User cannot access shared printer in Windows Server 2003

I have:

  • A Windows Server 2003 machine acting as a file server and domain controller. Call this "Server 1".
  • Another Windows Server 2003 machine acting as a terminal server, file server and DNS server. Call this one "Server 2". People often log in to this machine via RDP to use a certain piece of software.
  • An old Windows XP SP3 machine with a USB printer attached and shared. This machine has its own local accounts; it does not validate logons against the domain controller. It is a member of the domain, though. Call this "PC 1".

(I have inherited this setup and am temporarily administering it. I am not particularly knowledgeable about administration of Windows servers, so forgive me if I've omitted valuable details.)

I want users to be able to print from the printer on PC 1 while working on Server 2, even if PC 1 is in use. I can add the shared printer to Server 2 as the administrator, but the user themselves cannot add the printer. When I try (logged in as them) to add it, I see "You do not have sufficient access to your computer to connect to the selected printer".

I followed the instructions in this KB article, i.e. disabled the "Prevent users from installing printer drivers" property in Local Security Settings, rebooted, and got the same message. I tried adding the user to Local Security Settings > Load and unload device drivers, rebooted, still can't add it. I added the user to the (local) Power Users group, rebooted, still can't add it.

Finally I added the user to the Administrators group, rebooted, and I could add the printer to their account — success! But then, when I removed them from the Administrators group and rebooted, the printer was... gone.

So what do I try next?


Solution 1:

Dump the "shared printer" and make the printer a local printer on the Terminal Server computer.

  • Install the optional component "Print Services for Unix" onto the Windows XP PC that is "sharing" the printer, which will turn the PC into an expensive HP JetDirect-alike (i.e. it will make the PC answer on TCP port 515 for the LPR protocol).

  • Verify that the Windows Firewall on the Windows XP machine permits inbound connections from the Terminal Server on TCP port 515.

  • Add the printer to the Terminal Server as a local printer attached to a "Standard TCP/IP Port" referring to the name or IP address of the Windows XP PC. There will be a long delay while Windows attempts to "detect" the port. When you finally get the dialog with a drop-down list of port types, choose "Custom", click "Settings" and modify the default properties to use the "LPR" protocol, set the "Queue Name" to the "Share Name" of the printer on the Windows XP machine, and tick the "LPR Byte Counting Enabled" box. (This selection has nothing to do with the printer model; this is just to get LPR going between the boxes.)

This will give you a local printer on the Terminal Server computer (and, thus, available to all users automatically). Since you need to restrict access to the printer, use an ACL on the print queue to do so.

Edit:

Sadly, some printer drivers are not amenable to this technique. Consumer inkjet printers and all-in-one devices seem to be the worst.
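Before creating the Standard TCP/IP port in the last step, it helps to confirm from the Terminal Server that the XP box actually answers LPR requests for the right queue name, because a blocked TCP port 515 and a queue name that does not match the share name both only show up later as jobs that never print. The script below is an added example, not part of this answer or of any Microsoft tooling: it performs the RFC 1179 "receive job" handshake and classifies the result; the share name "HPShare" and the localhost stand-in for the XP LPD service are constructed so it can be exercised offline.

```python
import socket
import threading


def probe_lpd_queue(host, queue, port=515, timeout=5.0):
    """Return 'accepted', 'rejected' or 'unreachable' for queue on host:port.
    RFC 1179: 0x02 + queue + LF asks to receive a job; the reply byte is 0x00
    on success. We then send 0x01 (abort job) so nothing stays in the spool."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"\x02" + queue.encode("ascii") + b"\n")
            if sock.recv(1) == b"\x00":
                sock.sendall(b"\x01\n")
                return "accepted"
            return "rejected"  # listener up, but the queue (share) name is wrong
    except OSError:  # refused, timed out (firewall) or no route
        return "unreachable"


def start_fake_lpd(known_queue):
    """Constructed stand-in for the XP LPD service (offline testing only):
    listens on an ephemeral localhost port, acknowledges only known_queue."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                req = conn.recv(256)
                if req[:1] == b"\x02" and req[1:].rstrip(b"\n") == known_queue.encode():
                    conn.sendall(b"\x00")
                    conn.recv(16)  # swallow the abort subcommand
                else:
                    conn.sendall(b"\x01")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def self_check():
    """Probe the stand-in with the right queue, a wrong queue and a closed port."""
    port = start_fake_lpd("HPShare")  # "HPShare" stands in for PC 1's share name
    with socket.socket() as tmp:  # grab and release a port nobody listens on
        tmp.bind(("127.0.0.1", 0))
        closed = tmp.getsockname()[1]
    return (probe_lpd_queue("127.0.0.1", "HPShare", port),
            probe_lpd_queue("127.0.0.1", "WrongShare", port),
            probe_lpd_queue("127.0.0.1", "HPShare", closed))
```

Against the real PC 1, call `probe_lpd_queue("pc1", "<share name>")` from the Terminal Server: "unreachable" points at the XP firewall or a missing Print Services for Unix install, "rejected" at a queue name that differs from the share name.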

Solution 2:

  1. Add the printer to each workstation (while logged in as the user)

  2. Configure the TS to allow printer redirection

  3. Configure the RDP client on each workstation to redirect printers to the TS session (while logged in as the user)

  4. Done