Assigning printer permissions
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When a printer is installed on a network, default printer permissions are assigned that allow all users to print, and allow select groups to manage the printer, the documents sent to it, or both. Because the printer is available to all users on the network, you might want to limit access for some users by assigning specific printer permissions. For example, you could give all nonadministrative users in a department the Print permission and give all managers the Print and Manage Documents permissions. In this way, all users and managers can print documents, but managers can also change the print status of any document sent to the printer.
Windows provides three levels of printing security permissions: Print, Manage Printers, and Manage Documents. When multiple permissions are assigned to a group of users, the least restrictive permissions apply. However, when Deny is applied, it takes precedence over any permission. The following is a brief explanation of the types of tasks a user can perform at each permission level.
Print
The user can connect to a printer and send documents to the printer. By default, the Print permission is assigned to all members of the Everyone group.
Manage Printers
The user can perform the tasks associated with the Print permission and has complete administrative control of the printer. The user can pause and restart the printer, change spooler settings, share a printer, adjust printer permissions, and change printer properties. By default, the Manage Printers permission is assigned to members of the Administrators and Power Users groups.
By default, members of the Administrators and Power Users groups have full access, which means that the users are assigned the Print, Manage Documents, and Manage Printers permissions.
Manage Documents
The user can pause, resume, restart, cancel, and rearrange the order of documents submitted by all other users. The user cannot, however, send documents to the printer or control the status of the printer. By default, the Manage Documents permission is assigned to members of the Creator Owner group.
When a user is assigned the Manage Documents permission, the user cannot access existing documents currently waiting to print. The permission will only apply to documents sent to the printer after the permission is assigned to the user.
Deny
All of the preceding permissions are denied for the printer. When access is denied, the user cannot use or manage the printer or adjust any of the permissions.
Printing permissions assigned to groups
Windows assigns printer permissions to six groups of users. These groups include Administrators, Creator Owner, Everyone, Power Users, Print Operators, and Server Operators. By default, each group is assigned a combination of the Print, Manage Documents, and Manage Printers permissions as shown in the following table.
Group | Print | Manage Documents | Manage Printers
---|---|---|---
Administrators | X | X | X
Creator Owner | | X |
Everyone | X | |
Power Users | X | X | X
Print Operators | X | X | X
Server Operators | X | X | X
The Print Operators and Server Operators groups are located only on domain controllers.
Members of this group can manage, create, share, and delete printers and print queues. Members of this group can load and unload device drivers on the server. Users who can load and unload device drivers also have the ability to load malicious code on the server. As a security best practice, only add trusted users to this group.
Each permission consists of a group of special rights that allow the user to perform specific tasks. The following table summarizes the level of access associated with each of the printing security permissions.
Tasks permitted | Print | Manage Documents (applies to documents only) | Manage Printers
---|---|---|---
Print | X | | X
Manage Printers | | | X
Manage Documents | | X |
Read Permissions | X | X | X
Change Permissions | | X | X
Take Ownership | | X | X
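The following added example (not part of the original documentation, and not Windows code) models the rules above so a print server's group memberships can be reviewed for users who end up with administrative rights: Allow entries combine so the least restrictive applies, and Deny overrides everything. The user names, the Contractors group, and the function names are hypothetical; the group defaults and special rights are taken from the two tables.

```python
# Added example: a model of the rules on this page, not Windows code.
# Special rights behind each permission level (second table above).
# Manage Documents rights apply to documents only, not to the printer.
RIGHTS = {
    "Print": {"Print", "Read Permissions"},
    "Manage Documents": {"Manage Documents", "Read Permissions",
                         "Change Permissions", "Take Ownership"},
    "Manage Printers": {"Print", "Manage Printers", "Read Permissions",
                        "Change Permissions", "Take Ownership"},
}
FULL = ("Print", "Manage Documents", "Manage Printers")

# Default Allow entries per group (first table above).
DEFAULT_ACL = {
    "Administrators": FULL, "Power Users": FULL,
    "Print Operators": FULL, "Server Operators": FULL,
    "Creator Owner": ("Manage Documents",),
    "Everyone": ("Print",),
}

# Rights that let a user reconfigure the printer or rewrite its permissions.
SENSITIVE = {"Manage Printers", "Change Permissions", "Take Ownership"}

def effective_rights(groups, acl=DEFAULT_ACL, denied=()):
    """Special rights a user holds through the given group memberships.

    Allow entries from every group are combined (least restrictive wins).
    A Deny on any one of the user's groups overrides all Allow entries.
    """
    if set(denied) & set(groups):
        return set()
    rights = set()
    for group in groups:
        for level in acl.get(group, ()):
            rights |= RIGHTS[level]
    return rights

def audit(members, acl=DEFAULT_ACL, denied=()):
    """Map each user holding a sensitive right to the sorted list of them."""
    report = {}
    for user, groups in members.items():
        held = effective_rights(groups, acl, denied) & SENSITIVE
        if held:
            report[user] = sorted(held)
    return report

# Constructed sample memberships (hypothetical users and Contractors group).
SAMPLE_MEMBERS = {
    "alice": ["Everyone"],
    "bob": ["Everyone", "Print Operators"],
    "carol": ["Everyone", "Power Users", "Contractors"],
}
```

Calling `audit(SAMPLE_MEMBERS, denied={"Contractors"})` reports only bob: alice holds nothing beyond Print, and carol's Power Users membership is cancelled by the Deny on Contractors.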
For more information, see Set Group Policy for printers.