W2K and Network Printing -- the ongoing saga

[Patrick Goetz]

As some listizens might recall, I've been trying use a Samba 2.2 PDC to
provide downloadable printer drivers to W2K machines.  The Samba stuff
seems to be working perfectly (modulo the fact that the printer names seem
to be selected randomly from /etc/printcap -- not the last name in the
list as I thought earlier), but I can't get the W2K machines to either
provide the configured printers to ordinary domain users or have the users
mount the printers either by hand or from a login script.  Every time I
try I get a message saying that I don't have sufficient access to the
machine to connect to the selected printer.

I was ready to give up and fly to Redmond with a 100 pounds of C4 strapped
to my back, but an inability to locate any C4 combined with a number of
helpful suggestions from this list got me back in front of the console for
another try.  No luck.  For the sake of providing potentially
useful feedback back to the list, here is what happened:




On Sat, 28 Apr 2001, Eugenijus [ISO-8859-1] Janus(kevic(ius wrote:
> 
> >  The problem is that for W2K, network printers set up by
> > administrators do not automatically appear on the desktops of ordinary
> > domain users.  I thought the problem could be solved by having a default
> > login script with stuff like
> > 
> >     start \\samba-server\printer1
> >     start \\samba-server\printer2
> >        etc.
> 
> hm, try `net use \\samba-server\printer` then
> 


When I do this, I get a helpful message "operation
succeeded".  Unfortunately, I don't get a printer out of the deal.  I also
tried `net use lpt1: \\samba-server\printer` with the same result.

============

On Sat, 28 Apr 2001, Eugenijus [ISO-8859-1] Janus(kevic(ius wrote:
>
> Check permissions for %windir%\system32\spool and below (it's true for 
> NT. Check the correct location for Win2k)
> 

Since the system drive is set up with FAT32, anyone can write to this
directory.  Just to check, I made sure I could create new folders in the
%windir%\system32\spool\drivers directory.  (I realize that this blows the
whole point of securing the system in the first place, but one of my
assistants made the mistake while installing the machines, and I don't
feel like correcting right now.)

Moreover, while I was experimenting with this suggestion, I noticed that
- when I login on the W2K as a domain user - the printer drivers
are already there, so there is no reason for the system to want to
download them again!

============


On Sat, 28 Apr 2001, Jean Francois Micouleau wrote:
>
> Even if I agree with you it's plain boring to have the administrator 
> setup
> the printers on each workstations, Microsoft have understood it was a 
> problem. So since w2k you can push the drivers to the workstation from a
> central place. It's documented in the KB
>
> http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP
>
> as someone else mentioned on this list some days ago.
> 

Yes, I'm the one who mentioned this URL. When I try using the

  rundll32 printui.dll,PrintUIEntry <etc>

command I get the same result as when trying to use 

  `start \\samba-server\printer`

i.e. I don't have sufficient access to the machine.  The biggest problem
is even if I'm willing to set up every single network printer on every
machine by hand as administrator, the printers don't show up for users.


============


On Sat, 28 Apr 2001, Martin Radford wrote:
>
>   
> Did you check the security policy of your machine?  Allowing users to 
> install printer drivers is a security risk.
>
> Go to Start/Settings/Control Panel/Administrative Tools/Local Security
> Policy.  Under Local Policies/Security Options, check the entry for
> "Prevent users from installing printer drivers".  I think the default
> setting is "Enabled".  This may be causing your problem.
>


I really thought this was going to be the answer, but sadly, no.  By
default, this option is Disabled, and in particular, it's disabled on the
W2K machine I'm using for testing.


============


At this point, I'm really curious.  Does A_N_Y_O_N_E have this working
with W2K machines?  I checked with a friend who administers a huge
WinNT/2000 network, and their solution is to simply spool all print jobs
directly from the W2K workstation to the printer.  It turns out that
TCP/IP printers are set up as local printers, and these DO show up for
ordinary users.  Since all the printers I currently care about are TCP/IP
printers, this work-around solves my problem for now, but it's terribly
inelegant, since I have to set up printer drivers by hand on each machine
for each printer, and eventually it will become a big problem when people
decide that they want to spool print jobs to printers attached to local
linux machines on the network.