Ping a Specific Port

Question

f3tt

Asked: 2013-02-08 13:01:44 +0800 CST2013-02-08 13:01:44 +0800 CST 2013-02-08 13:01:44 +0800 CST

Cross Forest Printers

772

I am trying to set up printers for users, and the print server is in a forest with a trust relationship. Users are all on Windows 7, and the print server is Server 2008 R2 Standard.

DomainA contains the print server DomainB contains the users

When users or admins in DomainB attempt to add printers from the DomainA print server, they get a generic error that says "Windows cannot connect to the printer. Access is denied"

I have added DomainB users to the DomainA printer security w/ print rights, still getting the same error. I've even tried creating a Domain Local group in DomainA, and added users from DomainB, and it still fails whether I'm using a standard user or a domain admin in DomainB.

When adding the printer via IP, it works, but that's not running through the print server and isn't an acceptable solution in our environment.

What do I need to do to get this cross-forest printing working?

Printer Wizard error

ADDITIONAL INFO FROM TESTING: DomainB user is able to browse file shares on the DomainA print server, but adding printers flags the error. DomainB user was able to add certain HP/Brother printers, but Ricoh and Canon printers fail. All the printers they were able to add were printers who's drivers are included by default in Win7. This seems to only occurs when the print driver needs to be downloaded from the print server. Possible share missing or with wrong permissions?

3 Answers

Voted

joeqwerty · Answer 1 · 2013-02-08T14:31:22+08:00

joeqwerty

2013-02-08T14:31:22+08:002013-02-08T14:31:22+08:00

It sounds like the Forest Trust is using Selective Authentication. If so, you need to grant DomainB users the "Allowed to Authenticate" permission on the print server computer object in ADUC in DomainA.

1

MDMarra · Answer 2 · 2013-02-08T17:10:36+08:00

MDMarra

2013-02-08T17:10:36+08:002013-02-08T17:10:36+08:00

Check your GPO gpresult /z or gpresult /h on a failing machine under a failing user account and see if you have any Point and Print restrictions enabled in your Group Policy. If you do, you'll have to add the FQDN of the printer server in the other forest to the list.

1

Mike · Answer 3 · 2014-05-15T01:56:26+08:00

Mike

2014-05-15T01:56:26+08:002014-05-15T01:56:26+08:00

I solved this issue by adding "DomainB\Domain Users" group to the "print$" share permissions on the printer server in DomainA. The DomainB user account can then read the driver folder contents, download and install the driver. The printer can then work as long as the trust is up and running so that the "Everyone" group functions on the printer security.

1

Cross Forest Printers

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?