Printing security permissions

When a printer is installed on a network, default permissions are assigned that allow all users to print, and allow select groups to manage the printer, the documents sent to it, or both. Because the printer is available to all users on the network, you might want to limit access for some users by assigning specific printer permissions. For example, you could give all nonadministrative users in a department the Print permission and give all managers the Print and Manage Documents permissions. In this way, all users and managers can print documents, but managers can also change the print status of any document sent to the printer.

Windows 2000 provides three levels of printing security permissions: Print, Manage Printers, and Manage Documents. When multiple permissions are assigned to a group of users, the least restrictive permissions apply. However, when Deny is applied, it takes precedence over any permission. The following is a brief explanation of the types of tasks a user can perform at each permission level.

The user can connect to a printer and send documents to the printer. By default, the Print permission is assigned to all members of the Everyone group.

The user can perform the tasks associated with the Print permission and has complete administrative control of the printer. The user can pause and restart the printer, change spooler settings, share a printer, adjust printer permissions, and change printer properties. By default, the Manage Printers permission is assigned to members of the Administrators and Power Users groups.

By default, members of the Administrators and Power Users groups have full access, which means that the users are assigned the Print, Manage Documents, and Manage Printers permissions.

The user can pause, resume, restart, and cancel documents submitted by all other users. The user cannot, however, send documents to the printer or control the status of the printer. By default, the Manage Documents permission is assigned to members of the Creator Owner group.

When a user is assigned the Manage Documents permission, the user cannot access existing documents currently waiting to print. The permission will only apply to documents sent to the printer after the permission is assigned to the user.

Any or all of the preceding permissions are denied for the printer. When access is denied, the user cannot use or manage the printer, manipulate documents sent to the printer, or adjust any of the permissions.