Prevent users browsing and connecting to printers 1

[pancake]

We are a school, and have students that know how to browse for a printer, and then connect to print. If they are in one room I want them to use the printer in the room they are in only and not be able to go browsing for another.

Is there a way that I can prevent the browsing and connecting ?

If I change the security permissions on the printer share then they cannot ever connect if they change room, this isn't useful, and I have also tried the GPO, but it does not prevent browsing from within applications.

Thanks in advance

 

[porkchopexpress]

1 What client OS are you using?

If you prevent them seeing network neighborhood does this not prevent them browsing the network?

http://www.windowsnetworking.com/nt/registry/rtips108.shtml

2 How are they browsing then network?

 

[pancake]

We use mainly XP Pro, but do have some W2k. Print server is Windows 2003.

I have removed the entry in AD so if they click on "Find Printer" in Word for example it doesn't automatically appear. We use Group Policies to hide Network neighborhood.

I think this will catch most of the trouble causers, however if you type \\servername\printername it still allows you to connect. Is there a way I can prevent new connections. If there is a way around it, it will be found and exploited.

Many Thanks

 

[porkchopexpress]

Users can't do that here and i remember setting a policy to stop it, i'm not certain which one it is but here is a few if could be.

User Configuration/Administrative Templates/Windows Components/Windows Explorer

No "Computers Near Me" in My Network Places
No "Entire Network" in My Network Places

If my users type \\servername into the explorer address bar they get "Acces to resource \\server has been dissalowed"

 

[skialta]

Just set security on the printer object on the print server and deny them access...just like a folder

 

[porkchopexpress]

The problem there skialta is that when they move to the other room they cannot print.

 

[skialta]

I'm not sure what you want to achieve then. You want to prevent them from installing to other printers on their own, but then you want them to be able to install printers when they move?? I'm not sure what you're trying to achieve.

 

[porkchopexpress]

I think pancake will have a system that adds the appropriate printer for the class room the student is in, they should not be able to add printers in other classrooms as they can then print cr@p to other classrooms when they aren't in that room. The problem is that they have discovered a way to do this.

 

[skialta]

You could utilize security groups then...just add and remove people from the groups as necessary. It sounds like there is a tremendous amount of admin work here because people keep moving?

 

[porkchopexpress]

If it's anything like colleges that i've worked at then the students change room every hour so there is no way you could keep up manually, in the past i would use a logon script to add the appropriate printer at logon.

e.g.

Set Network = CreateObject("Wscript.Network")
compname = network.computername
room = left(compname,3)

Select Case room
Case "room1"
Network.AddWindowsPrinterConnection "\\server1\printer"
Network.SetDefaultPrinter "\\server1\printer"

Case "room2"
Network.AddWindowsPrinterConnection "\\server1\printer"
Network.SetDefaultPrinter "\\server1\printer"


case else

End Select

 

[porkchopexpress]

Did you get anywhere with this pancake?

 

[teckystuff]

You could hide the printer shares with a $ sign - similar to hiding c$
You should then copy a shortcut onto all the desktops on all the computers in each classroom that will point to the printer in that room. If you create and copy the shortcut on the desktop of the All Users and Default Users profiles for each computer this would work.
Just a thought...

 

[teckystuff]

Forgot to mention you can also untivk the option to list the printer in the AD directory - this way they wont be able to search for it either.

 

[porkchopexpress]

I think pancake has tried that already

I have removed the entry in AD so if they click on "Find Printer" in Word for example it doesn't automatically appear. We use Group Policies to hide Network neighborhood.

The problem was users printing to the wrong room when they shouldn't so putting printer shortcuts on the desktop would invite them to do this.

 

[teckystuff]

Yup but you would only put a shortcut to a printer located in the same room as the computer. i.e computer in room A would have ONE shortcut on the desktop pointing to Printer A and likewise for computer in room B and Printer B.
The $ hiding will prevent network neighbourhood browsing

 

[teckystuff]

Obviously once the students learnt what the printer are called they could manually map the printers. Its more to stop casual browsing

The only other "failsafe" way I can think of would be to get serious and put each classroom on a different subnet and make sure each subnet cannot access each other. You can achieve this with fancy vlans and intelligent routers

 

[nsantin]

Just create a local mandatory profile on each PC which has the local printer configured and disables adding new printers.

 

[justin42279]

I'm not sure if i'm missing something but this shouldn't be so complicated to achieve.

First, if you have a server that is setup as a printer server for all printers, simple go to that server and set permissions. Instead of denying users access to the printers, which would cause your problem of them not being able to go between rooms and browse, grant and deny access based on computer names. Make a security group and place only the machines within that room into the group. Then deny access to all others. Plan and simple. Nothing too fancy.

Justin

 

[pancake]

Thanks everyone for your responses.

Porkchopexpress, yes that is what we do to connect printers via a script.

I haven't yet come across a failsafe way of stopping the little cherubs from connecting. We use GPO more rigorously now to prevent access to as much as possible within windows, and as far as I can tell has made a considerable impact on system misuse generally as well as printing.

Thanks Justin42279 for your suggestion hadn't thought of groups based on computer name. Will have a go at this one I think !

 

[porkchopexpress]

Justin have you used that idea before? I've add some stations to a group and applied deny permissions on the print server but i can still print.