Hi Joshi Omkar,
I’m following up to check whether the issue has been resolved. Feel free to reply if you need further information. If the information provided was helpful, please click "Accept Answer" to help others in the community. Thank you!
I want to disable Print Spooler service from our Windows AD DC server
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 38%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJO%3C/text%3E%3C/svg%3E)
Joshi Omkar
0
Reputation points
We are planning to stop the Print Spooler service from our AD DC server can you tell me I can do it using steps below or need different approach?
- Sign in on the Domain Controller
- Open Group Policy Management
- Right-click on the Domain Controllers OU
- Select Create a GPO in this domain, and Link it here…
- Name the GPO DisablePrintSpoolerService and click OK
- Right-click on the GPO and click Edit
- Navigate to Computer Configuration > Windows Settings > Security Settings > System Services
- Double-click on Print Spooler
- Select Define this policy setting
- Select Disabled
- Click OK
- Start Command Prompt on the Domain Controller
- Run the command below to apply the changes immediately
To summarize I will create a new GPO and configure it to disable Print Spooler service and assign it to Domain Controller OU.
Windows for business | Windows Server | Directory services | Deploy group policy objects
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 90%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Shinde Dnyaneshwar Bajirao 90 Reputation points2026-04-13T05:53:41.77+00:00 Completely disables the service (best if not needed)
- Log in to the Domain Controller
- Open Group Policy Management
- Right-click Domain Controllers OU → Create a new GPO
- Edit the GPO
- Go to: Computer Configuration → Windows Settings → Security Settings → System Services
- Open Print Spooler
- Set it to Disabled
- Then Run This Command
- gpupdate /force net stop spooler
Also configure this setting: (Service runs, but no remote access allowed)
- Go to: Computer Configuration → Administrative Templates → Printers
- Open Allow Print Spooler to accept client connections
- Set it to Disabled
Sign in to comment
3 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 86%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
Jason Nguyen Tran 19,225 Reputation points Independent Advisor2026-04-26T00:42:59.0866667+00:00 -
Jason Nguyen Tran 19,225 Reputation points Independent Advisor
2026-04-13T06:02:53.2733333+00:00 Hi Joshi Omkar,
The approach you described, creating a dedicated GPO linked to the Domain Controllers OU and configuring the Print Spooler service to be disabled, is indeed the recommended way to enforce this across all domain controllers. Doing it via Group Policy ensures consistency and avoids having to manually stop the service on each DC, which can be error‑prone.
A couple of points to keep in mind: first, disabling the Print Spooler service on domain controllers is considered a best practice for security, since it reduces the attack surface (especially against vulnerabilities like PrintNightmare). Second, after applying the GPO, you should run
gpupdate /forceon the domain controllers to make sure the policy takes effect immediately. Third, verify in Services.msc that the Print Spooler is indeed disabled after the policy is applied.One caution: if you have any applications or scripts that rely on the Print Spooler service running on a DC, those will stop working. In most environments, domain controllers should not be handling print jobs, so this is usually safe. If you need printing services, they should be hosted on separate member servers, not on DCs.
In short, your outlined steps are correct, and applying them through Group Policy is the right approach. I hope this gives you confidence to proceed. If you find this answer helpful, please consider clicking Accept Answer so others can benefit too.
Jason.
-
AI answer
2026-04-13T05:15:39.0933333+00:00 The described approach of using a dedicated GPO linked to the Domain Controllers OU to disable the Print Spooler service is valid and aligns with Microsoft security guidance, with a few important considerations.
Summary of the approach:
- Create and link a GPO to the Domain Controllers OU.
- In that GPO, configure the Print Spooler service to be Disabled.
- Apply the GPO so it takes effect on all DCs in that OU.
This matches the recommended mitigation that domain controllers and Active Directory admin systems should have the Print Spooler service disabled, preferably via GPO:
- The security assessment explicitly states that due to exposure risk, domain controllers and AD admin systems need to have the Print Spooler service disabled, and that the recommended way is using a Group Policy Object (GPO).
- It also notes that any server is potentially at risk and that the Print Spooler service should be disabled on all servers that do not require it.
Additional points to verify before and after applying the GPO:
- Check dependencies and workflows
The security guidance stresses reviewing Print Spooler settings, configurations, and dependencies before disabling it, to avoid breaking active printing workflows. - Understand impact on AD print pruning
- On a domain controller, the DC role adds a thread to the spooler service for print pruning (removing stale print queue objects from AD).
- If the spooler service is not running on at least one DC in each site, AD cannot remove old queues that no longer exist.
- If print queue publishing/pruning is still used in the environment, ensure at least one DC per site retains Print Spooler enabled, or accept that stale print queue objects will not be automatically pruned.
- Confirm no conflicting GPOs
- Existing GPOs might configure Print Spooler behavior (for example, allowing the spooler to accept client connections or disabling it as part of other security mitigations).
- Verify that the new GPO’s service setting is not overridden by higher-precedence GPOs.
- Apply and verify
- After creating and linking the GPO, force a policy update on DCs (for example, using
gpupdate /forcefrom an elevated Command Prompt on each DC). - Confirm on each DC that the Print Spooler service is set to Disabled and is Stopped.
- After creating and linking the GPO, force a policy update on DCs (for example, using
If the environment does not rely on DCs for printing or AD print queue publishing/pruning, the described GPO-based method is an appropriate and recommended way to disable the Print Spooler service on domain controllers.
References:
AI-generated content may be incorrect. Read our transparency notes for more information.