Print Management Guide - Assigning printer permissions
Windows provides three levels of printing security permissions: Print, Manage Printers, and Manage Documents. When multiple permissions are assigned to a group of users, the least restrictive permissions apply. However, when Deny is applied, it takes precedence over any permission. The following is a brief explanation of the types of tasks a user can perform at each permission level.
Manage Printers
By default, members of the Administrators and Power Users groups have full access, which means that the users are assigned the Print, Manage Documents, and Manage Printers permissions.
Manage Documents
When a user is assigned the Manage Documents permission, the user cannot access existing documents currently waiting to print. The permission will only apply to documents sent to the printer after the permission is assigned to the user.
Deny
Printing permissions assigned to groups
Group | Print | Manage Documents | Manage Printers |
---|---|---|---|
Administrators | X | X | X |
Creator Owner | | X | |
Everyone | X | | |
Power Users | X | X | X |
Print Operators | X | X | X |
Server Operators | X | X | X |
The Print Operators and Server Operators groups are located only on domain controllers.
Members of this group can manage, create, share, and delete printers and print queues. Members of this group can load and unload device drivers on the server. Users who can load and unload device drivers also have the ability to load malicious code on the server. As a security best practice, only add trusted users to this group.
Each permission consists of a group of special rights that allow the user to perform specific tasks. The following table summarizes the level of access associated with each of the printing security permissions.
Tasks permitted | Print | Manage Documents (applies to documents only) | Manage Printers |
---|---|---|---|
Print | X | | X |
Manage Printers | | | X |
Manage Documents | | X | |
Read Permissions | X | X | X |
Change Permissions | | X | X |
Take Ownership | | X | X |
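The following PowerShell sketch is an added example, not part of the original guide: it decodes a print queue's security descriptor (SDDL) into the Print, Manage Printers, and Manage Documents levels described above and marks Deny entries, which take precedence over any Allow. The function name `Get-PrinterAceReport`, the queue name, and the sample SDDL string are constructed for illustration; the access-mask bits are the `winspool.h` constants.

```powershell
# Added example (not from the original guide). Access-mask bits from winspool.h.
$PRINTER_ACCESS_ADMINISTER = 0x4    # Manage Printers
$PRINTER_ACCESS_USE        = 0x8    # Print
$JOB_ACCESS_ADMINISTER     = 0x10   # Manage Documents (ACEs inherited by print jobs)
$OBJECT_INHERIT = [int][System.Security.AccessControl.AceFlags]::ObjectInherit
$INHERIT_ONLY   = [int][System.Security.AccessControl.AceFlags]::InheritOnly

function Get-PrinterAceReport {     # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$Sddl
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $flags     = [int]$ace.AceFlags
        $onPrinter = -not ($flags -band $INHERIT_ONLY)     # ACE applies to the queue itself
        $onJobs    = [bool]($flags -band $OBJECT_INHERIT)  # ACE is inherited by documents
        $levels = @()
        if ($onPrinter -and ($ace.AccessMask -band $PRINTER_ACCESS_USE))        { $levels += 'Print' }
        if ($onPrinter -and ($ace.AccessMask -band $PRINTER_ACCESS_ADMINISTER)) { $levels += 'Manage Printers' }
        if ($onJobs    -and ($ace.AccessMask -band $JOB_ACCESS_ADMINISTER))     { $levels += 'Manage Documents' }
        if (-not $levels) { continue }   # ACE carries none of the three levels

        # Resolve the SID to a name; keep the raw SID if it cannot be resolved.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        [pscustomobject]@{
            Printer   = $PrinterName
            Type      = if ($ace.AceQualifier -eq 'AccessDenied') { 'Deny' } else { 'Allow' }
            Principal = $who
            Levels    = $levels -join ', '
        }
    }
}

# Constructed sample: Guests denied Print, Administrators full access,
# Everyone granted Print, Creator Owner granted Manage Documents.
$sample = 'O:SYG:SYD:(D;;SW;;;BG)(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)' +
          '(A;;SWRC;;;WD)(A;OIIO;RPWPSDRCWDWO;;;CO)'
Get-PrinterAceReport -PrinterName 'SAMPLE-QUEUE' -Sddl $sample |
    Sort-Object Type -Descending | Format-Table -AutoSize   # Deny rows listed first

# Live use on a print server (PrintManagement module):
# Get-Printer -Full | ForEach-Object {
#     Get-PrinterAceReport -PrinterName $_.Name -Sddl $_.PermissionSDDL }
```

Review any Allow row that grants Manage Printers to a group whose membership is not tightly controlled, and remember that a Deny row for a group applies to every member regardless of other Allow rows.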
To set Group Policy for printers

1. Start Group Policy according to the object you want to set printer policy to. For more information on how to start Group Policy, see Related Topics.
2. After selecting the properties page of the object you want to set printer policy to, select the Group Policy node.
3. If you want to set policies that apply only to computers, expand the Computer Configuration node, and then expand Administrative Templates.
4. If you want to set policies that apply only to users, expand the User Configuration node, expand Administrative Templates, and then expand Control Panel.
5. Double-click Printers to open a listing of policies.
6. Double-click the printer policy you want to set.
7. On the Policy tab, enable or disable the policy by selecting or clearing the appropriate radio button. With some policies, you might need to enter additional information.
Note
If you do not want to change the current state of the policy setting, leave it as it is (not configured) to save processing time.