I’ve been working on migrating our Active Directory infrastructure to a Role-Based Access Control architecture and in the process I completely screwed up our shared printers. My goal was to simplify print permissions by having only two groups assigned permissions to each printer:
- ACL_PrinterName_Print would have permissions to print to the printer.
- ACL_PrinterName_Manage would have permissions to manage the printer settings and queued print jobs.
This way, assigning users to a printer was just a matter of adding them to the appropriate group in Active Directory. So I created the groups, added members, granted permissions to the groups by adding them on the Security tab of the appropriate printers, then deleted all of the old permissions.
What happened next was odd to say the least.
Shared Printers Were Printing But Not Deleting the Print Jobs
Basically, users were able to print, but after printing the jobs never left the print queue. This led to mass confusion, and I quickly realized what I had done. When a printer is created it automatically has permissions for Administrators and CREATOR OWNER. The printer’s owner is the SYSTEM account. The Print Spooler service runs as SYSTEM and automatically clears completed print jobs. Deleting the CREATOR OWNER permission is effectively saying you don’t want the print spooler to do its job. So when simplifying your printer permissions, DON’T remove permissions for CREATOR OWNER.
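To catch this before users notice, the following audit script (an added example, not from the original post) lists shared printers whose security descriptor no longer contains an Allow ACE for CREATOR OWNER. It assumes PowerShell 5.1 or later and the PrintManagement module, whose Get-Printer -Full exposes the printer ACL as PermissionSDDL.

```powershell
# Added audit example (not part of the original post).
# Assumes: PrintManagement module (Get-Printer -Full) and PowerShell 5.1+.
$creatorOwnerSid = 'S-1-3-0'   # well-known SID for CREATOR OWNER

function Test-PrinterHasCreatorOwner {
    param([Parameter(Mandatory)][string]$Sddl)
    # Parse the SDDL string into a raw security descriptor and walk the DACL
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACEs that carry a SID (KnownAce) are relevant here
        if ($ace -is [System.Security.AccessControl.KnownAce] -and
            $ace.SecurityIdentifier.Value -eq $creatorOwnerSid -and
            $ace.AceType -eq 'AccessAllowed') {
            return $true
        }
    }
    return $false
}

# Report every shared printer that is missing the CREATOR OWNER Allow ACE,
# i.e. the printers that will print but never clear their finished jobs.
$missing = Get-Printer -Full | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Shared          = $_.Shared
        HasCreatorOwner = Test-PrinterHasCreatorOwner -Sddl $_.PermissionSDDL
    }
} | Where-Object { $_.Shared -and -not $_.HasCreatorOwner }

if ($missing) {
    Write-Warning "Printers missing the CREATOR OWNER permission:"
    $missing | Format-Table Name, Shared, HasCreatorOwner -AutoSize
} else {
    Write-Output "All shared printers still grant permissions to CREATOR OWNER."
}
```

Run it on the print server as an administrator; to repair a flagged printer, copy the PermissionSDDL from a printer that still has its default ACEs and apply it with Set-Printer -PermissionSDDL, then re-add your ACL_ groups on top.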