My school's network is based on Active Directory on Windows Server 2003 servers. Most of the computers in the school are members of the domain. However, we also acquired a passel of netbooks that are running Windows XP Home (as netbooks tend to), and we're trying to make those useful. The netbooks are made available to students by check-out, so none of them are dedicated to a specific user.
I only want to allow the netbooks to do two significant network activities: to access the Internet (this is working acceptably well so far), and to print to one or more printers on the network.
That second one is where trouble starts.
I'm trying to find a way to allow the XP Home clients to access those Active Directory printers. All the solutions that I can come up with right now are expensive, ugly, or both - for example, changing the OS on the netbooks (even with imaging, that would take a lot of my time) or making sure that the user account on each netbook has a matching account in Active Directory with permissions for printing (invites security/maintainability disaster).
Are there any elegant solutions? Failing that, what's the best ugly solution for allowing my students to print from the netbooks?
There is no "elegant" solution to this dilemma, which has been tiresome for a long time. It's a problem for any non-domain computer that you might want to give printing access, including Macs and *nix as well as XP Home and XP Pro not in the domain.
1- If the printers are on standalone or internal print servers (i.e. HP JetDirect), then you can manually install the printer and point to the printer IP address, bypassing the server print queue. This is the typical workaround for foreign computers.
2- If the users have domain accounts they can manually connect to the server (using \server.domain) and map any printer they have permission to use. They will likely have to manually connect each time they want to print. You can put an icon on the desktop and it should prompt for domain credentials. You may have to do some user training.
3- Setting the sharing permissions on the server for the printers to allow everyone and anonymous to print to the printer should also work, but I don't think the driver install from the server can happen without an authenticated account. You may need to enable the local "guest" account on the server, which some might consider a risk.
You might consider using something like a dedicated print server (you could use Samba if you wanted to keep the cost down on the server OS) with an open "guest" access (like tomjedrz mentioned in his "option 3") and connections to all of the printers the students needed access to. You could put this in a DMZ / public VLAN and allow access to the various print server devices through your firewall for this machine only.
It's not the prettiest thing in the world, from a maintenance perspecitve, but it would keep the students from needing unhindered network access to use the printers, and wouldn't require authentication from the clients to access the printers.
I work for a school system and we have run in to this problem. Students bring laptops from home and they are running the home/consumer versions of Windows. We used to help them add printers by IP number. But now we have put all our printers on an OSX print server. It can share them out using Bonjour, we just give the Windows users this link: http://support.apple.com/kb/dl999 The students can add/remove/switch printers on their own. We did the same thing when we recently hosted a conference, the attendees were able to connect to the printers in the public areas and we turned off Bonjour advertising at the print server for the printers in private spaces.
Note: you do not need an OSX print server to use Bonjour. Most modern printers have it built in although doing it this way - folks will be printing straight to the printers and bypassing the print server.