strategy


>
> The way I do it is:
>  - Printers are published in Active Directory (AD)
>  - Each AD Site has a Group Policy Object (GPO) that assigns a logon
> script
>  - The logon script connects the user to (only) the closest printer(s)
>
> Note: since the sites have multiple floors, the logon script on each
> site actually connects to the closest printer(s) depending on the
> specific computer name the user is logging on to.
>
> Caveat: while this prevents ACCIDENTAL printing to a remote printer it
> does not prevent the user from INTENTIONALLY connecting to those printers
> manually thru the Control Panel (but the user's ability to do this could
> easily be restricted as well thru Group Policy if wanted).
>
> Hope this helps!
>
> Alfonso
>
> -----Original Message-----
> From: windows2000-bounce@xxxxxxxxxxxxx
> [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Reese
> Sent: Tuesday, October 15, 2002 2:11 PM
> To: windows2000@xxxxxxxxxxxxx
> Subject: [windows2000] Re: Printing Permissions Strategy
>
>
> I use kix to do something similar for users but the difference is that
> they do not move around on me.  The process is driven by Windows group
> membership. If they are a member of a group, then they get certain printers
> created, if they are a member of a different group, they get different
> printers.
>
> If your WAN has different subnets, you might be able to do the same
> thing based on what the client IP address is.  That way they only get
> the printers on that subnet.  I think Kix will let you do this but I
> have never done it myself.
>
> They would still be able to manually add and use a different printer if
> they know how to get to it but this would stop a whoops from happening
> to the wrong location.
>
> I hope that makes sense.  I can help you with the printer creation and
> defaulting in Kix if someone else knows how to check the IP address.
>
> more info at www.kix.org
>
> Greg
>
> -----Original Message-----
> From: Jason Fiegel [mailto:jason@xxxxxxxxxxxxx]
> Sent: Tuesday, October 15, 2002 3:40 PM
> To: windows2000@xxxxxxxxxxxxx
> Cc: Jason S. Fiegel
> Subject: [windows2000] Printing Permissions Strategy
>
>
>
> I am in the middle of a conundrum that stretches my abilities and
> understanding of Windows 2000 Security Structures.
>
> I run a 6 site Windows 2000 Native Mode environment.  All sites are WAN
> linked, and have at least their own Domain Controller -- we are currently
> (and intend to continue to be) running a single Domain.
>
> I have a request from a high level executive to "secure" printers and
> printing.
> While all users are mobile with laptops and between sites, the goal is to
> limit users to the following:
>
> "Any User MAY ONLY print where he is *currently* sitting."
>
> I have entertained various solutions -- including scripting for permissions
> and printer packet filtering.
>
> Can any of you offer thoughts on the best solution?
> The goal, of course, is to restrict accidental printing of sensitive
> documents to remote printers.
>
> Many thanks.
> Jfiegel


==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
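
The subnet-driven logon mapping discussed in this thread, as an added example that is not part of the thread and not any poster's script. It is written in PowerShell for current Windows clients rather than KiXtart, and the subnets, print server names and queue names are constructed placeholders. When the client address matches no site, no printer connection is kept.

```powershell
# Added example (not from the thread). Subnets, servers and queues are constructed placeholders.
$SitePrinters = [ordered]@{
    '10.10.0.0/16' = @('\\PRN-SITE1\Floor1-Laser', '\\PRN-SITE1\Floor2-Laser')
    '10.20.0.0/16' = @('\\PRN-SITE2\Lobby-Laser')
}

function Test-InSubnet {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # Number of prefix bits that fall inside octet $i (0..8)
        $bits = [Math]::Min(8, [Math]::Max(0, [int]$prefix - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

function Get-AllowedPrinters {
    param([string[]]$Addresses)
    foreach ($cidr in $SitePrinters.Keys) {
        foreach ($ip in $Addresses) {
            if (Test-InSubnet -Address $ip -Cidr $cidr) { return $SitePrinters[$cidr] }
        }
    }
    return @()   # no site matched: allow nothing
}

# Client IPv4 addresses, ignoring loopback and APIPA (no DHCP lease)
$addresses = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress)
$allowed = @(Get-AllowedPrinters -Addresses $addresses)

# Drop per-user connections to printers outside the current site
Get-Printer | Where-Object { $_.Type -eq 'Connection' -and $allowed -notcontains $_.Name } |
    ForEach-Object { Remove-Printer -Name $_.Name }

# Connect the current site's printers that are not already present
$present = @(Get-Printer | Select-Object -ExpandProperty Name)
foreach ($queue in $allowed) {
    if ($present -notcontains $queue) { Add-Printer -ConnectionName $queue }
}
```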
