I have three servers.
- Server 1 - Print Server, Windows Server 2008 Standard
- Server 2 - Domain Controller, Windows Server 2008 R2 Standard
- Server 3 - Terminal Services Server, Windows Server 2008 R2 Standard
On Server 1 I have 5 printers installed. All printers are TCP/IP printers. One printer should be restricted so that only members of a specified AD group are able to print to it. Therefore, in Print Management, in the Security tab for the restricted printer the AD Security Group RESTRICTED Printers - Authorized Domain Users is given the Print Allow permission. The default Everyone group which has the Print Allow permission has been removed.
The only member of the RESTRICTED Printers - Authorized Domain Users is Domain\TestAllowed.
All 5 printers are installed on Server 3 through a GPO on Server 2 which automatically adds the printers. This works correctly.
I then login to Server 3 as Domain\TestProhibited and try to print to the restricted printer and the page prints.
Why does the page print and what do I need to do to ensure that only members of RESTRICTED Printers - Authorized Domain Users are able to print to the restricted printer?
I have already read (and confirmed that I configured the ACL correctly) Microsoft's TechNet page on setting permissions for print servers.
I went so far as to explicitly deny the Print permission for Domain\TestProhibited on the restricted printer on Server 1. I logged out of Server 3, logged back in, and Domain\TestProhibited was still able to print to the restricted printer.
It seems that it is not enough to change the security permissions for the printer on the print server even though the printer is installed on the Terminal Services Server by shared printer name.
If I log into the Terminal Services Server I see that the security permissions for the printer do not get transferred when the printer is installed using group policy. After I logged into the Terminal Services Server and changed the security permissions for the printer, I logged out and logged back in and now the printer is correctly restricted.
The important point about network printing in Windows is there are two objects for them: the port and the queue.
For your setup, on Server1 you're creating both a port and a queue, and you're setting the ACL for the queue. Then, on Server3 (through the GPO), for some reason, you're apparently creating a new queue using the port for Server1, instead of pointing to the queue on Server1. And as the queue is new, it's not getting the ACL from the queue on Server1!
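A quick way to confirm the port-versus-queue distinction the answer describes, as an added example that is not part of the original question or answer: run the script below on the Terminal Services server. It uses the Win32_Printer and Win32_TCPIPPrinterPort WMI classes, which are available on Server 2008 R2 (the Get-Printer family of cmdlets only arrived with Server 2012), and classifies each printer as either a connection to a shared queue (\\server\share, where the server's ACL is enforced) or a queue that exists on this machine and spools straight to a port (where only this machine's ACL applies, which is why editing permissions locally on Server 3 fixed it). The server name Server1, the share name Restricted and the $ApplyFix switch are placeholders assumed for the example; a Group Policy Preferences "TCP/IP Printer" item, as opposed to a "Shared Printer" item, is one common way a local queue like this ends up being created.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Terminal Services server (Server 3).
# Assumptions: Server1 is the print server, 'Restricted' is the share name of
# the restricted queue. Set $ApplyFix to $true only after reviewing the table.

$PrintServer = 'Server1'      # assumption
$RestrictedQ = 'Restricted'   # assumption
$ApplyFix    = $false

# Map each TCP/IP port name to the device address it really sends jobs to.
$ports = @{}
Get-WmiObject Win32_TCPIPPrinterPort | ForEach-Object { $ports[$_.Name] = $_.HostAddress }

Get-WmiObject Win32_Printer | ForEach-Object {
    $p = $_
    if ($p.Network) {
        # Connection to a shared queue: jobs go to the server's spooler, so the
        # ACL on the server's queue is the one that is checked.
        $kind   = 'Connection to shared queue (server ACL applies)'
        $target = $p.Name                      # e.g. \\Server1\Restricted
    } else {
        # Queue created on this machine with its own ACL; if its port is a
        # TCP/IP port the print server is never consulted for permissions.
        $kind   = 'Local queue (this machine ACL applies)'
        if ($ports.ContainsKey($p.PortName)) { $target = $ports[$p.PortName] } else { $target = $p.PortName }
    }
    New-Object PSObject -Property @{ Name = $p.Name; Kind = $kind; Target = $target }
} | Select-Object Name, Kind, Target | Format-Table -AutoSize

if ($ApplyFix) {
    # Replace a locally created queue with a per-machine connection to the
    # server's shared queue so every TS user hits the server-side ACL.
    $local = Get-WmiObject Win32_Printer -Filter "Name='$RestrictedQ' AND Network=FALSE"
    if ($local) { $local.Delete() }
    # /ga adds a per-machine printer connection; the spooler must be restarted
    # before it shows up for users.
    rundll32 printui.dll,PrintUIEntry /ga /n "\\$PrintServer\$RestrictedQ"
    Restart-Service Spooler
}
```

If the restricted printer shows up as a local queue whose Target is the device's IP address, that is the queue the GPO created, and its Everyone/Print entry is what allowed Domain\TestProhibited to print. Setting the ACL on that local queue works, as the question's update found, but it has to be repeated on every machine that gets such a queue. The caveat worth keeping in mind is that a print-server ACL only governs the server's shared queue: anyone who can reach the printer's own TCP/IP port can still create their own queue and print directly, so if the restriction has to hold against that, the device itself should be configured or firewalled to accept jobs only from the print server.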