This does help -- and some of the dialogue helps bring to the forefront the real issue here.

I have users that are not "maliciously" connecting to incorrect printers; rather, I have users that are switching their own defaults, logging onto PCs without a NIC\LAN Connection...not onto the Domain....not getting a script. Point is -- if they can "accidentally" do something, they will.

So my directive is to enforce security policy that provides for users who move -- literally be in any of four sites in one day -- to NOT BE ALLOWED (through permission) to print to a location not physically close to themselves.

Yes, we are fully subnetted; I can assign scripts, mappings per site. My concern is "disallowing" printing in all other sites.

I've considered:
(1) A logon script that would add a user to a Group permitted to print to a given printer (based upon a hash of the IP Address); and a partnering logoff script to remove the authorization.
(2) Filtering either via IP or Packet traffic destined for a printer.

I'm not happy with either solution because of the implications of implementation.

Any other thoughts?

----- Original Message -----
From: "Alfonso Lopez de Ayala" <alopezdeayala@xxxxxxxxxxxx>
To: <windows2000@xxxxxxxxxxxxx>
Sent: Tuesday, October 15, 2002 6:12 PM
Subject: [windows2000] Re: Printing Permissions Strategy

> The way I do it is:
> - Printers are published in Active Directory (AD)
> - Each AD Site has a Group Policy Object (GPO) that assigns a logon script
> - The logon script connects the user to (only) the closest printer(s)
>
> Note: since the sites have multiple floors, the logon script on each
> site actually connects to the closest printer(s) depending on the
> specific computer name the user is logging on to.
>
> Caveat: while this prevents ACCIDENTAL printing to a remote printer it
> does not prevent the user from INTENTIONALLY connecting to those printers
> manually thru the Control Panel (but the user's ability to do this could
> easily be restricted as well thru Group Policy if wanted).
>
> Hope this helps!
>
> Alfonso
>
> -----Original Message-----
> From: windows2000-bounce@xxxxxxxxxxxxx
> [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Reese
> Sent: Tuesday, October 15, 2002 2:11 PM
> To: windows2000@xxxxxxxxxxxxx
> Subject: [windows2000] Re: Printing Permissions Strategy
>
> I use kix to do something similar for users but the difference is that
> they do not move around on me. The process is driven by Windows group
> membership. If they are a member of a group, then get certain printers
> created, if they are a member of a different group, they get different
> printers.
>
> If your WAN has different subnets, you might be able to do the same
> thing based on what the client IP address is. That way they only get
> the printers on that subnet. I think Kix will let you do this but I
> have never done it myself.
>
> They would still be able to manually add and use a different printer if
> they know how to get to it but this would stop a whoops from happening
> to the wrong location.
>
> I hope that makes sense. I can help you with the printer creation and
> defaulting in Kix if someone else knows how to check the IP address.
>
> more info at www.kix.org
>
> Greg
>
> -----Original Message-----
> From: Jason Fiegel [mailto:jason@xxxxxxxxxxxxx]
> Sent: Tuesday, October 15, 2002 3:40 PM
> To: windows2000@xxxxxxxxxxxxx
> Cc: Jason S. Fiegel
> Subject: [windows2000] Printing Permissions Strategy
>
> I am in the middle of a conundrum that stretches my abilities and
> understanding of Windows 2000 Security Structures.
>
> I run a 6 site Windows 2000 Native Mode environment. All sites are WAN
> linked, and have at least their own Domain Controller -- we are currently
> (and intend to continue to be) running a single Domain.
>
> I have a request from a high level executive to "secure" printers and
> printing.
> While all users are mobile with laptops and between sites, the goal is to
> limit users to the following:
>
> "Any User MAY ONLY print where he is *currently* sitting."
>
> I have entertained various solutions -- including scripting for permissions
> and printer packet filtering.
>
> Can any of you offer thoughts on the best solution?
> The goal, of course, is to restrict accidental printing of sensitive
> documents to remote printers.
>
> Many thanks.
> Jfiegel

==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm
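
The subnet-driven logon script discussed in this thread, sketched in PowerShell as an added example that is not code from any of the posters. The subnets and print share names are constructed placeholders, and the `Get-Printer`/`Add-Printer`/`Remove-Printer` cmdlets assume a client with the PrintManagement module (Windows 8 / Server 2012 or later).

```powershell
# Constructed site table: subnets and print shares are placeholders, not values from the thread.
$SiteTable = @(
    @{ Subnet = '10.1.0.0/16'; Printers = @('\\PRINTSRV1\Site1-Floor1', '\\PRINTSRV1\Site1-Floor2') },
    @{ Subnet = '10.2.0.0/16'; Printers = @('\\PRINTSRV2\Site2-Main') }
)

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)     # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $network, $bits = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$bits)   # addresses per block of this prefix length
    [math]::Floor((ConvertTo-UInt32 $Ip) / $blockSize) -eq
        [math]::Floor((ConvertTo-UInt32 $network) / $blockSize)
}

function Get-AllowedPrinters ([string[]]$ClientIps) {
    foreach ($site in $SiteTable) {
        foreach ($ip in $ClientIps) {
            if (Test-InSubnet $ip $site.Subnet) { return $site.Printers }
        }
    }
    return @()    # off-network or unknown subnet: no printers are mapped
}

# IPv4 addresses currently bound to this machine.
$ips = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
$allowed = @(Get-AllowedPrinters $ips)

# Drop network printer connections left over from another site; local printers are untouched.
Get-Printer | Where-Object { $_.Type -eq 'Connection' -and $_.Name -notin $allowed } |
    Remove-Printer

foreach ($p in $allowed) {
    if (-not (Get-Printer -Name $p -ErrorAction SilentlyContinue)) { Add-Printer -ConnectionName $p }
}
if ($allowed.Count -gt 0) {
    # Reset the default so a default chosen at a previous site does not carry over.
    (New-Object -ComObject WScript.Network).SetDefaultPrinter($allowed[0])
}
```

As the caveat in the thread says, a script like this only controls which printers are connected at logon; it does not stop a user from manually connecting to a remote printer, and it does not run at all for a logon made off the domain.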